News

26 Oct 2016

The Right Way to Protect Personal Data

Law No. 152-FZ On Personal Data, which was adopted 10 years ago, was primarily intended to ensure the protection of the citizens’ rights and freedoms, such as the right to privacy and family. Olga Korotkova, Deputy Head of the Department of the Federal Supervision Agency for Information Technologies and Communications for the Central Federal District has explained the key provisions of the law on the website of the Prefecture of the Eastern Administrative District of Moscow.

In her interview, the official has described the current aims of the agency authorized to protect the rights of personal data owners.

We have asked Mikhail Emelyannikov, the lead expert on Information Security and the Managing Partner at Emelyannikov, Popova and Partnery Consulting Agency, to comment on the recently issued article.

You can see the key issues from the interview with Olga Aleksandrovna below.

What is “personal data”?

In international practice, this notion was defined at the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) dated January 28, 1981. The notion of “personal data” in the Russian Federation strongly complies with that definition and means any data that is directly or indirectly related to an individual belongs to the personal data owner.

Who are personal data operators?

Any state or municipal authorities, as well as individuals and legal entities who organize and conduct personal data processing and who determine the actions required for data processing, along with the composition of the data.

How does one legally become a personal data operator?

Prior to commencing data processing, the operator must inform the competent department on the protection of rights of personal data owners about their intention to conduct personal data processing according to Part 3, Article 22 of the Federal Law On Personal Data. The respective notice can be submitted either in paper format or electronically. The cases described in Part 2, Article 22 of Law No. 152-FZ represent exceptions.

Once the notice is submitted, the information about the operator is entered into the Registry of Personal Data Operators. The information contained in that Registry is available to the general public. Anyone can look through it on the Personal Data Portal of the Federal Supervision Agency for Information Technologies and Communications (Roskomnadzor) at http://pd.rkn.gov.ru. People often contact the Department of Roskomnadzor because they fail to find the organization to which they provide personal data in the Registry. And that causes concern about the safety of such personal data.
Like I said before, the law outlines a number of exceptions that allow the operator to process personal data without notifying Roskomnadzor.

It is difficult to become a personal data operator?

According to Olga Korotkova, not so much. This implies no financial expenses. Moreover, a notice of personal data processing can be submitted electronically and Roskomnadzor has drafted recommendations on how to fill in the notice form. This information is available on the Personal Data Portal or on the website of any regional Roskomnadzor Department. Besides, the Department employees offer assistance in filling out the notice and provide explanations for any points of friction.

Are there operators who chose not to make themselves known, and if yes, why?

Olga Aleksandrovna reminds us that processing of data without proper notification in cases when no grounds exist listed in Part 2, Article 22 of the Federal Law On Personal Data is a breach. The activities of some organizations really do fall under these exceptions. But there are also some organizations that do not consider themselves personal data operators by mistake. Ms. Aleksandrovna provides an example from her own experience. An organization has indicated in their information letter that they use e-mail addresses and full names of their website users as protection against spam. This does not represent a legal basis for personal data processing without notification, which is why the Department requested a proper notice.

Some organizations also fail to submit notices in belief that this would save them from Roskomnadzor inspections. However, this is not true because the inspection schedule also includes the organizations that conduct operations that imply no grounds for personal data processing without notification. Moreover, the Department once in a while reminds the organizations about the legal requirements and requests that they provide the notice on personal data processing.

What trends are observed in filling of the Registry of Personal Data Operators?

Some organizations are terminating their activities, others are just starting. So the question of whether the Registry would be complete remains open. According to Ms. Aleksandrovna, taking responsibility for the personal data safety has become an important component in developing the image of a reliable organization. The regional Roskomnadzor Departments, in their turn, carry out awareness-raising and preventative activities in order to bring down the number of breaches in the field of personal data.

Detailed information on the procedure of inputting data into the Registry of Personal Data Operators is available on the Personal Data Portal of Roskomnadzor.

More