March 2012
Taken from an online interview given by the Deputy Director of the Russian Federal Service for the Supervision of Communications, Information Technology and Mass Communications (Roskomnadzor), R.V. Sheredin
Garant Information Agency, www.garant.ru
Since November 2007, when Roskomnadzor (along with Rossvyazokhrankultura) was granted full powers of control and supervision over the conformity of the processing of personal information to the requirements of the legislation of the Russian Federation, we (Roskomnadzor - RS) have carried out 3,307 inspections of operators engaged in the processing of personal information.
As a result of these activities, over 4,500 orders to eliminate violations have been issued, and 7,591 reports regarding administrative offences have been compiled and sent to the courts.
1,743 inspections were carried out in 2011, of which 954 were planned and 789 were unannounced.
While by the end of 2009 administrative proceedings for personal data violations had been brought against only 37 operators, with administrative penalties totalling slightly under 22,000 roubles, to date that amount exceeds 12.5 million roubles.
The number of violators is not difficult to determine, given that the fine for a violation is 3,000-5,000 roubles (~USD 100-150). Such is the prevailing judicial practice.
The number of complaints (from affected citizens – RS) is constantly growing, from 465 in 2009 to 3,240 at the end of 2011. In response to each specific case we have taken all necessary measures. Approximately 900 files have been sent to the prosecutor's office alone.
At first glance the fines imposed on an organisation that has failed to comply with the requirements of the law on handling personal information (as set forth in the Code of Administrative Offences of the Russian Federation) are not particularly high. Under Art. 13.11 of the Code, the fine is 5,000-10,000 roubles for the organisation, and 500-1,000 roubles for its manager where he/she is found to be at fault for the violation.
However, one must bear in mind that this fine may be imposed for each individual violation, and, as we shall see, the rules on this matter abound. A 10,000 rouble fine can therefore easily become 50,000 or even 100,000 roubles within a single inspection. Over an entire year, the amounts may be even more impressive.
Although the Federal Service for Supervision of Communications, Information Technology and Mass Communications (Roskomnadzor) is authorised to monitor compliance with the personal data regime, it has no power of its own to fine an organisation for non-compliance. Under the Code of Administrative Offences, proceedings under Art. 13.11 are initiated by the prosecutor, and the fine itself is imposed by the court.
Now that we know what threat poorly organised handling of personal data poses, let us move on to the rules that actually govern this work. It must be said at the outset that these rules do not apply solely to organisations that work with client databases; they are mandatory for every organisation that has at least one employee. Under the current law, the data an organisation receives when hiring an employee is also personal data, and the organisation must protect it in full accordance with the law.
Even if an organisation stores all its documentation the old-fashioned way, on paper, this does not eliminate the need to organise a system of protection. The law makes no distinction between firms that have implemented high-tech information systems and those that work with paper documents. Both are required to take a number of organisational and technical measures to protect the personal data of employees. Note that it is precisely the formal implementation of these measures that Roskomnadzor inspectors check.
So what are these measures?
The first thing the inspectors will want to see is an order from the head of the organisation appointing those responsible for handling and protecting personal data. In addition, the organisation must keep a register of the personal data it actually uses.
In practice, personal information usually includes everything an employee writes about him/herself when applying for the job, as well as the data used later when formulating personnel documentation. Thus, the list of documents containing personal data includes the application for employment, employee profile, personal card and personal data file, labour contract, orders, employment history, evaluation committee materials etc., along with a variety of records and materials kept by the organisation for internal use (for example, that of the parent organisation or shareholders) or presented to various government bodies (tax and labour inspectors, statistics agencies).
Preparing this list, incidentally, matters not only for compliance with the law; it will also streamline the use of personal data within the organisation. The point is that the complexity of protecting personal data depends on the sensitivity of the information. For example, information on political and religious beliefs, private life, health and nationality is legally assigned to a category that must be protected by more reliable means and methods than data that merely identifies the person. Reviewing the information the organisation has collected, and excluding any data it does not strictly need to keep, will therefore significantly reduce the cost of the protection system.
Next, a list must be drawn up of all persons authorised to work with personal data, and that list must then be approved by the head of the organisation. In addition, a dedicated document, the Statute on personal data, must be developed and approved. It must set out in detail the requirements for obtaining, storing, combining, transferring or otherwise using personal information, together with the measures that guarantee its protection.
Finally, one more important point. An organisation must notify Roskomnadzor that it processes personal data. Although at first glance the law makes an exception for information on an organisation's own personnel, the supervisory agency insists that notification is necessary, relying on contradictions in the provisions of the law. The article that, as we have already noted, removes the need to give notice regarding the personal data of a company's employees is worded in such a way that the use of this information in dealings with a bank for payroll purposes, or with government bodies, does not formally fall under the exception. To avoid unnecessary disputes and fines, it is therefore recommended that such notification be given.
RS' Opinion: According to the law notification is not required to be given if personal data is processed in accordance with the labour laws. At the same time, we believe that the necessity to submit information on employees, including personal data, to the Tax Inspectorate (form PIT-2), the Pension Fund or to the bank stems from the presence of labour relations. Thus, notification of Roskomnadzor is unnecessary.
The opposite approach will lead to 100% of employers being obliged to give notice, which is illogical and wrong.
In judicial practice we see that the courts reject Roskomnadzor's attempts to hold employers liable for failure to notify it of the processing of employees' personal information.
Sofia Ivanova, lawyer, ICLC
Now let us take a closer look at what exactly should be set out in the Statute on personal data. This document is divided into sections regulating how the organisation collects and processes personal data; who has access to this data and under what procedure; and what steps must be taken to prevent its disclosure.
Let us examine each of these sections in turn. First, the section on the "collection and processing of personal information" states that the organisation may collect and process personal data only with the written consent of the employee. Accordingly, this section should include the consent form by which an employee agrees to the use of this information. Such consent should be obtained from new employees immediately upon hiring, and from existing staff immediately after the Statute is approved.
The section regulating access to personal information specifies the access procedure for employees of the organisation and for third parties, including other organisations. This is where the list of personnel with access to personal data belongs. If necessary, levels of access can also be set out here: for example, the director and senior management have access to all personal data, accounting staff only to what is needed for payroll and taxes, HR to what is needed to process personnel documents, and so on.
This section also sets out the procedure for processing and transferring data. Where a data transfer is governed by law (for example, to the tax authorities, statistics offices or the Pension Fund), it is sufficient to refer to the transfer procedure prescribed by the relevant legislation. Even so, be sure to specify who has the right to prepare information for transfer to state bodies, and under what procedure.
Transfers to relatives, insurance companies, banks, charities and non-state pension funds, on the other hand, may be carried out only with the employee's written consent for each specific piece of data.
The Statute ends with a section on liability for violating the rules governing the processing of personal information. Here it suffices to cite the norms of the Labour Code (dismissal for disclosure of personal data under Art. 81 LC RF), the Code of Administrative Offences of the Russian Federation (Art. 13.11, with which we are already familiar) and, if necessary, the Criminal Code (Art. 137).
SUMMARY:
1. Any organisation with at least one employee is required to take measures to protect personal information. Thus, it is the duty of EVERY organisation in Russia.
2. It is not enough to take measures to protect the information; they must also be formalised in law, with orders and directives issued and regulations and other documents prepared.
3. In order to minimise risks, notification should be given to Roskomnadzor.
Alexey Krainyev, lawyer,
Exclusively for Russian Survey