Personal data (PD): any information relating directly or indirectly to a specific or identifiable natural person (the personal data subject) that is provided to another natural or legal person or persons [1].
Although the concept of personal data is old, the growth of communication networks and automated data analysis has made it possible to steal, centrally collect and sell in bulk data about a person. Such data helps track a person down, plan a crime against him, or impersonate him to third parties. A more peaceful use of personal data is advertising.
Although modern data analysis techniques can distinguish one person from another on very indirect grounds, personal data is a legal rather than a technical concept.
Regulatory Framework
The normative basis for the protection of personal data consists of the Constitution of the Russian Federation, the Federal Law "On Personal Data", the Decree of the President of the Russian Federation "On the List of Confidential Information" and other acts. Its legal foundation is the Universal Declaration of Human Rights, proclaimed by the General Assembly of the United Nations in 1948. Under Art. 12 of the Declaration, "no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation". The provisions of the Declaration were developed further in other international legal instruments and in documents of the European Union, in particular the European Convention for the Protection of Human Rights and Fundamental Freedoms, adopted on November 4, 1950.
On January 28, 1981, the Council of Europe adopted the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (hereinafter the Convention for the Protection of Individuals) and, later, the Additional Protocol to the Convention concerning supervisory authorities and transborder data flows. Two directives of the European Parliament and the Council of the European Union were also adopted: Directive 95/46/EC of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and Directive 97/66/EC of December 15, 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector; as were the Recommendations of the Committee of Ministers to member states of the Council of Europe on the protection of privacy on the Internet (February 19, 1999).
The Federal Law of the Russian Federation of July 27, 2006 No. 152-FZ "On Personal Data" is the basic law in the field of personal data protection. It was adopted to fulfil the international obligations of the Russian Federation that arose from the signing and ratification of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of January 28, 1981. The Convention was signed on behalf of the Russian Federation in Strasbourg on November 7, 2001 and ratified together with the amendments approved by the Committee of Ministers of the Council of Europe on June 15, 1999.
One of the main requirements of the Convention and of 152-FZ is obtaining the data subject's consent to the processing of his personal data.
Decree of the Government of the Russian Federation of November 1, 2012 No. 1119 "On the approval of requirements for the protection of personal data during their processing in personal data information systems" defines the levels of security and new types of information systems.
The Decree requires the Federal Security Service of the Russian Federation and the Federal Service for Technical and Export Control to approve, within their competence, the regulatory legal acts and methodological documents needed to fulfil the requirements it establishes.
In 2008 a set of documents was adopted under Decree of the Government of the Russian Federation No. 781 (the Decree has since been repealed, but its methodological materials are still used for training).
In 2012 the new Government Decree No. 1119 [2] [3] was adopted, and in 2013 the new FSTEC Order No. 21 was introduced, alongside regular amendments to Federal Law No. 152-FZ of July 27, 2006. These documents impose new requirements on the personal data operator [4] [5].
Federal Law of the Russian Federation
“On Personal Data” dated July 27, 2006 No. 152-FZ.
Presidential Decree
“On Approving the List of Confidential Information”, Decree of the President of the Russian Federation of March 6, 1997 No. 188.
Decisions of the Government of the Russian Federation
- “On approval of requirements for tangible media of biometric personal data and storage technologies for such data outside personal data information systems” dated July 6, 2008 No. 512;
- “On the approval of the Regulation on the peculiarities of the processing of personal data carried out without the use of automation tools” dated September 15, 2008 No. 687;
- “On approval of the requirements for the protection of personal data during their processing in personal data information systems” dated November 1, 2012 No. 1119.
Methodological materials of Roskomnadzor
- “On the approval of requirements and methods for the depersonalization of personal data”, order of Roskomnadzor dated September 5, 2013 No. 996 (registered with the Ministry of Justice of Russia on September 10, 2013 No. 29935);
- “Methodological recommendations on the application of the order of Roskomnadzor of September 5, 2013 No. 996 ‘On approval of the requirements and methods for the depersonalization of personal data’”, approved by Roskomnadzor on December 13, 2013.
Methodological materials of the FSTEC of Russia
- “The basic model of personal data security threats when they are processed in personal data information systems” dated February 15, 2008 [6] ;
- “Methodology for determining the actual threats to the security of personal data during their processing in personal data information systems”, approved by the FSTEC of Russia on February 14, 2008 [6] ;
- “On approval of the Composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems”, order of the FSTEC of Russia dated February 18, 2013 No. 21 (Registered in the Ministry of Justice of Russia on May 14, 2013 No. 28375).
Documents no longer in force:
- since March 15, 2010 [7] :
- “Main measures for the organization of technical security of personal data processed in personal data information systems” dated February 15, 2008 (the “for official use” marking was removed by the Decision of the FSTEC of Russia of November 11, 2009);
- “Recommendations for ensuring the security of personal data during their processing in personal data information systems” dated February 15, 2008 (the “for official use” marking was removed by the Decision of the FSTEC of Russia of November 11, 2009);
- subsequently (superseded by FSTEC Order No. 21, see below):
- “On approval of the Regulation on methods and means of protecting information in personal data information systems”, Order of the FSTEC of Russia dated February 5, 2010 No. 58 (registered with the Ministry of Justice of Russia on February 19, 2010 No. 16456).
Order of the FSTEC of Russia on the composition and content of measures to ensure the security of personal data in ISPD
Order of the Federal Service for Technical and Export Control (FSTEC of Russia) dated February 18, 2013 No. 21 “On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems”. The document was registered with the Ministry of Justice of the Russian Federation on May 14, 2013, published on May 22, 2013 in Rossiyskaya Gazeta (No. 6083), and entered into force on June 1, 2013.
It declares the Order of the FSTEC of Russia dated February 5, 2010 No. 58 “On approval of the Regulation on methods and means of protecting information in personal data information systems” (registered with the Ministry of Justice of Russia on February 19, 2010, registration No. 16456) no longer in force.
Methodological materials of the FSB of Russia
- “Methodological recommendations for ensuring the security of personal data using cryptographic means during their processing in personal data information systems using automation tools” dated February 21, 2008 No. 149/54-144;
- “Typical requirements for the organization and operation of encryption (cryptographic) means intended to protect information that does not constitute a state secret when used to ensure the security of personal data during their processing in personal data information systems” dated February 21, 2008 No. 149/6/6-622 [8] ;
- “On approval of the Composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems using cryptographic information protection means necessary to fulfil the requirements for the protection of personal data established by the Government of the Russian Federation for each level of security”, Order of the FSB of Russia dated July 10, 2014 No. 378.
Federal Law of December 27, 2009 No. 363-FZ “On Amendments to Articles 19 and 25 of the Federal Law ‘On Personal Data’”, which entered into force on December 29, 2009, removed from Part 1 of Article 19 of Law No. 152-FZ the requirement that the operator use encryption (cryptographic) means when processing personal data. As a result, the FSB of Russia methodological materials that elaborate the requirements for securing PD by means of cryptographic protection ceased to be mandatory.
Order of three departments
On February 13, 2008 the so-called “three-agency order” was signed:
Order of the Federal Service for Technical and Export Control, the Federal Security Service of the Russian Federation and the Ministry of Information Technologies and Communications of the Russian Federation No. 55/86/20 “On approval of the Procedure for the classification of personal data information systems”. The document is a methodological recommendation for the classification of information systems.
All personal data operators that process personal data using automation tools were required to classify their personal data information systems.
The order was repealed by the joint order of the FSTEC of Russia, the FSB of Russia and the Ministry of Communications of Russia dated December 31, 2013 No. 151/786/461 “On declaring invalid the order of the Federal Service for Technical and Export Control, the Federal Security Service of the Russian Federation and the Ministry of Information Technologies and Communications of the Russian Federation of February 13, 2008 No. 55/86/20 ‘On approval of the Procedure for the classification of personal data information systems’” [9] .
Sharing Personal Information
By virtue of Art. 13 of Federal Law of December 22, 2008 No. 262-FZ "On Ensuring Access to Information on the Activities of Courts in the Russian Federation", publication of information on the activities of courts in the mass media is carried out in accordance with the legislation of the Russian Federation on mass media, which includes the Law of the Russian Federation of December 27, 1991 No. 2124-1 "On the Mass Media" and other regulatory legal acts of the Russian Federation adopted under it. Under Part 2 of Article 14 of Federal Law No. 262-FZ, the following information about cases pending in court is posted on the Internet to provide access to information on the activities of courts: registration numbers of cases, their names or the subject of the dispute, information about the participants in the trial, information about the progress of cases in court, and information on the judicial acts issued on the results of the cases.
Information about the participants in the trial is posted on the Internet subject to the requirements of Article 15 of Federal Law No. 262-FZ. By virtue of paragraph 1 of Part 4 of Article 15 [10], personal data here means the surnames, first names and patronymics of the participants in the trial, date and place of birth, place of residence or stay, telephone numbers, details of a passport or other identity document, the taxpayer identification number of an individual, the main state registration number of an individual entrepreneur, and the insurance number of an individual personal account. When the texts of judicial acts adopted by courts of general jurisdiction and by the Supreme Court of the Russian Federation are posted on the Internet (except for texts of judicial acts adopted by the Supreme Court under arbitration procedural legislation), the personal data specified in Part 4 of Article 15 of Federal Law No. 262-FZ are excluded from those acts in order to ensure the safety of the participants in the trial and to protect state and other legally protected secrets.
In place of the excluded personal data, initials, pseudonyms and other designations are used that do not allow the participants in the trial to be identified.
Part 4 of Article 15 also lists the taxpayer identification number and the main state registration number of an individual entrepreneur, and the surname, first name and patronymic of the plaintiff, defendant, third party, civil plaintiff, civil defendant, administrative plaintiff, administrative defendant, interested person, the person against whom an administrative case is being conducted, the convicted and the acquitted person, the court clerk, the judge or judges hearing the case, and the prosecutor, lawyer and representative.
The Federal Law "On Personal Data" governs relations connected with the processing of personal data carried out by federal government bodies, government bodies of constituent entities of the Russian Federation, other state bodies, local government bodies, other municipal bodies, legal entities and individuals using automation tools, including in information and telecommunication networks (Part 1 of Article 1). Under Part 2 of Article 8 of the Law on Personal Data, information about a data subject must be excluded from publicly available sources of personal data at any time at the request of the data subject or by decision of a court or other authorized state body. By virtue of clause 5 of Part 2 of Article 1, that Law does not apply to relations that arise when authorized bodies provide information on the activities of courts in the Russian Federation under Federal Law of December 22, 2008 No. 262-FZ "On Ensuring Access to Information on the Activities of Courts in the Russian Federation", which is the special law applicable to such relations.
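The depersonalization the page refers to, both in the Roskomnadzor order on depersonalization methods listed above and in the court-publication rule just described (names replaced by pseudonyms, identifiers removed), can be illustrated with the following added example. It is not code from the page, from Roskomnadzor or from any court system and does not claim to implement the methods of Order No. 996; the regular expressions, the assumption that a full name appears as "Surname Name Patronymic", the "ФИО1, ФИО2, …" numbering scheme and the sample court text are all constructed for the example.

```python
"""Depersonalize a court text: replace full names with numbered pseudonyms and
drop the identifiers listed in Part 4 of Art. 15 of 262-FZ (passport, INN,
SNILS, phone). Added example with simplified, assumed patterns; not the law's
own definitions and not an implementation of Roskomnadzor Order No. 996."""
import re

# Surname Name Patronymic, each capitalised; the patronymic is recognised by a
# -вич/-вна ending plus a few case endings (assumption: nominative, dative,
# genitive, instrumental forms only; other inflections are missed).
NAME_RE = re.compile(
    r"\b[А-ЯЁ][а-яё]+ [А-ЯЁ][а-яё]+ [А-ЯЁ][а-яё]+(?:вич(?:а|у|ем|е)?|вн(?:а|ы|е|у|ой))\b"
)

# Identifier patterns; order matters so that a longer digit run is consumed
# before a shorter pattern can match a fragment of it.
ID_PATTERNS = [
    ("СНИЛС", re.compile(r"\b\d{3}-\d{3}-\d{3}[ -]\d{2}\b")),          # 123-456-789 01
    ("ИНН", re.compile(r"\b\d{12}\b")),                               # 12-digit individual INN
    ("паспорт", re.compile(r"\b\d{2} ?\d{2} ?\d{6}\b")),              # 45 12 345678
    ("телефон", re.compile(r"(?:\+7|8)[ (]*\d{3}[) ]*\d{3}[ -]?\d{2}[ -]?\d{2}\b")),
]


def depersonalize(text):
    """Return (depersonalized text, name -> pseudonym mapping).

    The same spelling of a name always receives the same pseudonym, so the
    narrative still distinguishes the participants; the mapping is what the
    operator must keep out of the published record.
    """
    mapping = {}

    def pseudonym(match):
        name = match.group(0)
        if name not in mapping:
            mapping[name] = f"ФИО{len(mapping) + 1}"
        return mapping[name]

    out = NAME_RE.sub(pseudonym, text)
    for label, pattern in ID_PATTERNS:
        out = pattern.sub(f"[{label} исключён]", out)
    return out, mapping


def residual_identifiers(text):
    """Post-condition check: which known PD patterns still occur in the text."""
    found = [label for label, pattern in ID_PATTERNS if pattern.search(text)]
    if NAME_RE.search(text):
        found.append("ФИО")
    return found


# Constructed sample, not a real judicial act.
SAMPLE = (
    "Истец Иванов Иван Иванович (паспорт 45 12 345678, СНИЛС 123-456-789 01, "
    "тел. +7 (912) 345-67-89) обратился к Петровой Анне Сергеевне, ИНН 123456789012. "
    "Иванов Иван Иванович просит взыскать долг."
)

if __name__ == "__main__":
    result, names = depersonalize(SAMPLE)
    print(result)
    print(names)
    print("residual:", residual_identifiers(result))
```

Two caveats a practitioner should keep in mind. First, the mapping is keyed on the exact spelling: a declined form ("Петровой Анне Сергеевне") and the nominative form of the same person would receive different pseudonyms unless the names are normalized first, and a name in an inflection the pattern does not know passes through untouched. Second, `residual_identifiers` only finds what the patterns describe; an address, an employer or a distinctive set of facts stated in prose can still identify a participant, which is why the law speaks of designations that "do not allow identification" rather than of deleting a fixed list of fields.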
Personal data protection and liability
Liability for the disclosure of personal information arises, under Parts 1 and 2 of Art. 13 of Federal Law No. 323-FZ "On the Basics of Protecting the Health of Citizens in the Russian Federation", in relation to information that constitutes, for example, medical confidentiality, the disclosure of which is not permitted, including after the death of the citizen. This includes [11] :
- information about the fact of the citizen's appeal for the provision of medical care;
- information about the state of health and the diagnosis of a citizen;
- other information obtained during a medical examination and treatment of a citizen.
Article 137 of the Criminal Code of the Russian Federation, in turn, provides criminal liability for the unlawful collection or dissemination of information about a person's private life that constitutes his personal or family secret without his consent, for the dissemination of such information in a public speech, a publicly displayed work or the mass media, and for the same acts committed by a person using his official position. It follows from these articles that any person who violates the Federal Law can be held liable. As long as mobile applications (social networks and the like) and Internet of Things (IoT) devices perform no action without the user's confirmation, the requirements of the law are formally met; the user must therefore take particular care when confirming permissions that grant access to confidential information. The same applies to corporate data protection standards [11] .
Protection of personal data in social networks
Although a user can configure access to his profile in a social network, this does not by itself solve the problem of protecting personal data. There are other channels of leakage: publicly available data that users voluntarily post on social networks can be processed by third-party services. An individual nevertheless always has the right to have such data excluded by sending a request to the personal data operator (for example, a telecom operator or a hosting provider), after which the operator is obliged to stop processing that person's personal data immediately [12] .
Digital Media Personal Information
Another aspect of personalization is the growing prevalence of open data on the Internet. Many companies make their data available on the Internet through APIs, web services and open data standards. [13] Data provided in this way is structured so that it can be linked and reused by third parties. [14] Access to the data in a user's personal social graph can be provided by third-party application software suited to a personalized web page or information device.
Web pages can be personalized on the basis of user characteristics (interests, social category, context and so on), actions, intentions to make a purchase, to check the status of an object, etc. Note that this experience is rarely a pure accommodation of the user; it is an interplay between the user and the wishes of the site's designers, who steer specific actions toward their own goals (for example, raising the page's sales conversion).
Personalization is also being considered for use in less open commercial applications to improve the user's experience on the Internet. [15]
Mass personalization
Mass personalization is defined as individual customization in accordance with the tastes and preferences of end users. It can be seen as a collaboration between customers and manufacturers, who have different sets of priorities and must jointly search for solutions that best fit the individual needs of customers within the manufacturer's customization options.
The main difference between mass customization and mass personalization is that customization is the company's ability to let its customers create and select a product according to certain specifications, within limits. An example of mass personalization: a website that knows the user's location and shopping habits presents offers adapted to that user's demographic group. Each user is classified by a particular characteristic (location, age, etc.). Behavioral targeting is a closely related concept.
See also
- Federal Law "On Personal Data"
- Consent to the processing of personal data
- Personal data processing
- Personal Data Operator
- Personal data subject
- Protection of personal information
- Leak prevention
- Destruction of personal data
- Information Security
- Information system
- State Information Policy of Russia
- Informational self-determination
Notes
- ↑ Federal Law "On Personal Data"
- ↑ Rossiyskaya Gazeta. Decree of the Government of the Russian Federation of November 1, 2012 No. 1119, Moscow
- ↑ Government Decision No. 1119. Scheme of requirements
- ↑ Comparative analysis of the old and the new regulatory framework (from 02.2013).
- ↑ The procedure for the operation of the personal data operator in accordance with the new legislation (from 02.2013)
- ↑ FSTEC of Russia - Information and reference system for documents in the field of technical protection of information
- ↑ FSTEC of Russia - Decision of the FSTEC
- ↑ FSB of the Russian Federation - Open methodological materials designed to determine methods and methods of protection using cryptographic means of personal data.
- ↑ FSTEC, FSB, Ministry of Communications of Russia. On declaring invalid the order of the Federal Service for Technical and Export Control, the Federal Security Service of the Russian Federation and the Ministry of Information Technologies and Communications of the Russian Federation of February 13, 2008 No. 55/86/20 "On approval of the Procedure for the classification of personal data information systems". Rossiyskaya Gazeta (December 31, 2013).
- ↑ Federal law of December 22, 2008 N 262-ФЗ "On providing access to information on the activities of courts in the Russian Federation
- ↑ Manyk P.V. Legal basis of security of a virtual environment // Information Security. - 2016. - No. 2 (35). - p. 33.
- ↑ Manyk P.V. Protection of personal data in social networks // Information Security. - 2016. - No. 5. - pp. 8-9.
- ↑ Thorpe, Chris; Rogers, Simon. "Ordnance Survey opendata maps: what does it actually include?" . The Guardian (2010).
- ↑ Google Opens Up Data Center for Third Party Web Applications. Cio.com (2008-05-28). Retrieved 2013-01-16.
- ↑ Bowen, J.P. and Filippini-Fantoni, S. Personalization and the Web from a Museum Perspective. In David Bearman and Jennifer Trant (eds.).