Personal data in the Russian Federation
I-Teco company, Information Security Department, 2012 (www.i-teco.ru)

Structure and organization of works for ensuring compliance with the requirements of the Federal Law "On personal data" (152-FL): what should an operator of personal data do?
Slide 2

What does a personal data operator expect?
• Compliance with Russian legislation on personal data
• No claims from the regulators
• No claims from the PD subjects
• Capacity to do business and compliance with the requirements for normal operation of the company

What products and services do contractors offer in the field of personal data?
• Survey and a subsequent report on the presence of personal data, with proposals concerning its protection
• Required documents (25 templates), with adaptation where needed
• Technical protection design
• Implementation of technical and organizational protection means
Slide 3

At present the authorized body for regulation in the field of personal data (appointed in accordance with Article 23 of the Federal Law "On personal data") is the Federal Supervision Agency for Information Technologies and Communications (Roscomnadzor). This federal agency is responsible for control and supervision of operators' compliance with the requirements of the Federal Law "On personal data" when processing personal data. The FSB and FSTEC are responsible for ensuring compliance with the 152-FL requirements for technical protection.
Slide 4

Scheduled inspection: inclusion in the annual plan. Two forms of inspection exist: documentation inspection and field inspection.

Documentation inspection:
• Notifying the PD operator no later than 3 working days before the inspection (by registered mail or other means)
• Inspection of the data in the documents supplied by the PD operator
• In case of doubtful veracity of the supplied information, the inspectors request additional information from the PD operator, attaching a copy of the order for inspection authenticated by stamp
• Sending the documents specified in the request to Roscomnadzor (as copies, without notarial certification) within the next 10 working days
• Exposure of discrepancies, non-conformities or violations: a request is sent to the PD operator for written explanations within the next 10 working days
• Duration: up to 20 working days

Signs of violation (grounds for a field inspection)

Field inspection:
• Presentment of the certificate of employment and bringing to the notice of the PD operator the order or decree concerning the scheduling of the inspection and a description of its purpose
• Making documentation available, providing access to the territory, etc.
• The inspection can be carried out only by the executives specified in the order for inspection
• Duration: up to 20 working days; up to 50 hours for a company of small size; up to 15 hours for a company of very small size
• In exceptional cases related to the need for complex investigations, the duration of a field inspection can be extended to 20 working days (15 hours for companies of small and very small size)
Slide 5

1. Resolution of legal issues and compliance risks related to PD (this stage is frequently forgotten!)
• Correctly written agreement of the PD subject for PD processing
• Agreement for distributing PD to public access
• Correctly composed notification of Roscomnadzor
• Coordinated phrasing and terms in agreements with third parties and in the operator's internal documentation
• Other legal issues related to PD processing

2. Survey of information systems with personal data
• Recognition of automatic processing
• Recognition of non-automatic processing
• Classification of information systems with personal data

3. Development of organizational and technical means for PD security
• Preparing project assignments
• Approving the acts of classification of information systems with personal data, threat identification, development of protection design documentation
• Development and maintenance of the necessary organizational documentation

4. Implementation of the personal data protection system
• Installation and configuration of protection software and appliances
• Trial operation of the information security system
• Verification of information systems with personal data (if necessary)
Slide 6

Objective of the works

The goal of the works is conformance to the law of the Russian Federation "On personal data", including resolution of legal issues with data processing, creation of personal data information systems and of a protection system that applies a comprehensive set of organizational and technical means to ensure personal data protection while processing personal data in information systems in accordance with Russian law.

Scope of the works

The works are implemented in 4 stages:
1. Gathering and analysis of original data on the current state of information security (IS) in the personal data information system; evaluation of the compliance of IS in the personal data information system with the regulatory requirements of the Russian Federation on personal data; preparation of a concept for building the personal data protection system (PDPS) in the personal data information system; development of the technical enquiry for the PDPS; resolution of legal issues concerning the processing and transfer of PD.
2. Development of the technical design for creation of the PDPS.
3. Implementation of the necessary organizational and technical protection means in accordance with the developed technical design of the PDPS.
4. Verification of the information system with personal data (if necessary).
Slide 7

• Analysis of the systems and standard data storages in use
• Allocation of PD processing
• Analysis of gathered data
• Evaluation of the legal prerequisites for personal data processing: usually they are missing, so it is necessary to obtain the agreement in written form and to clarify all possible aspects of obtaining PD without the subject's consent
• Resolution of issues of PD transfer
• Resolution of issues with PD open for public access and depersonalized PD
• Resolution of issues related to PD distribution
• Compliance with legal requirements
Slide 8

• Generation of the list of processed PD
• Defining the guidelines for PD processing and the duration of its storage; approval of the list by the CEO
• Defining the limits for storage duration after cancellation of the agreement with the employee/client: defined on the basis of legislative requirements (labor legislation, pension legislation) and the period of limitation
• Development of the Statement of compliance of PD security during its processing in the personal data information system
• Exclusion of unauthorized access (including accidental access)
• Development of the procedure for granting access to PD, defined by working requirements
Slide 9

• Implementation of PD system classification: defining the processed categories of PD; defining the type of information system (standard, specialized)
• Development of internal regulatory documents concerning the confidential data: list of PD; PD security threat model; acts of classification of the information system with personal data; PD protection system description; official letter on personal data protection system usability
• Development of a system for controlling the security of PD processing: internal control system; state control system
Slide 10

• Gathering and analyzing the information about the information system with personal data
• Development of recommendations for classification of personal data information systems
• Resolution of legal issues concerning PD processing and transfer of PD to third parties
Result: development of acts of classification for personal data information systems and notifications to Roscomnadzor

• Development of project assignments
• Development of the technical design and working documentation for protecting personal data in the information system
Result: development of threat models for each personal data information system

• Development of the set of regulatory documents which regulate PD protection
• Verification of the personal data protection system
Result: system commissioning and validation of compliance with regulatory requirements
Slide 11

Oleg Kuzmin, Director of Information Security Department, I-Teco
Thank you for your attention!