Order approving the Regulation on the Protection of Personal Data: sample order

The development of information technology has made the topic of personal data protection one of the most discussed at various levels. Large-scale scandals involving leaks of confidential information from the White House or the personal information of millions of visitors to an international dating site have thundered throughout the world. There are also smaller cases, at the organizational level (for example, HR department employees using pages containing employees’ personal information as scrap paper, or the posting in the public domain of information about students of educational institutions or patients of clinics). This often happens out of ignorance: not all officials understand. However, the search phrase “download a sample order on the protection of personal data of employees 2019” is in the leading positions in search engines. And there are quite understandable reasons for this.

The state’s attitude towards such “missteps” is changing decisively towards tougher punishments for them. In order to avoid trouble, you need to organize the protection of personal data as required by Chapter 14 of the Labor Code of the Russian Federation and Law No. In this article we will briefly talk about what package of documents needs to be prepared, and also provide a sample order on the protection of personal data of employees.

Organization of protection (package of documents)

The head of the enterprise must, by order, appoint one of the employees responsible for the processing and storage of confidential information and instruct him to draw up local regulations. Here is a small list of them:

  • the organization’s policy regarding personal data (in this case, a sample order will be drawn up approving the policy for processing personal data for the organization as a whole);
  • regulation on the processing and protection of confidential information (order to approve the regulation on the protection of personal data);
  • list of persons who have access to it;
  • (in general, consent must be obtained from employees, in particular cases, for example, for schools - from parents, for medical institutions - from patients, for newspapers, magazines and publishing houses - from authors, etc.);

Development and approval procedure

How well organizations comply with the requirements of 152-FZ is checked by Roskomnadzor in accordance with the Administrative Regulations approved by Order of the Ministry of Telecom and Mass Communications of Russia dated November 14, 2011 No. 312. So that the inspector has no reason to “take measures,” it is necessary to prepare the documents listed above and approve them by orders of the head of the organization. The fundamental order will be the one approving the Regulations - see the sample order for the approval of the regulations on personal data (2019).

Sample order on personal data of employees 2019

It is extremely important to comply with the rule formulated in Art. 86 of the Labor Code of the Russian Federation: everything the employer knows about the employee must be obtained from the employee himself. As a last resort, you can turn to a so-called third party if the employee does not have the necessary information (forgot it, lost it...), but only with his knowledge (for example, request a copy of the diploma from the university archive). The employee must be notified of this and his consent must be obtained: this is done in the form of a statement of consent to receive information from a third party.

All this must be written down in the regulations, which the employee must be familiar with before signing the employment contract.

Regulations on the Protection of Personal Data of Workers 2019

Access to personal data

Personal data of employees is, figuratively speaking, “gold and diamonds”, access to which is limited even for employees of the organization. The director decides who will have access to them. General requirements for work in this area are prescribed in the regulations (a sample order for approval of the regulations on the protection of personal data in 2019 can be made in free form; there is no unified form for this document). At the same time, a separate regulatory document states who, when and for what purpose has access to certain personal data. As a rule, full clearance is granted to:

  • the general director and his deputy for security;
  • the head of the HR department.

Other specialists, including accountants, can only have access to the information they need to perform their job duties.

Special cases

It happens that information changes (for example, a woman gets married and changes her last name or a student receives a higher education diploma). In this case, the employee submits an application, and on its basis an order is issued to amend a number of documents (see sample order to change the employee’s personal data). However, this order does not apply to documents the availability of which is dictated by Federal Law-152 - this is one of the standard personnel orders.

There is information that is extremely confidential (see sample order for access to personal data of employees), and attempts to find out from an employee what communities he is in, what his religious beliefs are, how he feels and what political views he holds are illegal. However, there is a long list of conditions under which this is still possible (Article 10). Such exceptions (among others) include, for example, cases of receipt of motivated requests (containing the purpose of the request, justification of the authority’s competence and the legal basis of the request) from the prosecutor’s office, the Ministry of Internal Affairs or the Labor Inspectorate, as well as medical information if it is necessary to provide assistance to the patient. Indeed, patients of medical organizations are very sensitive to privacy, but they are protected by the duty of the health worker to maintain medical confidentiality (Article 73 of the Federal Law No. 323-FZ).

A medical organization is obliged to be especially attentive to data processing and prepare its own industry-specific documentation, for example, have an order approving the regulation on the protection of personal data and an order “List of personal data of patients to be protected.”

Employee personal data is information relating to a specific person that is necessary for the employer in connection with labor relations. The legislation provides for a number of obligations regarding the receipt, storage, transfer and protection of personal data of employees. The employer should be guided not only by the provisions of the Labor Code of the Russian Federation and federal laws, but also by local regulations, which should be in place in every organization. Such a local act is the Regulation on Personal Data.

In Art. 3 of the Federal Law of July 27, 2006 N 152-FZ “On Personal Data” it is indicated that personal data is any information relating to a directly or indirectly identified or identifiable individual. Personal data includes: last name, first name, patronymic, age; education, place of residence, marital status, nationality, religious and political beliefs, sexual orientation, etc.

As regards the sphere of labor relations, the employee’s personal data is considered only that information that is necessary for the employer in connection with the labor relationship. This is information about education, specialty, qualifications, health status (for engaging in certain types of activities), presence of children, income (for filling civil service positions). An employer does not have the right to request information from an employee, for example, about his religion or nationality, so as not to violate the right to privacy.

By virtue of Art. 85 of the Labor Code of the Russian Federation, the employer processes the personal data of employees, which includes actions to receive, store, transfer or otherwise use it. In addition, the employer must ensure its protection from misuse and loss in the manner established by the Labor Code of the Russian Federation (clause 7 of Article 86 of the Labor Code of the Russian Federation) and other federal laws, at its own expense.

Storage and processing of personal data, as a rule, is carried out simultaneously using an electronic storage system and on paper. What data in a particular organization is subject to storage and processing as personal, who has access to such data, how it is protected from unauthorized access - all this is stipulated in the Regulation on Personal Data (hereinafter referred to as the Regulation), which must be developed in each organization.

Employees of the organization must be familiarized with the Regulations against signature, and newly hired persons should, in accordance with Art. 68 of the Labor Code of the Russian Federation, be familiarized with the Regulations before signing an employment contract. Employees involved in the processing of personal data must undertake not to disclose personal data.

It is important to know! Documents that set out provisions on the processing and protection of personal data can be checked by regulatory authorities, in particular by Roskomnadzor employees. Therefore, it is recommended that the employer take a responsible approach to their development.

Procedure for approval of the Personal Data Regulations

The regulation on personal data in the organization must be developed and approved as a local act. If the organization has a trade union, then the Regulations are approved taking into account its opinion in the manner prescribed by Art. 372 of the Labor Code of the Russian Federation (if this requirement is established by a collective agreement or agreement): the employer sends the draft Regulations to the elected body of the primary trade union organization, which no later than five working days from the date of its receipt, sends the employer a motivated opinion on the project in writing.

If the opinion does not agree with the draft Regulations or contains proposals for its improvement, the employer may accept them or, within three days after receiving such an opinion, is obliged to conduct additional consultations with the elected body in order to reach a mutually acceptable solution.

If agreement is not reached, then a protocol of disagreements is drawn up, after which the employer has the right to accept the Regulations. But at the same time, it can be appealed by the elected body of the primary trade union organization to the state labor inspectorate or to the court. The trade union also has the right to initiate a collective labor dispute procedure. If the organization does not have a trade union, but there is another representative body of workers, the Regulations must be agreed upon with this body.

If there is neither one nor the other, the employer approves the Regulations independently, following the approval procedure established by the local regulatory act of the organization. The adopted local act is agreed upon with the head of the personnel department, chief accountant, lawyer or other employees. The regulation is put into effect by order of the head of the organization.

Structure of the Personal Data Regulations

The regulation should consist of the following sections:

  1. General provisions: indicates the purpose for which this Regulation is being adopted and what issues it regulates.
  2. Basic Concepts. Composition of personal data of employees: this section reveals which documents in the organization contain personal data.
  3. Storage of personal data: this section specifies the procedure and place of storage of documents (cases) containing personal data.
  4. Processing of personal data: This section should indicate what conditions must be met when processing the employee’s personal data.
  5. Transfer of personal data: the procedure for transferring personal data of employees within the organization, as well as to third parties and government bodies is prescribed.
  6. Access to personal data: the section should contain information on the procedure for accessing personal data of employees. Access is divided into internal (provision of personal data to individual employees of the organization) and external (transfer of personal data to representatives of other organizations and government bodies).
  7. Responsibility for violation of rules governing the processing and protection of personal data: in this section you need to specify who in the organization is responsible for violating the rules for storing and using personal data.

Additional sections can be added to the Regulations if necessary.

The order approving the regulation on the protection of personal data is a mandatory document for all companies and individual entrepreneurs that collect and somehow use citizens’ personal information in their activities. Among these organizations are employers. Therefore, they are required to take steps to protect the information of their employees. We invite you to study and download the regulations on the protection of personal data of employees 2019, thereby avoiding punishment from inspection authorities.

The global trend in the development of legislation in the field of personal data protection demonstrates the tightening of standards regulating punishment for the illegal use of personal information. Russian law does not stand alone on this issue and also strives to strengthen control over data leakage. When organizing the protection of confidential information at an enterprise, it is necessary to rely on Chapter 14 of the Labor Code of the Russian Federation and Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”. They will help you figure out what a correct sample order on the regulation on the protection of personal data looks like.

What data is considered personal?

Before examining a sample order for approval of a personal data processing policy, it is worth understanding what information relates to them. By law, this information is:

  • full name;
  • age (year of birth);
  • marital status;
  • education;
  • profession;
  • residential address;
  • race and nationality;
  • religion;
  • biometric data;
  • political views;
  • health status.

This list is by no means exhaustive and may include many other types of information about a person. However, all of them cannot be disclosed or processed without the permission of the person to whom they relate. Law No. 152-FZ of July 27, 2006 speaks about this.

An exception is, for example, cases when the disclosure of this information is necessary to prevent a threat to the security of the individual or the state. In order not to violate these rules, enterprises must develop a local regulatory framework. And all these nuances are contained in a sample order for access to personal data of employees.

Sample order on personal data of employees 2019: where to start

The enterprise must appoint an employee responsible for preparing a package of documents on the protection of confidential information. Such an appointment is made on the basis of the relevant order of the manager. The appointed employee must prepare a certain package of documents, including:

  • Regulations on the processing and protection of confidential information. A sample order for approval of the regulation on personal data 2019 is described in detail in a special material;
  • sample order for storing personal data;
  • the company's policy regarding such information;
  • list of persons who have access to them;
  • non-disclosure agreement;
  • data transfer log.

The listed documents are put into effect by the relevant order of the head of the organization.

Sample order for approval of the regulation on the protection of personal data (2019)

Please note that it is not enough to approve such an order. All employees must be familiarized with it under their signature (Art. 86 of the Labor Code of the Russian Federation).

Responsibility for lack of documentation

The package of these documents will help not only comply with the law, but also protect the organization from claims from Roskomnadzor, the inspection body in this area. The rights and obligations of the regulatory body and the inspected organization are regulated by Order of the Ministry of Telecom and Mass Communications of Russia No. 312 dated November 14, 2011. And on February 23, 2019, Government Decree No. 146 of February 13, 2019 came into force, which describes the rules for conducting checks to ensure compliance with the legislation on the processing of personal data.

Inspectors pay attention to the availability of documentation and to the implementation of the security measures provided for in it. For the disclosure of personal information of employees, the employer and its officials (manager, accountant, secretary, personnel department employees) may face liability:

  • disciplinary - on the basis of subparagraph “c” of clause 6, part 1, Art. 81 of the Labor Code of the Russian Federation;
  • administrative - on the basis of Art. 13.11 of the Code of Administrative Offenses of the Russian Federation (fine up to 75,000 rubles);
  • criminal - subject to the provisions of Art. 137 of the Criminal Code of the Russian Federation (fine up to 300,000 rubles or imprisonment for up to 3-4 years).

What else is worth knowing

The employer must remember that all information about the employee must be obtained from the employee himself or, only with his written consent, from third parties. This option can be used, for example, if any documents are lost.

There are often cases when information about an employee changes, for example, when a last name changes or a change in marital status. The legislation does not establish a specific period within which the employee must notify the employer of changes. Therefore, it is recommended to fix the deadlines in local regulations. The employer must be notified by means of an appropriate statement supported by documents certifying the changes.

Sample

At some enterprises, based on an application, an order is issued to change information about an employee. A sample of this document can be downloaded below. But to facilitate the procedure, an additional agreement is often simply prepared, changes are made to the employee’s personal card, work book and other documents if necessary.

Particular attention is paid to the confidentiality of information about patients in medical institutions. First of all, the obligation to remain silent about the condition of patients lies with the doctor himself. But this does not relieve the administration of the medical institution of the need to issue an order “List of personal data of patients subject to protection.”

June 25, 2012 Moscow

Order No. 203 on approval of the Regulations on personal data of employees of SATURN LLC

Pursuant to Ch. 14 of the Labor Code of the Russian Federation, Federal Law of July 27, 2006 N 152-FZ “On Personal Data”, other current regulations, as well as for the purpose of bringing local regulations of SATURN LLC into compliance with the current legislation of the Russian Federation

I ORDER:

1. Enter into force from June 26, 2012 the Regulations on personal data of employees of SATURN LLC (hereinafter referred to as the Regulations).

2. HR Manager L.A. Kukina shall, by June 29, 2012, bring the Regulations to the attention of all employees of the organization against signature.

3. By June 27, 2012, obtain from the employees processing personal data listed in the Regulations a non-disclosure undertaking regarding the personal data of employees of SATURN LLC (in the form of Appendix No. 1 to the Regulations).

4. Determine the office of the organization’s HR department as the storage location for the Regulations.

5. Control over the execution of this order is assigned to the Deputy General Director - HR Director N.V. Maksimova.

General Director Korolev /V.V. Korolev/

The order has been reviewed by:
HR Manager Kukina /L.A. Kukina/
HR Director Maksimova /N.V. Maksimova/

Personal data includes information that allows you to identify a specific person. Federal Law No. 152-FZ of July 27, 2006 defines a list of information, including full name, gender, age, photo and video of a person, education, place of residence, marital status and other similar information, according to which a specific person can be identified.

In the article we will answer questions about the need to issue and the content of a data protection order, as well as the employer’s responsibility in its absence.

Why do you need an order on personal data?

The administration of the institution must implement a system for protecting information about employees. One of the elements of this system is the issuance of an administrative document that defines the algorithm for working with such data.

The Data Protection Order defines the obligation of responsible persons to ensure the confidentiality of personal data about employees and the scope of access of each official.

There is no established sample order for the protection of personal data of employees, but the content of the document accompanying the organization of the information protection process is legally defined:

  • appointment of a person responsible for organizing the data processing process;
  • determination of the list of persons permitted to collect, store and process the data;
  • approval of regulations on the processing and protection of confidential data.

How to correctly fill out an order regarding personal data

Although the 2019 sample order on personal data of employees does not have a set form, it must be drawn up in accordance with the general requirements for administrative documents.

The header of the document contains the name of the organization, the name and number of the document, the place and date of preparation.

The preamble must contain the rationale for its issuance (the circumstances that gave rise to its creation) or the basis (a direct reference to a specific document or legislative act).

The main part of the order on personal data must contain:

  • the actual order on approval of the regulations on personal information, as well as the list of persons admitted to its processing and the degree of their access;
  • an indication of the person responsible for ensuring the data processing process, his position and full name;
  • instructions to the responsible person to familiarize employees with the administrative document;
  • designation of an employee who will monitor execution (this may be the manager himself).

The manager must sign the document. All employees of the institution who use such information in their work activities must be familiarized with it by signature.

Sample order to change an employee’s personal data

How to fill out

The order may consist of the following sections:

  1. General provisions. The section indicates the purpose of the provision and the range of issues that it regulates.
  2. Basic concepts. Composition of information about employees. It is necessary to indicate which specific documents in the organization contain the specified data.
  3. Data processing. This section specifies the conditions that must be met during processing.
  4. Data transfer. It is necessary to establish a procedure for transferring information within the organization, third parties and government agencies.
  5. Access to data. Includes information about the procedure for internal and external access to employee data.
  6. Responsibility for violation of rules governing the processing and protection of information. Indicate who in the organization is responsible for violating the rules for its storage and use.

The Regulations on personal data must be brought to the attention of all employees. Actual familiarization with the Regulations can be recorded in the text of the employment contract, on a familiarization sheet attached to the Regulations, or in the log of familiarization with the local regulations of the institution.

Sometimes information about an employee changes (for example, due to marriage, the last name changes). In this case, the employee sends an application to the employer, on the basis of which the latter issues an order to amend a number of documents.

Responsibility for absence

Employee information must be protected from unauthorized access. Roskomnadzor checks the organization's compliance with the requirements of 152-FZ.

The law does not directly establish types of violations and liability for them. 152-FZ refers the employer to other industry legislation. Thus, the Criminal Code of the Russian Federation contains rules providing for liability for the unlawful use of information about employees.

The main liability for violating the norms of 152-FZ is administrative, which can be incurred for violating the procedure for collecting, storing and using information, or for failure to provide it at the request of authorized bodies.

For violation of 152-FZ, an official may be subject to disciplinary liability for improper performance of job duties when processing information, including dismissal under subparagraph “c” of clause 6 of Art. 81 of the Labor Code of the Russian Federation.