Sample act on destruction of expired documents


General procedure for handling documents containing PD

PD is stored no longer than required by the purposes of its processing and is then subject to destruction. The procedure is as follows:

  1. Media containing personal information are subject to destruction in accordance with the approved order of the head of the organization. A special commission is in charge of the destruction.
  2. Media containing PD are destroyed within a period that does not exceed 30 days from the moment the purpose of processing personal data is achieved or the need to achieve it ceases.
  3. The commission selects the machine-readable and paper PD media to be destroyed.
  4. An act is drawn up on the media selected for destruction. Corrections in the act are not allowed.
  5. The commission checks all media included in the act.
  6. At the end of the reconciliation, the act is signed by all members of the commission, and then it is approved by the head of the organization.
  7. PD media subject to destruction and included in the act are, after verification by the commission, put in a designated place and sealed.
  8. Personal data may be destroyed in any way that does not allow for further processing.

2. Rules for the destruction of media containing personal data

2.1. According to these Regulations, the destruction of media containing personal data of hotel clients must comply with the following rules:

- be as reliable and confidential as possible, excluding the possibility of subsequent recovery;

- be formalized legally, in particular, by an act on the allocation of media containing personal data of hotel clients for destruction and an act on the destruction of media containing personal data of hotel clients;

- must be carried out by a commission for the destruction of personal data;

- concern only those media containing personal data of hotel clients that are subject to destruction in connection with the achievement of the purpose of processing the specified personal data or the loss of the need to achieve it, without allowing accidental or intentional destruction of current media.

Registration of procedure support

The destruction of media containing personal data takes place under the control of a special Commission, which is created by order of the head of the organization. During the procedure, an act of destruction of personal data is drawn up. After the act is drawn up, it is sent to the head of the organization for approval within 3 days.

Attention! After its approval, the act is kept in the safe of the head of the relevant department.

The fact of destruction of a medium with personal data is recorded in the “Registration Journal of Information Media Containing Personal Data and Other Confidential Information”, where the relevant data is entered in the column “Date and number of the act of destruction”. This journal is confidential documentation and is stored in a safe together with the acts of destruction.

Procedure for destruction of personal data

To minimize errors, the destruction must follow the procedure defined by law:

  1. The company, by order of management, must create a special commission to identify personal data that is no longer relevant, destroy it, and draw up an accompanying act. Employees of the personnel department, accounting department, and clerical workers are most often involved in this matter.
  2. The commission identifies the list of documents to be destroyed and carries out the destruction procedure.
  3. The commission draws up an act with a list of destroyed documents. The function of this paper is to certify that the procedure was completed according to all the rules. Members of the commission put their signatures on the act in confirmation of this.
  4. Destroyed paper media with personal data must be written off from various books and journals of such documents.

Important! If employees leave the organization, then the originals, and in some cases also copies of documents, must be handed over to them; only copies of documents are destroyed and only after a certain storage period. The same goes for the company's clients.

Deletion act

The commission draws up and signs a corresponding act on the destruction of media. It is sent to the head of the organization for approval. The act contains the following information:

  • date, place and time of destruction of personal data;
  • positions, surnames, initials of commission members;
  • type and quantity of media destroyed containing personal data of individuals;
  • grounds for deleting personal data;
  • method of destruction.

General provisions

1.1. This Regulation on the procedure for destroying personal data of hotel clients (hereinafter referred to as the Regulation) was developed on the basis of the Federal Law of July 27, 2006 N 149-FZ “On Information, Information Technologies and Information Protection”, Federal Law of July 27, 2006 N 152-FZ “On Personal Data” and other regulatory legal acts.

1.2. This Regulation establishes the frequency and methods of destruction of media containing personal data of hotel clients.

1.3. The purpose of this Regulation is to ensure the protection of the rights and freedoms of man and citizen when processing his personal data.

1.4. Basic concepts used in the Regulations:

- hotel - an organization providing hotel services to the client;

- client - an individual, consumer of hotel services, subject of personal data;

- personal data - information stored in any format relating to an individual who is identified or can be determined on the basis of such information (subject of personal data), which alone or in combination with other information available to the hotel allows the client to be identified;

- processing of personal data - actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking, destruction of personal data;

- destruction of personal data - actions as a result of which it is impossible to restore the content of personal data in the personal data information system or as a result of which material media of personal data are destroyed;

- personal data carriers - both electronic (floppy disks, CDs, tapes, flash drives and others) and non-electronic (paper) personal data carriers.

1.5. These Regulations are approved by [name of the hotel manager].


How to remove from various media: step-by-step instructions

From the Internet

The way to remove PD from the Internet depends on the service:

  1. Google.
    You need to go to the settings page and click “close your account and delete all services and information associated with it.” This step is considered the most radical, but also the most effective, if you want to permanently remove traces of your presence on the Internet.
  2. VKontakte.
    Go to the personal settings page, scroll to the end and click on the “delete your page” link. You can then indicate the reason for this decision and write a last message to your former friends, but this is optional. You can simply delete the page and all data without any explanation.
  3. Facebook.
    Removing personal data from this social network is a little more complicated. Since the company does not intend to store PD for several years and does not have time to handle requests to compile it, it is advisable to save a copy of the data before erasing the account. To do this, go to the settings page and select “Download a copy” from the list of general settings at the bottom.

    After that, you can download photos, likes, chat history and friends list in a single archive. This also includes technical information on login IP addresses and cookies. Then use the search to find “account deletion”. Deleted information will be stored in “reserve” for 1 to 3 months.

    After this time, all data will be lost forever. But there is another, less “bloody” method. To do this, select the “Security” item in your account settings, and then click “Deactivate account”. This operation will allow you to hide all your personal information, including the “friends list”,

From paper

When the storage period of documentation has come to an end, it is destroyed by shredding into small parts or in another way that excludes the possibility of further recovery of information. Paper media may be burned.

From electronic

Upon completion of the specified storage periods, computer storage media with personal data subject to destruction are physically destroyed so that they cannot be restored and subsequently used. This can be achieved by deforming the medium, violating its integrity and burning it. Files to be destroyed that are located on the computer’s hard drive are deleted using the operating system, after which the recycle bin is emptied.

Deletion of personal data is a destruction procedure with the impossibility of further use and processing. The destruction method depends on what type of media was used to store the PD. All manipulations performed by a special commission must be included in the relevant act.

Methods of destruction

The methods by which personal data storage media are destroyed depend on the type of storage media itself. But they all must meet one rule - the impossibility of recovering the data they contain.

For paper media you can use:

  • chopping (scissors or shredder);
  • burning;
  • hydroprocessing (mixing).

Machine readable media can be:

  • physically damaged (bent, broken, severely scratched);
  • burned;
  • demagnetized (subjected to chemical influence in aggressive environments);
  • formatted.

Files contained on the computer's hard drive are deleted using operating system methods.

Members of the commission are responsible for the effectiveness of the destruction process.

Violations of the procedure for destroying records and liability for them

For violation of the legislation on personal information, the operator faces administrative liability under paragraphs 5 and 6 of Art. 13.11 Code of Administrative Offenses of the Russian Federation:

  1. According to clause 5, punishment occurs for failure to comply with the deadlines for deleting and blocking files. The violator is subject to a warning or a fine: for citizens - from 1,000 to 2,000 rubles, for officials - from 4,000 to 10,000 rubles, for individual entrepreneurs - from 10,000 to 20,000 rubles, for legal entities - from 25,000 to 45,000 rubles.
  2. According to clause 6 - for failure to use automation equipment that ensures the safety of information during storage, if the inaction led to illegal use, if there is no criminal offense involved, a fine is imposed on the operator: for citizens - from 700 to 2000 rubles, for officials - from 4,000 to 10,000 rubles, for individual entrepreneurs - from 10,000 to 20,000 rubles, for legal entities - from 25,000 to 50,000 rubles.

Actions that are criminal in nature are qualified under Art. 137 of the Criminal Code of the Russian Federation, as a violation of privacy.

After revocation of permission to process personal records, they are subject to destruction. The author of the video below will tell you how to draw up such a refusal.

https://youtu.be/Q8OMzvPQ-yU

Sample personal data processing policy in 2020

Government bodies and employers pay special attention to working with personal data of citizens and employees. Concern for information security and ensuring the confidentiality of personal information is an important aspect for the functioning of any enterprise or institution.

Federal Law No. 152 establishes the concept of personal data (PD). This is any information relating to the subject, as well as allowing him to be identified directly or indirectly. The legislation does not establish a specific list of information that can be classified as personal data.

In the field of labor relations, PD may include:

  • full name;
  • passport details;
  • date of birth;
  • place of residence and actual registration address;
  • TIN or SNILS number;
  • information about education;
  • information about work experience, etc.

This list can be considered minimal. Any data provided by an employee to the employer can be classified as personal if it allows the employee to be identified.

PD can also include:

  • conditions and nuances of the employment agreement;
  • military registration data;
  • data from the medical record;
  • social payments;
  • information about awards or disciplinary actions.

All this must be kept in the employee’s personal file and cannot be used against him. Information also cannot be transferred to third parties without the consent of this employee.

Any employer is a PD processing operator, that is, the employer is responsible for the collection, storage and accumulation of any data in relation to the employee.

Data processing can be carried out by the manager or employee of the HR department manually or using automated technologies. Confidentiality must be maintained both during the actual work of an individual at the enterprise and upon completion of employment.

Federal Law No. 125 obliges enterprises to keep employees’ personal files in archives for 75 years. During this period, no information can be transferred to third parties or used for personal gain. A set of appropriate measures should be aimed at confidentiality.

How to draw up the regulation

The need to ensure confidentiality and the procedure for working with personal data must be reflected in the PD Processing Policy.

For 2020, the regulation on PD protection has the following structure:

  1. General provisions indicating the goals and objectives of the document, as well as a list of the main legal acts on the basis of which the privacy policy was created.
  2. Basic concepts with explanation of terms and meanings used in the document.
  3. Composition of the personal data, including a list of personal information of employees.
  4. Conditions for processing personal data within a specific enterprise, based on the legislation of the Russian Federation.
  5. A list of documents presented by the employee to the employer, which contain personal information.
  6. Procedures for access to information, including conditions for both internal and external access to the database and personal files.
  7. Protection of personal data, including a phased set of measures aimed at creating complete confidentiality and creating security for storing information.
  8. The rights and obligations of the employee regarding the processing of personal data, as well as the conditions for making changes and the need to notify about these changes.
  9. Responsibility for violation of confidentiality, including explanations of various cases and penalties based on the legislation of the Russian Federation.

The implementation of the PD processing policy takes place in several stages:

  1. Development of policies and coordination of document contents with department heads and lawyers.
  2. Approval of the policy as a normative act. The document must be approved by the head of the enterprise by issuing an order. When making changes to the act, a corresponding order is also required.
  3. Familiarization of enterprise employees with the order and policy. Also, not only existing employees, but also newly hired personnel should be familiar with the documents.
  4. Confirm familiarization with the text of the document with the employee’s personal signature in a special journal. Confirmation is not mandatory and is at the discretion of the employer.

In practice, the manager and any employee of the enterprise should be able to refer to the text of the regulation if necessary. For ease of use, many large enterprises post regulatory documents in a resource for general corporate access.

https://www.youtube.com/watch?v=0jYRCm0R5Sg

If there is currently no provision on the confidentiality of personal data, it must be immediately developed and agreed upon with all authorities. A well-drafted document will help avoid many problems and disagreements.

What violations may there be?

Options for violations and possible sanctions are discussed in the table:

| Violation | Sanctions for individuals | Sanctions for officials | Sanctions for legal entities |
|---|---|---|---|
| Processing of personal data for “other” purposes. For example, transfer to third parties or advertising companies. | Warning or fine in the amount of 1-3 thousand rubles | Warning or fine in the amount of 5-10 thousand rubles | Warning or fine in the amount of 30-50 thousand rubles |
| Processing of personal data without consent. Consent must be provided in writing and certified by the personal signature of the individual. It is also necessary to include the date of completion of the document and the expiration date. | Fine in the amount of 3-5 thousand rubles | Fine in the amount of 10-20 thousand rubles | Fine in the amount of 15-75 thousand rubles |
| Lack of access to the PD regulations to employees of the enterprise at any time if necessary. | Fine in the amount of 700 – 1,500 rubles | Fine in the amount of 3-6 thousand rubles | A fine of 5-10 thousand rubles for individual entrepreneurs and 15-30 thousand rubles for organizations |
| Hiding information from the data owner about changes in personal data or policy. | Fine in the amount of 4-6 thousand rubles | Fine in the amount of 5-10 thousand rubles | Fine in the amount of 20-40 thousand rubles |
| Violation of the security of personal data, as a result of which third parties could obtain information. | Fine in the amount of 700 – 2,000 rubles | Fine in the amount of 4-10 thousand rubles | A fine of 10-20 thousand rubles for individual entrepreneurs and 25-50 thousand rubles for organizations |

Thus, the transfer of personal information to an employer or other institutions must be accompanied by filling out consent to the processing of personal data.

At the same time, the recipient of consent does not have the right to distribute personal information after the provision of a service or after dismissal for several decades. If the procedure for processing information or confidentiality is violated, the victim can go to court to clarify the situation.

How to block and destroy information on various media?

The procedure for blocking or destroying files is established in the operator’s local acts. The entity authorized to carry out such actions (administrator) may be:

  • the employee responsible for processing who is vested with such powers according to the job description;
  • a commission, the composition and procedure of which is approved by order of the operator company.

Based on the formulation of the concept of destruction of records in the law, two types of deletion can be distinguished:

  • destruction of information with the impossibility of restoring it;
  • removing media.

Since the requirements for the destruction of information are not legally defined, the operator independently deals with the destruction of personal information.

There are many companies on the market that are ready to provide relevant services in different variations.

On paper

If personal information is stored on paper, then operators use the following destruction methods:

  • shredding - grinding on a special device or hydroprocessing;
  • heat treatment (burning papers).

Before using the shredder, the operator has the right to choose one of five levels of confidentiality. Such a procedure is not established by regulation, so the operator is not responsible for the choice.

On electronic media

There are several types of electronic media, including:

  • floppy disks and zip disks;
  • CD and DVD discs;
  • hard drives;
  • hard drives, etc.

Previously, cassettes were also relevant, but now flash media is more actively used.

Deleting files from electronic media must be carried out in accordance with the standards established by Russian and international regulations, for example: GOST R 50739-95 (RF); DoD 5220.22-M and NAVSO P-5239-26 (RLL) (USA); VSITR (Germany).

To destroy an electronic carrier, it is necessary to exert an influence that destroys the chemical, magnetic and physical components of the object. This may happen:

  • mechanically - the impact of a press, the use of sandblasting, ultrasonic and electrochemical erosion;
  • chemically – placing the object in an aggressive environment;
  • thermally - set on fire, melted down.

The use of such methods reduces the possibility of reading files from media to zero.

Removing data from remote storage

Remote storage, often also called the “Cloud”, is a convenient way to store and synchronize subject information. Removing records from such storage is governed by the rules of the system developers, so the user must first become familiar with the rules for using the remote storage service. Typically, developers provide a user manual that covers, among other things, clearing the storage of unused files.

Another way to destroy data from storage is to delete the cloud itself.

What is a document destruction act?

In organizations, these procedures are carried out regularly. After all, every year a lot of papers are sent to the archive for storage. However, you cannot simply throw away even those documents that are already considered invalid. This procedure must be completed correctly, and this is done with the help of an appropriate act. In essence, this document allows the company to write off unnecessary papers from its balance sheet. Only after completing such a document can you begin disposal. This is done in different ways. For example, if there are few documents, they are simply burned, although this is not recommended for large volumes. Fire harms the environment, and it is not always convenient to get rid of documents in this way.

Today there are special devices that are capable of shredding documents so much that they cannot be restored. If we talk about large corporations, for these purposes they often turn to specialized companies that deal with the destruction of paper documentation. It is strictly not recommended to send papers to waste paper or simply throw them in the trash. Even documents that have expired contain certain information. It is necessary to do everything possible to prevent it from falling into the hands of competitors and attackers who can use certain information in their own interests.

Who is responsible for document disposal?


To dispose of papers, a special commission is appointed, which must consist of two or more people. As a rule, this includes employees from different structural divisions, although there is no fundamental difference who exactly will carry out this procedure. It is advisable that the commission include an employee of the department to which the documents being destroyed belong. Each member of this group must sign the document. The commission bears full responsibility for the correct destruction of documentation, so extreme care is needed. First, it is necessary to prevent the possibility of information leakage. Second, there are situations when, by mistake, documents whose retention period has not yet expired are disposed of along with the unnecessary ones. Everything possible must be done to avoid such a situation.

Do not forget that most primary documents must be stored at the enterprise for five years. If such documentation is destroyed, the organization faces penalties. Such situations are considered as illegal destruction of important documentation, which raises suspicions of any fraudulent activities. It is worth recalling that for this, members of the commission may face not only administrative punishment. Such actions may also result in criminal liability.
