How to formalize an obligation of non-disclosure of personal data


How to work with personal information?

Article 86 of the Labor Code of the Russian Federation indicates that the personal data of an employee is information necessary for the employer to enter into an employment relationship with a specific person, while the legislation does not establish a specific list of information required for this.

The same article introduces the concept of processing, which includes receiving, storing, combining, transferring or any other use of an employee’s personal data. The employee indicates this data on a special form when registering under the Labor Code of the Russian Federation.


Thus, information is processed when compiling personal files, lists of employees by organization, structural divisions, positions, qualifications, approving the staffing table, etc. The following documents accompany the processing:

  • Regulations on personal data of employees of the organization.
  • Consent to the processing of personal data.
  • Consent to an employer's request for information from third parties.
  • Order on the appointment of a person responsible for organizing work with personal data.
  • Order on approval of the list of persons who have the right to access confidential information about the employee.

All information concerning the employee’s identity is confidential. This means that access to it must be strictly limited, and persons who have such access (under an order, to perform their official duties) may work with it only with the consent of the owner.

Undertaking on non-disclosure of trade secrets/confidential information

I, (last name, first name, patronymic), passport (series, number, by whom and when issued), residing at: (registration address), undertake to keep confidential and not to disclose to third parties confidential information received by me in the performance of my official duties in (or when performing work for, or when providing services to) (full name of the organization to which the undertaking is provided), hereinafter referred to as 'Company', except in cases where the transfer of information is expressly provided for by law or is carried out on behalf of the Company.

Documents establishing the protection procedure

Art. 7 Federal Law “On Personal Data” dated July 27, 2006 No. 152 obliges organizations that are operators for processing personal data of employees to ensure the confidentiality of the information received. To meet these requirements, organizations are developing a number of protective measures to prevent unauthorized access to private employee information.

The list of specialized documents establishing the procedure for data processing may include:

  1. Statement on personal data.
  2. Rules for working with personal information.
  3. An order for permission to carry out actions with this type of information.
  4. Order on approval of the list of persons with access to private data of employees.
  5. Non-disclosure agreement.
  6. The employee’s consent to transfer private information to third parties.
  7. Regulation on the protection of personal information.
  8. Job descriptions.


Moreover, the employer must ensure data protection, both internal and external. For internal protection, for example, lists of employees with access to private information are developed. Their workplaces must be equipped so that no one can easily gain access to view or seize documents containing personal information of employees.

Contents of the obligation

The legislation does not set uniform requirements for the content of the obligation not to disclose employees’ personal information. However, special requirements have been established for responsible persons who process personal data without automation. They must be informed about:

  • the fact that they process this type of data without the use of automation tools;
  • categories of data to be protected;
  • features and rules for their processing established by law and local legal acts of the organization.

Responsibility for storing information

The Labor Code of the Russian Federation also prescribes the need to implement the correct storage of personnel data in accordance with federal laws.

Some employers approve an Order to set aside an area for storing confidential information about employees.

Physical storage is ensured using the following documents:

  • personal file;
  • employment history;
  • employment contract;
  • agreement on liability;
  • staffing schedule;
  • application form or resume filled out when applying for a job.

All these documents are stapled into separate folders and arranged in alphabetical order.

With the electronic storage method, all information is stored in a personal data database, and then the organization’s programmers must ensure that it is stored and protected correctly. For this purpose, a Project for a system for protecting the information base storing personal information can be developed. In practice, employers prefer to combine data storage on paper and electronically.

Persons guilty of non-compliance with the legislation on personal data are subject to disciplinary and financial liability in accordance with Art. 90 of the Labor Code of the Russian Federation, and are also subject to civil, administrative and criminal liability (Art. 13.11 of the Code of Administrative Offenses of the Russian Federation, Art. 137 of the Criminal Code of the Russian Federation).

Requirements according to the Labor Code of the Russian Federation

The employer provides citizens with free jobs and undertakes to pay wages and appropriate remuneration for work on time and in full. In order to correctly organize the work process and comply with the requirements of Russian legislation, the personnel service requires an individual to provide a certain set of documents. After receiving the forms, the specialist and his supervisor undertake an obligation to store the data and not to disclose it.

In the Labor Code of the Russian Federation, chapter fourteen is devoted to the procedure for collecting, systematizing, and processing personal information about employed citizens. The HR department of an enterprise has the right to request from an individual only documents permitted by law and necessary for the implementation of specific regulations. The information is used to assist in obtaining a job, education, advanced training, and to guarantee the safety of entrusted property.

In 2020, when approving the scope of the requested data, the employer is guided by Art. 86-90 of the Labor Code of the Russian Federation, the norms of the Constitution of the state. Personal data is provided directly by the owner or his authorized representative on the basis of an official power of attorney. The management of the enterprise does not have the right to request other confidential information that is not relevant for employment, unless otherwise provided by the specific situation and the law. The category of prohibition includes information about participation in public associations and trade union groups.


An employer should not distribute personal data

To make important decisions regarding a specific person, the director of the company and his authorized representatives cannot rely entirely on the digitized version of personal data. The procedure for storing information received on electronic and paper media is organized by the organization and at its expense in accordance with the requirements of the preschool educational institution.

To ensure the protection of citizens’ personal data, the employer undertakes to notify them, against signature, of the procedure for storing, collecting and using information. All participants in the process must act in concert in order to form the most reliable information base, which will be completely protected from penetration by unauthorized persons. The set of measures for obtaining and posting information about a working citizen is prescribed in the internal regulations of the organization, taking into account the requirements of the laws of the Russian Federation.

Providing data to third parties

If an employer needs to transfer a citizen’s personal information to third parties, he is obliged to act in accordance with the requirements of Art. 88 Labor Code of the Russian Federation. To allow outsiders access to information, the head of the company must obtain written consent from the employee. Exceptions include cases of preventing harm to the life and health of an individual. It is prohibited to disclose sensitive data for commercial purposes without the consent of the owner.

The person who receives personal data from working citizens undertakes to use it exclusively for its intended purpose. For violating the secrecy regime, a specialist may be brought to administrative or criminal liability. The provision does not apply to the circulation of information permitted by law. For example, it is allowed to transfer information to the Pension Fund, Social Insurance Fund, Federal Tax Service for the purpose of performing the functions of a tax agent.

Enterprise specialists are provided with limited access to confidential information of workers. Each user uses only the data that is necessary to fulfill official obligations within a particular company, its branch or division. It is prohibited to require an employee to confirm their health status if such parameters are not provided for by the employment rules and the specifics of the activity.

Data can be provided after obtaining written consent

Employee powers

The owner has the right, within the operating hours of the enterprise, to request the registers in which the information is recorded for review. The owner is also allowed to review the regulations on the collection, storage and processing of this information. Obtaining copies permitted by law is free of charge. The employee has the right to approve the candidacy of an individual responsible for the protection of personal information.

The patient can review medical data about his personal health status with the help of a qualified company employee. If significant deficiencies or errors are found in the information, the employee requires adjustments. The employer undertakes to transfer to subsequent legal users materials about the corrections made. If the management of an organization or its employees have made unlawful use of information, the employee goes to court to restore rights and interests.

Agreement: what is it, what is its content and how to draw it up?

The employee’s consent to the processing of personal data is a document drawn up when an employment relationship arises. By signing the consent, the employee gives the go-ahead to receive, systematize, store, and transfer information about himself. It contains the following information:

  1. name of the operator organization receiving consent;
  2. Full name of the employee giving consent, his address, contact numbers, passport details;
  3. for what purposes does the operator perform actions with information about the employee;
  4. a specific list of information for which consent is obtained;
  5. what exactly will be done with the received information about the employee during processing (storage, combination, transfer);
  6. the period of time for which the consent will apply; after its completion, any actions with the employee’s personal data will be impossible.

The consent form is not unified; it can be developed by the company’s personnel officers; the date and signature of the employee giving consent is required.

Important! The employer must have written consent not only from employees on the organization’s staff, but also from applicants, as well as from employees with whom contract agreements have been concluded.

Basis and procedure for signing the document

The basis for drawing up and signing an obligation not to disclose personal data is that the organization has a need to familiarize employees with information about others, the disclosure of which could cause them harm.
On the other hand, communicating such information to these employees is necessary for the effective functioning of the company. As a result, they proceed as follows: this information is provided to those employees who need to know it, but at the same time they are required to keep it secret both from persons inside and outside the organization who are not authorized to receive such information.

In particular, such a document must be signed by employees who are employed in the following areas:

  • Banking;
  • Tax;
  • Law enforcement;
  • Medical.

Admission regulations

The regulations for access to the processing of personal data are drawn up according to the model in the organization in accordance with the Labor Code of the Russian Federation, the Federal Law “On Personal Data” dated July 27, 2006 No. 152 and other regulations.

The text of the access regulations contains:

  1. the purpose of access to work with the employee’s personal data;
  2. list of personal data for which processing permission is required;
  3. justification of the reasons for access to actions with personal information about the employee;
  4. procedure for termination of access to processing.

The regulations divide admission into full and partial. The following are usually full: the manager, his deputy, the chief accountant and personnel department employees. Managers at all levels have partial access (to process personal data of their direct subordinates), and accounting employees have access to work with data necessary to perform their immediate job functions.

Form of commitment

A receipt for non-disclosure of personal data is similar to the obligation discussed below.

At the same time, the regulation on working with personal data is a local legal act or, alternatively, it can be included as a section in the internal regulations of the organization. It is developed by the legal department of the enterprise, and the CEO of the company signs it, thereby putting this document into effect.

This document requires you to indicate what tasks and goals the organization sets for itself when it deals with confidential information related to its personnel. Also there you need to provide lists of information classified as secret. In addition, it includes types of operations with such data that are often practiced within a given organization.

The document also describes how access to information is implemented within this structure. It also indicates what rights employees have in terms of using information and what responsibilities are provided for them in the course of using this type of information.

Finally, they establish the extent of liability that may accrue to a given employee if he discloses information to a person to whom it is unacceptable to disclose it.

After its adoption, employees must be familiarized with this document; they, in turn, put their own signatures in the familiarization log maintained by the company’s structural unit responsible for working with personnel.

The order on non-disclosure of government data is issued by the CEO of the company. This document has a specific standard form, described below.

  1. At the top of the sheet there is a company designation, and you must indicate its legal form and name. These details make up the header.
  2. Next comes the title, centered on the page: first the word “Order”, and on the line below the clarification “On non-disclosure of personal data.” Below that, the document number and the date of its issue are indicated.
  3. This is followed by the main text; the wording in such an order is given in the first person. First there is a reference to Federal Law No. 152-FZ “On Personal Data”, then the words “I order”, and then the paragraphs of the order. These may include a provision appointing a particular person (his full name and position are given) as responsible for processing personal data.
    The order may also contain an instruction to allow the following employees to work with such information, after which there is a table showing the positions of such employees, as well as the types of personal data that are available to them in their positions.

    This part is the main one in this document. In addition, the text may require that the employees listed above (in the same table) be held personally accountable for maintaining the personal data of employees.

  4. In addition, the person who is responsible for working with personal information may be ordered, within a certain period of time, to provide employees with an undertaking for signature that they will keep personal data confidential. Such items are usually included in a document of this type.
  5. Below is the final part of the order. It includes the signature of the general director and its transcript. Below them are the signatures of the organization’s employees indicated in the table above indicating that they were familiar with the order, as well as transcripts of their signatures.

Sample document

A sample agreement on non-disclosure of personal data has a specific form and can be found on our website completely free of charge.


First comes the title of this document, located in the middle of the sheet.

Next comes the main text, which is written in the first person. First of all, the author provides his own data. The document begins with the word “I”, followed by the last name, first name and patronymic, followed by the passport data of the obligee (series, number, when and by what institution it was issued).

Next, write “Working at” and indicate the name of the enterprise. Next is the phrase “at the position”, and its name is indicated.

Then the compiler indicates that he understands that, in accordance with the employment agreement and instructions in force in relation to his position, he acquires access to the personal data of employees, including information related to their biography, their personal data, information regarding the total work experience, including specifically labor

Additionally, passport data, family composition of employees, data on their stay on military registration, salary received, social benefits provided to them, acquired specialty, position in the organization, presence of criminal records, home address, telephone number, place of study and work of relatives of employees, relationships with relatives, the content of the employment agreement concluded with them in the company.

Also, the author of the obligation gets access to information about the ownership of material assets, information indicated in the tax return, the contents of orders for personnel, work books of employees, their personal files,

In addition, he can study the grounds for issued personnel orders, files that include materials on retraining and advanced training, and duplicate statistical reports.

This is where the extensive list of information to which the person drawing up such a document has access by position ends and a new paragraph begins:

The compiler indicates that he is aware that when performing his functions in his position, he will need to collect personal data of people, as well as process, store and amend it as necessary.

Further, the author undertakes a number of obligations. In particular, he will be required to keep confidential all confidential information that he learns. In addition, if necessary, he will be required to notify the head of the company about a situation where the procedure for conducting procedures with personal information is violated. He is also required to inform him of any attempts to obtain unauthorized access to information that he becomes aware of in the future.

The document ends with the date of its preparation and signature.

Non-disclosure obligation

All employees involved in working with private information draw up and sign a non-disclosure agreement according to the sample provided to them by the HR department. A sample non-disclosure agreement can be found on relevant websites.

As a rule, it indicates:

  1. Full name, employee position;
  2. a written obligation not to transfer information about employees to third parties, to take the necessary measures to protect personal data, to notify management of cases of unauthorized access to confidential information, etc.;
  3. liability for violation of the agreement;
  4. the employee’s signature confirming the training received on the procedure for working with information relating to the employee’s identity.

Note: after termination of the right to access private information, employees who signed the agreement do not have the right to transfer the received information to third parties for one year.

Results

So, an employee of an organization who, in the course of his activities, processes the PD of other employees must be notified of the need to maintain the confidentiality of the information he receives.
Moreover, he must give a written undertaking of non-disclosure of personal data - this document will confirm that the employee knew about the responsibility that he would bear in case of violation of the law.

Person writing the receipt

A receipt for non-disclosure of certain information and materials is drawn up on behalf of an employee of the organization who is given access to a trade secret, but usually the text of the receipt is developed by:

  • legal service of the company;
  • immediate supervisor.

This document has legal significance, since, if necessary, it can be presented to the judicial authorities, therefore, specialists involved in drawing up a non-disclosure receipt must have a certain level of knowledge that allows them to correctly draw up the receipt in accordance with the requirements of civil, administrative and labor legislation.

A certain category of employees of organizations and enterprises that are allowed to use confidential materials are required to issue a receipt for non-distribution of trade secrets after familiarizing themselves with the full list of information related to the protected information in this company. Such employees usually include positions of financial specialists, employees of technical, personnel services, and security departments.

The receipt is issued to the employee at the time of his employment, and sometimes directly during the work process, for example, in the case of transfer to another position that provides access to protected information.

An employee's access to information constituting confidential information is carried out only after signing a non-disclosure agreement.

Sample non-disclosure agreement

Types of information that should not be distributed

There are various types of information that require special protection by signing a receipt for their non-distribution and contain materials in the form:

  • confidential information (data containing information about events related to the economic side of the enterprise’s activities);
  • trade secret (information contained in the financial documents of enterprises, including payment documentation, intellectual developments and other materials, the distribution of which could cause material damage to the enterprise);
  • official secrets (materials available to civil servants due to the performance of their official duties, for example, military secrets, information about adoption, data obtained during legal proceedings and investigations, etc.);
  • professional secrets (information available to employees of certain categories due to the performance of their official duties, for example, personnel employees in relation to data on company personnel, pawn shop employees in relation to doctors, bank employees).

According to Russian legislation, all types of information that are not subject to dissemination are called trade secrets, which is a special system for preserving certain information in order to prevent unnecessary expenses or save (increase) existing income.

The objects of trade secrets are certain materials about the activities of the organization (data about various new, innovative ideas of the company, developments, know-how, strategic development plans, data about the financial performance of the organization, information contained in contracts and agreements).

Dissemination of protected information means any actions carried out in the following forms:

  • provision to other persons;
  • posting in various media sources for public access;
  • use of data in your own interests or the interests of a third party;
  • publication of confidential materials in the form of analytical articles published on the basis of confidential data.

To establish a trade secret regime enshrined at the legislative level, the owner of the information must take the following measures:

  • establish a list of materials related to confidential information;
  • determine the procedure for using protected information;
  • exercise control over compliance with the established information security procedure, including registration of persons with access to confidential materials, as well as storage of confidential documentation in closed premises and safes;
  • streamline relations in which confidential information is used by concluding an appropriate document on non-distribution of information;
  • put on existing material media containing special materials a mark indicating their relation to the objects of a trade secret.

The introduction of a system for protecting certain information at an enterprise is accompanied, as a rule, by the publication of an internal local regulatory act in the form of regulations or rules that establish a list of materials subject to restricted access, determine the circle of officials who have the right to work with this information, and set measures of liability for violations in the use of materials related to trade secrets.

What functions does a local normative act - Regulations - perform?

According to the “Regulations on Employee Personal Data,” each employer is obliged to regulate operations with employees’ personal data, taking into account the norms prescribed in Article 87 of the Labor Code of the Russian Federation, as well as paragraph 2 of Art. 18.1 No. 152-FZ.


The employer requests information to carry out the following functions:

  • identifying suitability for the position held;
  • the possibility of providing various compensations and benefits;
  • registration of tax deductions;
  • filling out the employee’s personal card according to the unified T-2 form.

All information must be provided exclusively by the first person, that is, the employee himself.


Mandatory requirements for drawing up a non-disclosure agreement

At the legislative level, a standard, unified sample of a non-disclosure receipt has not been established, therefore it is allowed to be issued in any form in compliance with the following necessary details:

  • Company name;
  • date, place of drawing up the receipt;
  • document's name;
  • personal data of the employee indicating the full name, details (number, date) of the employment contract;
  • employee non-disclosure obligations;
  • the period during which information is not subject to disclosure, including after the employee’s dismissal.

The receipt has no restrictions on the volume of text, however, following the recommendations of legal specialists, it must be carefully developed, since in the event of a violation of the employee’s obligation, the receipt of non-disclosure of information can serve as indisputable evidence when presented in court.

Therefore, it is recommended to provide in the text of the receipt the obligation of the employee, in the event of termination of the employment contract, to transfer the confidential information he has in the form of paper or electronic media to the responsible person, as well as to provide for liability in accordance with established legislation in case of violation of the obligations assumed.

It is allowed to issue a receipt directly by the employee, by hand or in printed form, using a regular sheet of A4 paper or the organization’s letterhead. At the same time, a mandatory requirement for this type of documentation is the presence of an original signature of the employee with a transcript of his position and surname.

The receipt is drawn up in a single copy and is included in the documents stored in the personal file of the company employee. The validity period of the receipt is, as a rule, the duration of the employee’s work in a particular company, with the addition of several years from the date of termination of the employment contract (dismissal), determined on an individual basis.

In addition, among the common documents drawn up in order to protect confidential information is a bilateral agreement signed by the employer and employee, containing the same details and data as a unilateral non-disclosure agreement, as well as the inclusion of conditions for the preservation of materials, related to trade secrets, in the text of the employment contract with the employee.

Example of a non-disclosure agreement

Is it necessary to have it in writing if the employee refuses?

The employer, by virtue of Art. 88 of the Labor Code of the Russian Federation is obliged to warn persons who receive the employee’s personal data that this data can only be used for the purposes for which they were communicated. He has the right to demand from such persons confirmation that this rule has been observed.

By virtue of the same Art. 88 of the Labor Code of the Russian Federation, persons receiving personal data of an employee are required to observe a regime of secrecy (confidentiality). Therefore, if you refuse to sign the obligation, the ban still applies. Is it possible to fire such an employee? Refusal to sign any local act is not among the grounds for terminating an employment contract. Therefore, in this case there are only general grounds for dismissal.

Even if the obligation of non-disclosure of personal data is not signed, the employer has the right to dismiss the employee for disclosing the personal data of another employee (subclause “c” of clause 6 of Art. 81 of the Labor Code of the Russian Federation).

What internal document establishes responsibility for non-disclosure of personal data?

All employers must develop and approve a Regulation on Employee Personal Data. The document is drawn up taking into account the provisions of the Labor Code of the Russian Federation and other federal laws, but the employer has the right to determine the work procedure and other procedural issues independently. Each new employee applying for a job signs on the sheet of familiarization with the Regulations.

Regulations on working with personal data of employees

The structure of the Regulations on working with personal data of employees includes sections:

  • general provisions;
  • obtaining and systematizing data;
  • storage of personal information;
  • use and processing;
  • transfer;
  • confidentiality guarantees.

Adjust the structure of the document taking into account the specifics of working with information in the organization, adapt the norms of the Regulations to the operating conditions of a particular enterprise.

As an appendix, develop document forms accompanying the process of collecting, using and storing information, including a sample non-disclosure agreement. Have the Regulations on Personal Data approved by the head of the enterprise.

Questions and answers from the HR System expert

How to organize the processing of employees’ personal data?

Narrated by N. Kovyazina, Deputy Director of the Department of Medical Education and Personnel Policy in Healthcare of the Russian Ministry of Health.

First, determine what personal data you are going to process and for what purposes. Then find out whether the employee's consent is required for data processing. Obtain consent if required. Ask the employee for the necessary information and documents. In this recommendation, we will tell you how to correctly receive, store and transmit personal data of employees...
