What are the optimal periods for storing and processing personal data? How long does the subject's consent last?

Published: 03/09/2020

  • 1 Procedure for storing personal data of employees
  • 2 Rules for storing personal data
  • 3 Who has the right to process and use personal data
  • 4 Physical storage of personal data
  • 5 Storage of personal data in electronic form
  • 6 Retention period
  • 7 Data protection regulations

Procedure for storing personal data of employees

A special regulatory provision, which defines the rules by which the employer handles employees' personal information, requires compliance with the following:

  • the specific form in which employees’ personal data is stored must meet all requirements and fully identify the subject of the personal information;
  • the period for storing information should not exceed the time that will be sufficient to achieve the purposes for which processing is required;
  • data must be destroyed immediately after achieving all the purposes for which the information was processed;
  • information should be deleted if there is no need for further processing and use of the data.

The processing, transmission and protection of personal information of employees is entrusted to the responsible operator, who must comply with all rules and special legal provisions. If for some reason an official cannot independently perform his direct duties, then he must entrust the processing and protection of information data to another employee on the basis of an officially concluded agreement.

The most important condition of this document is the indication of a special obligation, in accordance with which the processing, transfer and protection of personal information is ensured while maintaining confidentiality and complete security.

The official is obliged to comply with a special provision that regulates the processing, storage and protection of personal information and personal files of employees. The rules and operating procedures must be followed by the employers. These persons must ensure the following functions:

  • compilation and storage of primary documentation, which is published in a unified form;
  • safety of papers in which personnel records are kept;
  • storage of documentation that takes into account the specifics of working time distribution;
  • safety of the package of documents in which the calculation of wages for working personnel is carried out.

The procedure and period for storing personal information of civil servants is determined by labor legislation, as well as special departmental regulations.

What to choose: storage time or termination conditions?

The law allows you to choose either a specific period for storing data or to limit processing until a certain condition occurs. In either case, the operator is obligated to limit the processing of data in time.

Lawyers advise using a specific processing termination period only if the information is needed by the operator for a limited purpose.

For example, on the website of an online store a survey is conducted in which the data subject is asked to indicate his area of residence, purchases over the last year, age, full name, and so on. The store plans to use the information for a statistical analysis of its success over the past year. After the analysis is completed, the information will no longer be needed and will be destroyed.

When drawing up such an agreement, it is taken into account that the analysis will take six months. After this, the online store stops processing the data, having fulfilled the purpose for which it was collected. For similar use cases, there is another option - to set a condition for completing processing, for example, indicating that after analytical work the information will stop being processed.

The combined option “condition + date” is used quite often. Take a law firm that plans to store information about clients for two years from the date of the last contact. There are two criteria here: two years (a specific period) and a certain condition (no further contact with the law firm).

Medical institutions in our country, as a rule, do not limit themselves to clear deadlines, since the law obliges them to store information related to the healthcare sector for quite a long time. The law allows operators to choose exactly how to set the period - by defining the time period of processing or the event the occurrence of which will mean the cessation of processing confidential information.
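Added example (not from the article): a small Python evaluator for the three ways of time-limiting processing described above, using the six-month survey analysis and the two-years-from-last-contact law-firm case as constructed sample data. The policy kinds, record fields and dates are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional

# Constructed example (not from the article): an evaluator for the three ways
# of time-limiting processing: a fixed period, a terminating condition, or the
# combined "condition + date".


@dataclass(frozen=True)
class RetentionPolicy:
    kind: str                           # "period", "condition" or "both"
    period: Optional[timedelta] = None  # needed for "period" and "both"
    event: Optional[str] = None         # terminating event, for "condition" and "both"

    def __post_init__(self) -> None:
        # The operator must limit processing in time, so a policy must name
        # a period, a terminating event, or both; anything else is rejected.
        if self.kind not in ("period", "condition", "both"):
            raise ValueError(f"unknown policy kind {self.kind!r}")
        if self.kind in ("period", "both") and self.period is None:
            raise ValueError(f"{self.kind} policy needs a period")
        if self.kind in ("condition", "both") and self.event is None:
            raise ValueError(f"{self.kind} policy needs a terminating event")


@dataclass(frozen=True)
class Record:
    subject: str
    collected_on: date
    event_on: Optional[date] = None  # last occurrence of the event, None if never


def must_destroy(policy: RetentionPolicy, rec: Record, today: date) -> bool:
    """True when processing must stop and the record must be destroyed."""
    if policy.kind == "period":
        # Fixed period counted from collection (the six-month survey analysis).
        return today >= rec.collected_on + policy.period
    if policy.kind == "condition":
        # Processing ends as soon as the event has occurred (analysis finished).
        return rec.event_on is not None
    # "both": the period is counted from the last occurrence of the event, so a
    # new occurrence (e.g. a fresh client contact) restarts the clock. With no
    # occurrence at all, the clock runs from collection.
    anchor = rec.event_on if rec.event_on is not None else rec.collected_on
    return today >= anchor + policy.period


def sweep(policy: RetentionPolicy, records: Iterable[Record], today: date) -> List[str]:
    """Subject ids whose data must be destroyed as of `today`."""
    return [r.subject for r in records if must_destroy(policy, r, today)]


# Constructed sample policies and records, mirroring the article's cases.
SURVEY = RetentionPolicy("period", period=timedelta(days=183))                          # ~six months
ANALYSIS_DONE = RetentionPolicy("condition", event="analysis_completed")
LAW_FIRM = RetentionPolicy("both", period=timedelta(days=730), event="client_contact")  # ~two years

TODAY = date(2020, 9, 3)
RESPONDENTS = [
    Record("resp-1", date(2020, 1, 1)),   # 183 days passed on 2020-07-02: destroy
    Record("resp-2", date(2020, 6, 1)),   # period runs until 2020-12-01: keep
]
SURVEY_RUNS = [
    Record("run-2019", date(2019, 1, 1), date(2019, 7, 1)),  # analysis finished: destroy
    Record("run-2020", date(2020, 1, 1)),                     # still being analysed: keep
]
CLIENTS = [
    Record("client-A", date(2018, 1, 10)),                    # no contact since collection: destroy
    Record("client-B", date(2017, 5, 1), date(2019, 6, 15)),  # contacted 2019-06-15: keep until 2021-06-14
]

if __name__ == "__main__":
    print("survey:", sweep(SURVEY, RESPONDENTS, TODAY))        # ['resp-1']
    print("analysis:", sweep(ANALYSIS_DONE, SURVEY_RUNS, TODAY))  # ['run-2019']
    print("law firm:", sweep(LAW_FIRM, CLIENTS, TODAY))        # ['client-A']
```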

Rules for storing personal data

The Labor Code of the Russian Federation obliges each employer to develop rules for the use and storage of personnel data at its enterprise, taking into account the requirements of federal laws.

The adopted relevant rules and regulations may be contained in the company’s local act on personal data. Most often, such a document becomes the Regulation on the Protection of Personal Data of Employees, but it is not prohibited to include this section in the Internal Regulations.

Each employee must be familiarized with this regulatory act, since the Labor Code of the Russian Federation directly indicates the rights of employees to participate in the development of measures to ensure the security of personal data.

To maintain the confidentiality of personal data, a list of officials with access to it is compiled and a document form is developed, for example a “Non-Disclosure Agreement”, which is signed not only by ordinary executive employees (HR specialists, accountants, etc.) but also by heads of departments and the general director of the enterprise.

Responsibility of the organization

The specialist responsible for receiving, processing and storing personal information is appointed by the director of the institution, who also determines which persons have access to the information. The appointment is formalized by an order. Typically the following are responsible for processing information:

  1. Heads of HR department.
  2. Personnel inspectors.
  3. HR managers.
  4. Deputy HR managers.
  5. HR specialists.

Under Federal Law No. 152, the party that collects and processes personal data is the operator; in this case that is the head of the organization. The purposes of processing personal data in an educational institution are the same as in other organizations.

Who has the right to process and use personal data

Officials who are involved in the processing and storage of personal information of employees must comply with a special provision. Such documents and rules are drawn up by the employer, and are most often published in the form of job descriptions, collective and individual employment contracts, etc.

The storage and use of personal information of employees is the responsibility of officials who are appointed directly by the employer. The responsibilities of these citizens include compliance with all standards for the processing and disposal of personal data of subordinates. Legislative acts regulate the period, rules, as well as the list of persons in management positions who must work with personal information of employees:

  • chief specialist in charge of data protection;
  • Deputy Director, whose responsibilities include personnel administration;
  • HR manager;
  • heads of HR departments.

In enterprises and companies, the processing and storage of personal information is also entrusted to ordinary employees, for example accountants, information security engineers, management and training staff, records clerks, data protection specialists, etc.

Ordinary executive officials are also faced with the use and protection of information in the performance of their duties, for example, secretaries, assistants, inspectors, etc., who receive applications and various documents.

Principles

It is important to know not only the purposes for collecting and processing personal data, but also the principles. They are set out in Article 5, Chapter 2 of Federal Law No. 152:

  1. It is important to respect the legality and integrity of the purposes and methods of processing.
  2. Compliance with the purposes stated at the time of collection.
  3. Correspondence of the volume and nature of the information processed and methods to the goals.
  4. Reliability of information.
  5. It is inadmissible to combine databases for incompatible purposes.
  6. Storage in a form that allows the data subject to be identified, and for no longer than required by the purposes. Then they are destroyed.

The purposes of processing the employee’s personal data are achieved under the conditions specified in Article 6, Chapter 2:

  1. Processing is carried out with the consent of the subjects.
  2. If processing is contractually entrusted to another person, that person must maintain confidentiality.
  3. Processing of special information in a special manner.

There are a few exceptions where subject permission is not required. This happens when:

  1. The procedure is carried out on the basis of the Federal Law, which establishes its purpose, conditions, and the range of subjects whose information is subject to processing.
  2. Everything is done to fulfill the contract.
  3. Requires fulfillment of statistical and other scientific purposes.
  4. It is necessary to protect life, health, and vital interests if it is impossible to obtain permission.
  5. Postal delivery is in progress.
  6. The professional activity of a journalist is carried out.
  7. Information subject to publication on the basis of the law is processed.

Physical storage of personal data

Many HR specialists manage employees' personal files in the traditional way and do not want to give it up.

The peculiarities of this are that all information about each employee, presented in originals and copies of documents, is accumulated in a specially designed folder. However, there are no uniform rules for registering personal files in commercial organizations.

Advantages of keeping personal files:

  • all employee data is in one place;
  • the possibility of clear systematization;
  • quick search for information about a specific person.

Disadvantages of storing personal information with compiling personal files:

  • high labor intensity (requires regulations, filing of documents, inventory, reconciliation, archiving);
  • additional resources are required (safes, separate rooms, etc.);
  • skills in keeping personal files are required.

Often, personal information about employees is stored on paper, located in different thematic folders in accordance with the organization’s nomenclature.

Documents relating to employees are grouped by type: employment contracts, biographical documents, liability agreements, etc. are placed in separate folders and arranged alphabetically or by registration number.

Compared to registering personal files, this method of storing employee data requires less labor and does not require special skills from the personnel officer.

However, separate storage also has its disadvantages:

  • searching for information about an employee takes a lot of time;
  • there is a higher risk of disclosure of confidential information.

What do the departments think?

The presence of various laws and regulations affects the perception of the topic by inspectors of various departments. For example:

  • Experts from Roskomnadzor insist that organizations should not store documents related to marriage and children, despite arguments that this data is often needed to calculate deductions and benefits;
  • Tax inspectors note that, if necessary, they can check all the documents that are the basis for calculations on their own, even if this concerns dismissed employees, and providing a copy of the documents is not legally significant;
  • At the Federal Social Insurance Fund, experts note that documents about employees, including dismissed ones, are needed during a desk audit; otherwise the auditor cannot check the validity of, for example, benefit payments to an employee.

Storing personal data in electronic form

With this storage method, almost all personal information is stored electronically using a personal data base and information systems.

Advantages of storing information on electronic media:

  • no additional resources are needed;
  • saves space;
  • high speed and ease of working with personal data;
  • increased degree of protection against unauthorized access;
  • the storage period is not limited;
  • no need for a large archive.

Disadvantages of storing information electronically:

  • backup copies of the personnel database must be kept;
  • software and special equipment are not cheap;
  • information system administration is required;
  • a high level of literacy is required of employees working with personal data.

In order to protect personal data stored electronically, the following methods are used:

  • introduction of a permitting system for personnel access to confidential information;
  • restricting employee access to premises where technical equipment used for processing personal data is located;
  • clear organization of storage and accounting of information media and others.

Each of the considered methods of storing personal data of employees in an enterprise has its own disadvantages and advantages. Often in practice they are combined: both personal files and electronic personnel databases are maintained.

In any case, the employer must have the consent of employees to process their personal information.

It is also necessary to take into account the material capabilities to ensure the protection and safety of documents, labor costs and qualifications of personnel service personnel.

Processing methods

Personal information is processed in 2 ways:

  1. Automated.
  2. Not automated.

The second option involves processing with direct human participation. When it is done without automation tools, the personal data must be kept separate from other information, for example by marking it in the margins of forms. It is prohibited to place personal information on a single medium if the purposes of processing are known to be incompatible.

If personal information of citizens is classified into different categories, then it is necessary to use an individual medium for each type. Which systems can be classified as automated and which are not? This is revealed by the following facts:

  1. Personal information contained in a personal data information system may be treated as processed without automation if it is used with the direct participation of a person.
  2. The mere fact that data is located in a personal data information system does not mean that it is processed automatically.

Automated processing is performed using computing tools. Processing refers to all actions that are performed on the provided data. This process includes collection, recording, use, destruction.

Retention period

A special provision on the preservation and protection of personal information regulates the period during which personal data may be used and stored. Accordingly, work books and duplicates that employees did not collect, or that remained after an employee’s death, are kept by the enterprise until claimed. If such documents remain unclaimed, they are placed in the company archive for at least fifty years.

The regulation that defines the specifics of individual accounting in the pension insurance system sets the period for which employees of the state pension fund store citizens’ personal data. The retention period for such documents is at least six years. These documents must meet the following requirements:

  • contain any information about the individual account of a person who is insured by the social insurance program;
  • be drawn up in the prescribed written form and certified by the corresponding signatures of citizens;
  • be presented in electronic form, since the legal force of such documents must be confirmed by an electronic digital signature, subject to compliance with the legal signing procedure;
  • contain data on all insurance contributions of individuals and the insurance experience of citizens;
  • be provided by employers to state pension insurance institutions for the purpose of individual registration of citizens in the general compulsory insurance system for the provision of social pensions.

Other documents that contain information about pension insurance are stored in the archives of pension institutions for at least three years. Relevant documents must be destroyed when their retention period expires.

Reports of investigations into occupational diseases must be stored for at least 75 years by the government agency for sanitary and epidemiological surveillance that investigated the specific incident. Employers must retain the following documents, with copies and investigation materials, for 45 years:

  • reports of accidents at work;
  • acts on accidents that concern a group of persons;
  • serious accident investigation documents;
  • papers on fatal accidents, etc.

Personal data processing operator

According to Law No. 152-FZ, the person (legal entity or individual) who organizes and (or) carries out the processing of personal data, determines its composition, the purposes of processing and the actions performed with personal data is called an operator (Clause 2 of Article 3 of Law No. 152-FZ). In our case, this is the employer.

Processing of personal data

Processing of personal data is any action performed with it. Personal data processing operations include:

  • collection;
  • recording;
  • systematization;
  • accumulation;
  • storage;
  • clarification (update, change);
  • extraction;
  • use;
  • transmission (distribution, provision, access);
  • depersonalization;
  • blocking;
  • deletion;
  • destruction of personal data.

Data protection regulations

When developing local regulations that relate to the protection of personal information of employees, the legislative provisions are taken into account, as well as the specifics of the enterprise. The relevant regulations regulate the following provisions:

  • a list of personal information of employees that the employer needs to perform all job duties;
  • list of persons who have the right to receive personal data;
  • rules for storing, processing, transferring, protecting and providing personal information;
  • an official who has the right to store personal data of employees, as well as exercise control over the process of storing information.

In addition to the responsibilities of the employer, the regulations include a list of rights and responsibilities of employees, which relate to the need to provide reliable information, as well as ensure secure storage of data and compliance with confidentiality.

Responsibility

If employees violate the procedure for collecting, processing and issuing information, they bear disciplinary and criminal liability under the law. Article 5 of the Federal Law states that personal information collected for processing, whether by automated or other means, must be kept in a form that allows the data subject to be identified.

Storage in a form that identifies the subject may not last longer than the processing requires. Once processing is completed, however, the personal data cannot be destroyed for some time: personal data of employees is stored at the institution for 75 years. Every enterprise must therefore comply with the rules for storing and processing information.

Familiarization of employees with the Regulations

Employees must be familiar with the Regulations against signature (clause 8 of Article 86 of the Labor Code of the Russian Federation). This fact can be recorded:

  • in the text of the employment contract of each employee (a list of the local regulations with which the employee was familiarized before signing the contract);
  • in a sheet of familiarization with the Regulations (sample on p. 91);
  • in a logbook of familiarization of employees with local regulations (sample on p. 91).

Sample sheet for familiarization with local regulations

No. | Name of local regulatory act                                                                  | Date       | Signature
1   | Internal labor regulations of Cherny Les LLC                                                  | 03.10.2011 | Evstakhov
2   | Regulations on remuneration, bonuses and social security for employees of Black Forest LLC    | 03.10.2011 | Evstakhov
3   | Information security instructions approved by Order No. 1 of June 15, 2008                    | 03.10.2011 | Evstakhov
4   | Statement on personal data                                                                    | 03.10.2011 | Evstakhov
5   | Regulations on the financial liability of employees for damage caused to Black Forest LLC     | 03.10.2011 | Evstakhov

[Figure: fragment of the log of familiarization with the Statement on Personal Data]

Note. Personal data retention period

Local regulations (regulations, instructions) on personal data must be stored permanently. Employee statements of consent to data processing (to be discussed in future issues) and other employee documents are stored for 75 years. This is established in the List approved by Order of the Ministry of Culture of Russia dated August 25, 2010 No. 558.

Examples of targeted use of personal information

In various spheres of the economy and public life, the personal data of citizens is vital.

In a medical facility

It is important to know details about a person’s health throughout his life. In this case, the owner of the personal information is the patient. The operator who uses the data is the clinic or other medical institution. It is required to obtain permission from Roskomnadzor for processing. If a clinic transfers data, for example to a specialized hospital, it must obtain the written consent of the citizen.

For the bank

When granting a loan, it is vital to make a reasonable judgment as to whether the applicant will be able to repay the borrowed money or lacks suitable financial resources. This requires details about income, employment, family composition and some others. The owner of the information is the client; the bank is the operator that carries out the processing. The client has the right to revoke permission to use information about him. The purpose of working with the information is to ensure compliance with the requirements of the banking legislation of the Russian Federation.

It is impossible to do without providing this or similar information. But it is important that its use does not violate the requirements of current regulations.

Violations related to misuse of personal data

Starting from July 1, 2020, the Code of Administrative Offenses has been amended to define liability for violation of Law No. 152-FZ. If the established rules are violated, the law provides appropriate punishments.

If information is collected without a legal basis or processing is carried out for illegal purposes, a fine is imposed. For individuals the amount will be from 1 to 3 thousand rubles, officials will pay from 5 to 10 thousand rubles, and enterprises from 30 to 50 thousand rubles.

If information has been disclosed, the fine is assessed for each individual case. For the employee through whose fault the violation occurred, it can range from 500 to 1,000 rubles. If the organization is responsible for what happened, the amount is higher: it can now range from 5 to 10 thousand rubles.

The regulatory act in question states that compliance with the provisions of Law 152-FZ is monitored by Roskomnadzor. Before processing begins, the operator must send a notification to Roskomnadzor under Article 22 of the Personal Data Law. Roskomnadzor, in turn, carries out the appropriate checks and, if violations are detected, issues orders to eliminate the deficiencies. If the order is not carried out, a fine is imposed on the offender, which can amount to 20 thousand rubles.
