Federal Law #152-FZ "On Personal Data" dated 27.07.2006 entered into force in January 2007, that is, 180 days after its publication. Its latest amendments were introduced by Federal Law #242-FZ dated 21.07.2014. According to that law, the amendment will take effect on 01.09.2016. However, a further amendment is now under consideration that would move the deadline to 01.01.2015.
Apart from the main law #152-FZ, three government decrees were also adopted (#1119 on automated processing, #687 on non-automated processing, and #512 on biometric information storage media). Note should also be taken of FSTEC Order #21 on measures for protecting personal data. FSTEC has issued two currently relevant regulatory guidance documents (both FOUO, released in November 2009), and the FSB has issued two as well. Licensing of technical and encryption safeguards is governed by government decrees #79 dated 03.02.2012 and #957 dated 21.11.2011, respectively.
Notifications to Roscomnadzor about the processing of personal data must be completed in accordance with the Recommendations adopted by Roscomnadzor Order 706 dated 19.08.2011.
The rights of legal entities during government control and supervision are defined by Federal Law #294 of December 26, 2008. Note, however, that 242-FZ will exclude control functions related to personal data from the scope of that law (as of 01.09.2016).
The Law's main objective is to protect human rights. Thus the organizational, regulatory and technical measures taken by operators must be directed at protecting citizens' rights. Technical protection of personal data is only one aspect of the Law.
Personal data (PD) - any information related to, or used to identify, a natural person (the personal data subject). For example: surname, first name, patronymic; date, month, year and place of birth; address; family, social and property status; education; profession; income, and other information.
Operator - a state or municipal body, a legal entity or a natural person that, alone or together with other entities, arranges for and/or carries out the processing of personal data, and determines the purposes of processing, the content of the personal data, and the operations performed on it.
Personal data processing - any action (operation) or combination of actions performed on personal data, with or without the use of IT equipment, including collection, recording, organization, accumulation, storage, rectification (updating, alteration), retrieval, use, dissemination (including transmission, delegation and provision of access), depersonalization, blocking, deletion and destruction.
Automated personal data processing – processing of personal data using IT equipment.
ISPD (Information System for Personal Data) means the personal data residing in a database together with the information technologies and technical means that enable processing of that personal data.
Part 1 Article 18.1: The Operator must take the necessary and sufficient measures to fulfill the obligations imposed by this Law.
Part 5 Article 6: If the Operator delegates personal data processing to another party, the Operator remains liable to the personal data subject. The party actually processing the data on the Operator's behalf is liable to the Operator.
MICROS-Fidelio software products are not themselves an ISPD. They are one of the information technology components which, together with other components, tools and the data themselves, constitute an ISPD.
It is not the MICROS-Fidelio products that must be protected, but the personal data processed in the ISPD (of which the MICROS-Fidelio software is one part). Protective tools and measures must be chosen according to the protection level of the specific ISPD. The required protection level depends on the volume and type of data processed in the ISPD and on the threat types determined to be actual.
According to Government Decree 1119 dated 01.11.2012, for each specific ISPD the Operator determines which types of threats are actual (probably by creating a threat model, although the decree does not say so explicitly):
Type 1 - undocumented (undeclared) features in the system software;
Type 2 - undocumented (undeclared) features in the application software;
Type 3 - other threats, not related to types 1 and 2.
The category of personal data processed in the ISPD is also considered:
Public - only data obtained from sources declared "public" in accordance with Article 8 of 152-FZ
Biometric - data on the biological and physiological characteristics of the subject that allow the subject to be identified
Special - data on racial or ethnic origin, political opinions, religious or philosophical beliefs, health or sex life
Other - only data that do not fall into any of the above categories
…and whose data they are:
Only the operator's employees
Other subjects who are not the operator's employees
Based on these classifications, the required protection level is then determined for each ISPD (1 is the highest, 4 is the lowest).
The edition of the Federal Law dated 25.07.2011 introduced the term "levels of protection of PD", which are defined by the Government of the Russian Federation.
The required protection levels are defined in detail in Government Decree 1119 dated 01.11.2012.
Correctly determining the required protection level for a given ISPD is the operator's responsibility and liability. A typical hotel management system stores guests' personal data that fall into the "other" category and belong not only to the operator's employees. Provided these data contain fewer than 100,000 records, and threat types 1 and 2 are shown not to be actual, the system requires protection level 4; when the number of records exceeds 100,000, it requires level 3. Additional factors to consider include connections to public networks, cross-border transfer, etc.
The name of the field is not what matters; consider the information actually stored and processed in it. Most probably it holds not nationality (an ethnic classification) but citizenship (that is, which country issued the guest's passport). That field by itself therefore does not automatically place your ISPD in the highest protection class. To eliminate the ambiguity, you can rename the field. Please contact the HRS Client Services Center if technical advice is required.
Under Government Decree #1119 dated 01.11.2012 and clause 3 part 2 article 19 of 152-FZ (edition of 25.07.2011), the protection tools used in an ISPD must pass a conformity assessment procedure.
Technical tools for protecting confidential information must be certified by FSTEC. Encryption tools must be certified by the FSB.
MICROS-Fidelio products are neither technical protection tools nor encryption tools, and therefore require no certificate from either FSTEC or the FSB.
Under cl. 2 part 2 article 6 of Federal Law #152, the subject's consent is not required when the processing is necessary to perform a contract to which the subject is a party. A guest's stay at a hotel can be viewed as such a contract with the hotel. However, hotels retain guests' personal data for longer than the actual stay, and they also provide personal data to other institutions. Therefore the subject's written consent is required. We recommend adding an appropriate clause to the hotel guest registration card.
Please note that for cross-border transfer of PD to countries that do not provide adequate protection of the rights of personal data subjects, the subject's written consent (conforming to the requirements of the Law) is required.
Without such consent, PD may be transferred to countries that provide adequate protection of those rights. First of all, these are the parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108).
In addition, Roscomnadzor Order #274 dated 15.03.2013 approved the following list of countries: Australia, Argentina, Israel, Canada, Morocco, Malaysia, Mexico, Mongolia, New Zealand, Angola, Benin, Cabo Verde, Republic of Korea, Peru, Senegal, Tunisia, Chile, Hong Kong Special Administrative Region, Switzerland.
To other countries, personal data may be transferred only with the subject's written consent or in the few exceptional cases listed in 152-FZ.
Operators classify and protect the personal data that are actually stored and processed in their ISPD, that is, the data entered into the system by users and accessible via reports and other output documents. Auditors will therefore be interested first of all in the screen forms and output samples, and only these items need to be evaluated by the integrator.
The Operator verifies (itself or with the help of a contracted third party) that the requirements of Government Decree 1119 are met. This verification must be carried out at least once every 3 years.
If a third party is involved, it must hold an FSTEC license for providing technical protection of confidential information (and an FSB license if encryption tools are used).
First of all, audit all ISPDs that are in use.
Develop or refine the organizational and regulatory documentation (grounds for data processing, list of authorized users, rules for personal data storage and destruction, procedure for obtaining the subject's consent, etc.)
Submit the Notification of PD processing to Roscomnadzor
Determine the actual threat types for each ISPD
Determine the required protection level
Assess whether the existing safeguards meet the requirements
Design a project for implementing the data protection measures and roll it out
This question cannot be answered until the audit has been carried out, the threat types and protection level have been determined, and the protection requirements have been established. For qualified assistance in this matter, contact companies working in the field of information security.
HRS has done no research or studies on the ratings of companies working in information security. Every operator must make its own choice.
We recommend that you examine a potential partner's web site.
Verify that the company holds licenses for technical protection of confidential information and for the development and production of the corresponding safeguards.
If you anticipate using encryption safeguards, licenses will also be required for the development, production, distribution and maintenance of encryption tools and for providing services in the field of data encryption.
When meeting with a potential partner's representatives, ask them questions about your ISPD and request their current client list and references. Ask for a quotation. On receiving it, look beyond the total amount and check the ISPD details on which the quotation is based. Be advised that any quotation should state that the selection and cost of the proposed technical safeguards will be determined only on the basis of the initial ISPD audit. Precise recommendations given without such analysis indicate a lack of expertise on the company's part.
The much-discussed amendment introduced by 242-FZ actually reads:
When collecting personal data, including via the Internet, the operator must ensure that the recording, systematization, accumulation, storage, rectification (updating, alteration) and retrieval of personal data of Russian citizens is carried out using databases located on the territory of the Russian Federation.
a) The amendment does not forbid cross-border transfer of personal data, including to countries "without adequate data protection"; in the latter case, the individual's written consent is required.
b) Nor does it forbid Russian companies from delegating personal data (PD) processing to a third party (including a foreign company) under a delegation contract.
c) The amendment does not say "using only databases…". Thus, if at least one database server that performs the above-mentioned processing operations for Russian citizens is located in the Russian Federation, the requirement of the law is met, at least in its current version.
d) The amendment is not yet in force. In the current revision it takes effect on 01.09.2016, although another amendment now under consideration by the government would move the deadline to 01.01.2015.
Only specialized companies licensed by FSTEC to provide information protection services may carry out attestation tests. If encryption is used to protect the data, an FSB license is also required. Special accreditation with FSTEC and/or the FSB is required only for attesting organizations that handle state secrets.