Policy regarding the processing of personal data in the Federal State Budgetary Institution "FTSSSH" of the Ministry of Health of Russia (Astrakhan)


1. This Policy on the processing of personal data establishes procedures aimed at identifying and preventing violations of the legislation of the Russian Federation in the field of personal data, as well as determining for each purpose of processing personal data the content of the processed personal data, the categories of subjects whose personal data are being processed, the terms of their processing and storage, the procedure for destruction upon achievement of the purposes of processing or upon the occurrence of other legal grounds (hereinafter referred to as the Policy).

The processing of personal data in the Federal State Budgetary Institution “FTSSSH” of the Ministry of Health of Russia (Astrakhan) (hereinafter referred to as the Center) is carried out using automation tools or without using such tools, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data of subjects whose personal data are processed in the Center.

2. The Center, in accordance with Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”, is the operator processing personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, the actions (operations) performed with personal data (hereinafter referred to as the Personal Data Operator).

3. The Policy was developed in accordance with Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” (hereinafter referred to as the Federal Law) and Chapter 14 of the Labor Code of the Russian Federation.

4. Subjects of personal data are employees of the Center, citizens of the Russian Federation, foreign citizens and stateless persons, information about whom is contained in the information systems of the Center.

5. The objectives of the Policy are:

- ensuring the protection of rights and freedoms in the processing of personal data of employees of the Center, personal data of citizens contained in the information systems of the Center;

- establishing the responsibility of the Center's employees for failure to comply with regulatory legal acts governing the processing and protection of personal data.

6. Procedures aimed at identifying and preventing violations of the legislation of the Russian Federation in the field of personal data:

a) exercising internal control over the compliance of the processing of personal data with the Federal Law and the regulatory legal acts adopted in accordance with it, with the requirements for the protection of personal data;

b) an assessment of the harm that may be caused to personal data subjects in the event of a violation of the Federal Law, the ratio of the said harm and the measures taken by the Center aimed at ensuring the fulfillment of the obligations of the personal data operator provided for by the Federal Law;

c) familiarizing the employees of the Center directly involved in the processing of personal data with the provisions of the legislation of the Russian Federation on personal data and with the requirements for the protection of personal data.

7. In case of detection of illegal processing of personal data carried out by the Operator of personal data, the Operator of personal data, within a period not exceeding 3 working days from the date of detection of illegal processing of personal data, is obliged to stop the illegal processing of personal data or ensure the termination of the illegal processing of personal data.

If it is impossible to ensure the legality of the processing of personal data, the Personal Data Operator, within a period not exceeding 10 working days from the date of detection of illegal processing of personal data, is obliged to destroy such personal data or ensure their destruction. The operator of personal data is obliged to notify the subject of personal data or his representative about the elimination of illegal processing of personal data or the destruction of personal data.

8. If the goal of processing personal data is achieved, the Personal Data Operator is obliged to stop processing personal data and destroy personal data within a period not exceeding 30 working days from the date of achieving the goal of processing personal data.

9. In the event that the subject of personal data withdraws consent to the processing of his personal data, the Personal Data Operator is obliged to stop processing personal data and, if the storage of personal data is no longer required for the purposes of processing personal data, destroy personal data within a period not exceeding thirty days from the date of receipt of this withdrawal, unless otherwise provided by the contract. The Personal Data Operator is obliged to notify the subject of personal data about the destruction of personal data within thirty days.

10. If it is not possible to destroy personal data within the periods specified in paragraphs 7-9 of the Policy, the Personal Data Operator blocks such personal data and ensures the destruction of personal data within 6 months, unless another period is established by the current legislation of the Russian Federation.

11. The storage of personal data must be carried out in a form that allows determining the subject of personal data, no longer than the purpose of storing personal data requires, if the period for storing personal data is not established by the Federal Law.

The processed personal data is subject to destruction or depersonalization upon reaching the goals of processing personal data or in case of loss of the need to achieve these goals, unless otherwise provided by the Federal Law.

12. The processing of personal data in the information systems of the Center is carried out in accordance with the Decree of the Government of the Russian Federation dated 01.11.2012 No. 1119 "On approval of requirements for the protection of personal data during their processing in personal data information systems."

13. Ensuring the security of personal data in personal data information systems is achieved by:

a) determining threats to the security of personal data during their processing in personal data information systems;

b) application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems;

c) the use of information security tools that have passed the conformity assessment procedure in accordance with the established procedure;

d) assessing the effectiveness of the measures taken to ensure the security of personal data prior to the commissioning of personal data information systems;

e) accounting for machine-readable media containing personal data;

f) detecting facts of unauthorized access to personal data and taking measures to stop unauthorized access;

g) recovery of personal data modified or destroyed due to unauthorized access to them;

h) establishing access rules (password, login, etc.) to personal data processed in personal data information systems, as well as ensuring registration and accounting of all actions performed with personal data in personal data information systems.

14. Employees of the Center having access to information systems of personal data are obliged to:

a) take measures to prevent unauthorized access to the software and hardware used;

b) keep records of electronic media containing personal data and store them in metal cabinets or safes;

c) record personal data (separate files, databases) on electronic media only in cases regulated by the procedure for working with personal data;

d) comply with the established procedure and rules for access to information systems, prevent the transfer of personal codes and passwords to personal data information systems;

e) take all necessary measures to secure the codes and passwords for access to personal data information systems;

f) work with personal data information systems within the scope of their powers and not exceed those powers;

g) have the skills to work with anti-virus programs to the extent necessary to fulfill functional duties and information security requirements.

15. When employees of the Center work in personal data information systems, it is prohibited to:

a) record the values of codes and passwords for access to personal data information systems;

b) transfer codes and passwords for access to personal data information systems to other persons;

c) use other users' codes and passwords for access to personal data information systems in their work;

d) select other users' codes and passwords for access to personal data information systems;

e) record third-party programs and data on electronic media with personal data;

f) copy information with personal data to unaccounted for electronic media;

g) take out electronic media with personal data outside the territory of the Center;

h) leave the workplace with the personal computer turned on without using hardware or software to block access to the personal computer;

i) bring, independently install and operate on a personal computer any software products that are not accepted for operation;

j) open, disassemble, repair personal computers, make changes to the design, connect non-standard blocks and devices;

k) transfer information containing personal data subject to protection through open communication channels (fax, e-mail, etc.), as well as use information containing personal data subject to protection in open correspondence and when negotiating by phone.

16. Collection, systematization, accumulation, storage, updating, modification, transfer, destruction of documents (hereinafter referred to as Document Processing) of employees of the Center containing personal data on paper, is carried out by employees of the Center in accordance with Chapter 14 of the Labor Code of the Russian Federation.

17. All personal data must be obtained directly from the employees of the Center.

18. Documents containing personal data are destroyed by shredding in a paper cutting machine.

19. When changing the employee responsible for recording paper documents containing personal data, an act of acceptance and delivery of these materials is drawn up, which is approved by the head of the relevant structural unit of the Center.

20. When working with paper documents containing personal data, employees of the Center authorized to process personal data are required to:

a) get acquainted only with those documents containing personal data to which access was obtained in accordance with the business need;

b) keep confidential the information that has become known to them containing personal data subject to protection, and inform the immediate supervisor of the facts of violation of the procedure for working with personal data and of attempts of unauthorized access to them;

c) provide written explanations to their immediate supervisors about committed violations of the established procedure for work, accounting and storage of documents containing personal data, as well as about the facts of disclosure of information containing personal data subject to protection.

21. Employees guilty of disclosure or loss of information containing personal data are liable in accordance with the legislation of the Russian Federation.

22. Control over the fulfillment by the employees of the Center of the requirements of the Policy is assigned to the heads of the structural divisions of the Center and to the person appointed by order as responsible for organizing the processing of personal data.

 

 

 

 
