Policy regarding the processing of personal data in the Federal State Budgetary Institution "FSSCC" of the Ministry of Health of the Russian Federation (Astrakhan)

 

1. This Personal Data Processing Policy establishes procedures aimed at identifying and preventing violations of the legislation of the Russian Federation in the field of personal data, as well as determining for each purpose of personal data processing the content of the personal data being processed, the categories of subjects whose personal data are being processed, the timing of their processing and storage, the procedure for destruction when the processing goals are achieved or upon the occurrence of other legal grounds (hereinafter referred to as the Policy).

Processing of personal data in the Federal State Budgetary Institution "FCSSH" of the Ministry of Health of the Russian Federation (Moscow Astrakhan) (hereinafter referred to as the Center) is performed using automation tools or without the use of such tools, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data of subjects, whose personal data is processed at the Center.

2. The Center, in accordance with Federal Law No. 152-FZ dated 07/27/2006 "On Personal Data", is an operator that processes personal data, as well as determines the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data (hereinafter referred to as the Personal Data Operator).

3. The Policy was developed in accordance with Federal Law No. 152-FZ dated 07/27/2006 "On Personal Data" (hereinafter referred to as the Federal Law), Chapter 14 of the Labor Code of the Russian Federation.

4. The subjects of personal data are employees of the Center, citizens of the Russian Federation, foreign citizens and stateless persons, information about whom is contained in the information systems of the Center.

5. The objectives of the Policy are:

- ensuring the protection of rights and freedoms in the processing of personal data of employees of the Center, personal data of citizens contained in the information systems of the Center;

- establishing the responsibility of the Center's employees for non-compliance with regulatory legal acts regulating the processing and protection of personal data.

6. Procedures aimed at identifying and preventing violations of the legislation of the Russian Federation in the field of personal data:

a) implementation of internal control over the compliance of personal data processing with the Federal Law and regulatory legal acts adopted in accordance with it, requirements for the protection of personal data;

b) an assessment of the harm that may be caused to personal data subjects in case of violation of the Federal Law, the ratio of the specified harm and the measures taken by the Center aimed at ensuring the fulfillment of the duties of the personal data operator provided for by Federal Law;

c) familiarization of the Center's employees directly engaged in the processing of personal data with the provisions of the legislation of the Russian Federation on personal data, with the requirements for the protection of personal data.

7. In case of detection of illegal processing of personal data carried out by the Personal data Operator, the personal data Operator, within a period not exceeding 3 working days from the date of detection of illegal processing of personal data, is obliged to stop the illegal processing of personal data or ensure the termination of illegal processing of personal data.

If it is impossible to ensure the legality of the processing of personal data, the Personal data Operator is obliged to destroy such personal data or ensure their destruction within a period not exceeding 10 working days from the date of detection of unlawful processing of personal data. The personal data Operator is obliged to notify the personal data subject or his representative about the elimination of unlawful processing of personal data or the destruction of personal data.

8. In case of achievement of the purpose of personal data processing, the personal data Operator is obliged to stop processing personal data and destroy personal data within a period not exceeding 30 working days from the date of achievement of the purpose of personal data processing.

9. If the personal data subject withdraws consent to the processing of his personal data, the personal data Operator is obliged to stop processing personal data and, if the storage of personal data is no longer required for the purposes of personal data processing, destroy personal data within a period not exceeding thirty days from the date of receipt of this withdrawal, unless otherwise provided by the contract. The personal data operator is obliged to notify the personal data subject about the destruction of personal data within thirty days.

10. If it is not possible to destroy personal data within the time limits specified in paragraphs 7-9 of the Policy, the Personal data Operator blocks such personal data and ensures the destruction of personal data within a period of up to 6 months, unless another period is established by the current legislation of the Russian Federation.

11. The storage of personal data must be carried out in a form that allows you to identify the subject of personal data, no longer than the purpose of storing personal data requires, unless the period of storage of personal data is established by Federal Law.

The processed personal data is subject to destruction or depersonalization upon achievement of the goals of personal data processing or in case of loss of the need to achieve these goals, unless otherwise provided by Federal Law.

12. The processing of personal data in the information systems of the Center is carried out in accordance with the Decree of the Government of the Russian Federation dated 01.11.2012 No. 1119 "On approval of requirements for the protection of personal data during their processing in personal data information systems".

13. Ensuring the security of personal data in personal data information systems is achieved by:

a) identification of threats to the security of personal data during their processing in personal data information systems;

b) the application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems;

c) the use of information security tools that have passed the compliance assessment procedure in accordance with the established procedure;

d) evaluating the effectiveness of measures taken to ensure the security of personal data prior to the commissioning of personal data information systems;

e) accounting for machine-based personal data carriers;

f) detection of unauthorized access to personal data and taking measures to stop unauthorized access;

g) recovery of personal data modified or destroyed as a result of unauthorized access to them;

h) establishing rules for access (password, login, etc.) to personal data processed in personal data information systems, as well as ensuring registration and accounting of all actions performed with personal data in personal data information systems.

14. Employees of the Center who have access to personal data information systems are obliged to:

a) take measures to prevent unauthorized access to the software and hardware used;

b) keep records of electronic media containing personal data and store them in metal cabinets or safes;

c) record personal data (individual files, databases) on electronic media only in cases regulated by the procedure for working with personal data;

d) comply with the established procedure and rules for access to information systems, prevent the transfer of personal codes and passwords to personal data information systems;

e) take all necessary measures to ensure the reliable safety of codes and passwords for access to personal data information systems;

f) work with personal data information systems within the limits of their powers and not exceed them;

g) have the skills to work with antivirus programs to the extent necessary to fulfill functional responsibilities and requirements for information protection.

15. When employees of the Center work in personal data information systems, it is prohibited:

a) record the values of codes and passwords for access to personal data information systems;

b) transfer codes and passwords for access to personal data information systems to other persons;

c) use the codes and passwords of other users of access to personal data information systems in their work;

d) select codes and passwords for access to information systems of personal data of other users;

e) record extraneous programs and data on electronic media with personal data;

f) copy information with personal data to unaccounted electronic media;

g) take electronic media with personal data outside the territory of the Center;

h) leave the workplace with the personal computer turned on without using hardware or software to block access to the personal computer;

i) bring, independently install and operate on a personal computer any software products that are not accepted for operation;

k) open, disassemble, repair personal computers, make design changes, connect non-standard units and devices;

l) transmit information containing personal data subject to protection through open communication channels (fax, e-mail, etc.), as well as use information containing personal data subject to protection in open correspondence and when negotiating by phone.

16. The collection, systematization, accumulation, storage, updating, modification, transfer, destruction of documents (hereinafter referred to as Document Processing) of employees of the Center containing personal data on paper is carried out by employees of the Center in accordance with Chapter 14 of the Labor Code of the Russian Federation.

17. All personal data must be obtained directly from the employees of the Center.

18. Documents containing personal data are destroyed by shredding in a paper cutting machine.

19. When changing the employee responsible for accounting for paper documents containing personal data, an act of acceptance and delivery of these materials is drawn up, which is approved by the head of the relevant structural unit of the Center.

20. When working with paper documents containing personal data, employees of the Center authorized to process personal data are obliged to:

a) get acquainted only with those documents containing personal data to which access has been obtained in accordance with official necessity;

b) keep confidential information that has become known to them, containing personal data that is subject to protection, inform the immediate supervisor about violations of the procedure for working with personal data and attempts of unauthorized access to them;

c) provide written explanations to the immediate supervisors about violations of the established working procedure, accounting and storage of documents containing personal data, as well as about the facts of disclosure of information containing personal data subject to protection.

21. Employees guilty of disclosing or losing information containing personal data are liable in accordance with the legislation of the Russian Federation.

22. Control over the fulfillment of the Policy requirements by the employees of the Center is assigned to the heads of the structural divisions of the Center and the person responsible for organizing the processing of personal data appointed by the order.

 

 


 

 

 

 
