Personal Data Protection in Russia: Compliance Requirements and Security Measures for Data Operators
August 21, 2023
BRACE Law Firm ©
Any company or individual entrepreneur working with the personal data (the "PD") of individuals is considered a personal data operator. A key duty of a personal data operator is to ensure the security and protection of personal data against unlawful actions.
Currently, information security matters are under close government oversight due to the development of digitalization across nearly all fields of activity, geopolitical factors, international events, and the large-scale expansion of cybercrime.
This article examines the measures a personal data operator must develop and implement to protect the personal data of individuals and the liability for non-compliance.
What Personal Data Must a Personal Data Operator Protect and Against What?
Before examining the topic, we shall address terminology. Pursuant to Clause 1 of Article 3 of Federal Law No. 152-FZ dated July 27, 2006, On Personal Data (the "Law on Personal Data" or "Federal Law No. 152-FZ"), personal data means any information relating to a directly or indirectly identified or identifiable individual (the "subject of personal data"). Thus, personal data constitutes any information about a person that directly or indirectly allows for their identification, ranging from full name, passport details, mobile phone number, and email address to photo and video images or fingerprint (dactylographic) data.
Under Part 1 of Article 19 of Federal Law No. 152-FZ, during processing, a personal data operator must protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, or dissemination, as well as from other unlawful actions. To achieve this, the operator must develop and adopt legal, organizational, and technical measures for PD protection. Legal measures include the adoption of relevant internal regulations; organizational measures include the appointment of responsible persons and the training of employees involved in data processing; and technical measures involve actions aimed at preventing security threats.
A list of potential measures is provided in Articles 18.1 and 19 of the Law on Personal Data. Furthermore, these measures are subject to additional regulation in the administrative acts of regulatory authorities: the FSTEC of Russia and the FSB of Russia. Federal Law No. 152-FZ does not provide an exhaustive list of personal data protection measures. The operator develops them independently, taking into account the requirements of secondary legislation and the specifics of the personal data operator's activities.
Note that upon request from Roskomnadzor, a personal data operator must submit documents or otherwise confirm the adoption of protection measures (Part 4 of Article 18.1 of Federal Law No. 152-FZ).
Legal Measures for Ensuring the Security and Protection of Personal Data
To protect personal data, a personal data operator must develop a set of internal regulations. Generally, this set includes the following documents:
- Regulations on Personal Data Protection;
- Policy Regarding Personal Data Processing;
- Order approving the list of persons with access to personal data;
- Employee's non-disclosure obligation regarding personal data;
- A set of documents regulating technical information protection measures (an order approving the list of personal data information systems, instructions for the person responsible for organizing personal data processing, instructions for organizing anti-virus protection, etc.).
The personal data operator must familiarize employees directly involved in personal data processing with the provisions of personal data legislation and internal regulations, and conduct training for said employees (Clause 6 of Part 1 of Article 18.1 of Federal Law No. 152-FZ).
Organizational Measures for Ensuring the Security and Protection of PD
Organizational measures for the security and protection of PD primarily consist of appointing responsible persons. For personal data operators processing PD without the use of automation tools, it is sufficient to appoint a person responsible for organizing data processing.
If personal data is also processed in information systems, a person responsible for ensuring personal data security must also be appointed. Typically, this is an information security specialist, a computer professional, or another trained technical specialist. The Law on Personal Data does not contain specific requirements for the position or education of the person responsible for security. However, if it is necessary to organize information protection (including personal data) at critical infrastructure facilities (information systems of state authorities, healthcare organizations, transport, communications, energy, banking, chemical industry, etc.) [1], then pursuant to Order of the FSTEC of Russia No. 235 dated December 21, 2017, On Approval of Requirements for the Creation of Security Systems for Significant Objects of the Critical Information Infrastructure of the Russian Federation and Ensuring Their Functioning, employees of the structural security unit must meet the following requirements:
- possession of a higher professional education in the field of information security or another higher professional education;
- a document confirming the completion of a professional development program in the field of "Information Security" with a training period of at least 72 hours (for the head of the unit — at least 360 hours).
In other companies, to ensure professionalism when performing personal data protection work, we recommend following these requirements when appointing the person responsible for organizing protection.
Technical Measures for Ensuring the Security and Protection of PD
Technical protection measures include both physical protection measures (equipping premises with locking doors and cabinets, bars, etc.) and software and hardware measures (using anti-virus protection, using certified protection tools, etc.).
Below, we examine in detail the organizational and technical measures for protecting personal data processed with and without automation tools.
Specifics of PD Protection during Non-Automated Processing
Let us clarify what the legislation means by automated processing and processing without the use of automation tools. Under Article 3 of the Law on Personal Data, automated processing means data processing using computer technology. In turn, according to Clauses 1 and 2 of the Regulations on the Specifics of Personal Data Processing Carried Out Without the Use of Automation Tools, approved by Decree of the Government of the Russian Federation No. 687 dated September 15, 2008 (the "Decree No. 687"), non-automated processing refers to actions with personal data provided that the use, clarification, dissemination, and destruction of personal data are carried out with the direct participation of a human being. Personal data processing cannot be recognized as being carried out using automation tools solely on the grounds that the personal data is contained in a personal data information system or was extracted from it.
It should be noted that, at present, official clarifications regarding this issue are absent. However, personal data processing in MS Word and Excel may be regarded by Roskomnadzor as processing using automation tools. Furthermore, the fact that an operator processes personal data through a CRM system (software for automating and controlling company interaction with clients) or through the 1C accounting system may also indicate data processing using automation tools.
The requirements for organizing the protection of personal data on paper media are not detailed in the Law on Personal Data. Measures to ensure the security of personal data during non-automated processing are formulated in Decree No. 687 and include the following:
- determining the storage location of physical personal data media and the list of persons processing personal data or having access to them;
- organizing the separate storage of personal data (physical media) processed for different purposes;
- ensuring the preservation of PD and excluding unauthorized access to them.
The specific list of preservation measures, the procedure for their adoption, and the list of persons responsible for implementing said measures are established by the personal data operator. For example, equipping storage rooms with metal doors, alarms, and window bars, and ensuring the storage of physical media in locking drawers or safes.
Specifics of Protection during Personal Data Processing in Information Systems
When processing occurs using information systems, new potential threats arise that must be minimized or ideally eliminated. Therefore, the requirements for personal data protection are regulated in more detail.
Article 19 of the Law on Personal Data regulates the requirements for personal data protection in personal data information systems (the "ISPDn"). Thus, pursuant to Part 2 of Article 19 of Federal Law No. 152-FZ, ensuring personal data security is achieved, in particular, by:
- identifying threats to personal data security during their processing in an ISPDn;
- applying organizational and technical protection measures;
- using information security tools that have undergone the established compliance assessment procedure;
- assessing the effectiveness of the measures taken before commissioning the ISPDn;
- accounting for computer media containing personal data;
- adopting measures to detect, prevent, and eliminate the consequences of computer attacks on the ISPDn and responding to computer incidents within them;
- restoring personal data that has been modified or destroyed due to unauthorized access;
- establishing rules for access to personal data processed in the ISPDn, as well as recording and accounting for all actions performed with personal data in the ISPDn;
- monitoring the measures taken to ensure personal data security and the security level of the ISPDn.
Detailed requirements for personal data protection during processing in an ISPDn are regulated in Decree of the Government of the Russian Federation No. 1119 dated November 1, 2012 [2] (the "Decree No. 1119"), as well as in the orders of regulatory authorities:
- Order of the FSTEC of Russia No. 21 dated February 18, 2013, On Approval of the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data during Their Processing in Personal Data Information Systems (the "Order of the FSTEC No. 21");
- Order of the FSB of Russia No. 378 dated July 10, 2014, On Approval of the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data during Their Processing in Personal Data Information Systems Using Cryptographic Information Protection Tools (the "Order of the FSB No. 378").
The Order of the FSB No. 378 regulates protection measures for personal data operators using cryptographic protection tools in information systems and, due to space constraints, will not be addressed in this article.
Pursuant to the Order of the FSTEC No. 21, ensuring personal data security in an ISPDn requires the following:
I. Identifying threats to personal data security during their processing in an ISPDn.
Security threats are understood as a set of conditions and factors creating an actual danger of unauthorized (including accidental) access to personal data during their processing in an information system, which may result in the destruction, modification, blocking, copying, provision, or dissemination of personal data, as well as other unlawful actions (Clause 6 of Decree No. 1119).
Decree No. 1119 establishes three types of security threats:
- Type 1 threats — threats related to the presence of undocumented (undeclared) capabilities in system software (e.g., in the operating system, service programs, or anti-viruses);
- Type 2 threats — threats related to the presence of undocumented (undeclared) capabilities in application software (e.g., in accounting or HR software);
- Type 3 threats — threats not related to the presence of undocumented (undeclared) capabilities in system or application software.
The determination of the type of security threats relevant to the information system is performed by the personal data operator, taking into account the assessment of potential harm.
II. Selecting the personal data security level.
Decree No. 1119 defines four security levels. The security level is selected in accordance with Clauses 8–16 of Decree No. 1119 and depends on the following factors:
- the determined type of threat;
- the category of personal data being processed. Personal data is divided into four categories:
  - special categories of PD, which include information on the subject's nationality, race, religious, philosophical or political beliefs, and information regarding health or intimate life;
  - biometric PD, meaning data characterizing the biological or physiological characteristics of the subject used to establish identity, such as a photograph or fingerprints;
  - publicly available PD, meaning information about the subject to which full and unlimited access has been provided by the subject themselves;
  - other categories of PD not included in the three previous groups;
- the personal data subjects whose data is being processed:
  - the operator's own employees;
  - other subjects not associated with the operator-company through labor relations;
- the number of subjects whose PD are being processed (fewer than 100,000 subjects or more than 100,000 subjects).
To determine the security level of an ISPDn, one may use a special online calculator available on the FSTEC website. An ISPDn with an established security level of 1 requires more serious protection measures than a system with level 4.
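The selection procedure described above, as an added example that is not code from the article, from FSTEC or from any other regulator: a Python function that encodes Clauses 9–12 of Decree No. 1119 as the example author reads them, taking the three inputs listed above (threat type, PD category, employee/non-employee subjects and their number) and returning the security level. The class and field names are assumptions, and the official FSTEC calculator remains the authoritative reference.

```python
"""Security level selection for an ISPDn under Decree No. 1119.

Added example; the decision table below is the example author's reading of
Clauses 9-12 of Decree No. 1119, not text from the article or the regulator.
"""
from dataclasses import dataclass
from enum import Enum


class Threat(Enum):
    TYPE1 = 1  # undeclared capabilities in system software
    TYPE2 = 2  # undeclared capabilities in application software
    TYPE3 = 3  # neither of the above


class Category(Enum):
    SPECIAL = "special"      # health, beliefs, race, etc.
    BIOMETRIC = "biometric"  # photo, fingerprints
    PUBLIC = "public"        # made publicly available by the subject
    OTHER = "other"          # everything else (e.g. HR or customer records)


@dataclass(frozen=True)
class Ispdn:
    threat: Threat
    category: Category
    employees_only: bool  # True if every subject is the operator's own employee
    subjects: int         # number of subjects whose PD the system processes


def _large(s: Ispdn) -> bool:
    """True when the system holds PD of MORE than 100,000 non-employee subjects.

    Assumption: exactly 100,000 is treated as "not more than", so it falls
    into the lower branch; the decree text itself does not name that case.
    """
    return not s.employees_only and s.subjects > 100_000


def security_level(s: Ispdn) -> int:
    """Return the required security level (1 = strictest, 4 = lowest)."""
    t, c = s.threat, s.category
    if t is Threat.TYPE1:
        # Level 1 for special, biometric or other PD; level 2 only for public PD
        return 2 if c is Category.PUBLIC else 1
    if t is Threat.TYPE2:
        if c is Category.SPECIAL:
            return 1 if _large(s) else 2
        if c is Category.BIOMETRIC:
            return 2
        # public or other PD: level 2 above the 100,000 threshold, else level 3
        return 2 if _large(s) else 3
    # Type 3 threats
    if c is Category.SPECIAL:
        return 2 if _large(s) else 3
    if c is Category.BIOMETRIC:
        return 3
    if c is Category.PUBLIC:
        return 4
    return 3 if _large(s) else 4


if __name__ == "__main__":
    # Constructed scenarios (not from the article)
    hr_system = Ispdn(Threat.TYPE3, Category.OTHER, employees_only=True, subjects=250)
    crm_system = Ispdn(Threat.TYPE3, Category.OTHER, employees_only=False, subjects=250_000)
    print("HR system:", security_level(hr_system))    # 4
    print("CRM system:", security_level(crm_system))  # 3
```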
III. Determining protection requirements depending on the selected personal data security level.
For each security level, Decree No. 1119 provides its own protection requirements. Thus, to ensure the 4th security level, it is necessary to meet the following requirements:
- approve the list of persons authorized to access personal data in the ISPDn;
- ensure the security of the premises where the ISPDn is located, preventing unauthorized entry by persons without access rights;
- ensure the preservation of personal data media;
- use information security tools (the "IST"), such as firewalls, intrusion detection systems, etc., that have passed the compliance assessment procedure under information security legislation.
For the 3rd security level, it is additionally necessary to appoint a designated official responsible for ensuring personal data security in the ISPDn.
To ensure the 2nd security level, in addition to the above requirements, it is also necessary that access to the content of the electronic message log be possible exclusively for employees who require this information to perform their labor duties.
To ensure the 1st security level of personal data, the following requirements must also be met:
- creation of a structural unit responsible for personal data security in the ISPDn or assigning such security functions to an existing structural unit;
- ensuring the automatic recording in the electronic security log of changes to an employee's personal data access permissions.
Personal Data Protection Measures in an ISPDn
Personal data protection measures in an ISPDn are regulated by the Order of the FSTEC No. 21. These measures include:
- identification and authentication of access subjects (users) and access objects (devices);
- access management for access subjects to access objects (differentiation of user rights to devices and monitoring compliance);
- software environment restriction (installing and running only authorized software);
- protection of computer personal data media (excluding unauthorized access to them and unauthorized use of removable computer media);
- recording of security events (collection, recording, storage, and protection of information about security events);
- anti-virus protection;
- intrusion detection (prevention);
- control (analysis) of personal data security (conducting systematic security analysis activities);
- ensuring the integrity of the information system and personal data (detecting unauthorized violations of ISPDn integrity and the personal data contained therein);
- ensuring personal data availability (authorized access for users with access rights to personal data);
- protection of the virtualization environment (excluding unauthorized access to personal data processed in the virtual infrastructure);
- protection of technical means (excluding unauthorized access to stationary technical means processing personal data, means ensuring ISPDn functioning, and the premises where they are permanently located; protecting technical means from external influences, as well as protecting personal data);
- protection of the information system, its tools, communication systems, and data transmission systems;
- identifying incidents that may lead to failures or malfunctions of the ISPDn or threats to personal data security, and responding to them;
- configuration management of the ISPDn and the personal data protection system.
The specific list of measures depending on the security level is provided in the Appendix to the Order of the FSTEC No. 21. The selection of measures is carried out as follows:
- a baseline set of measures is determined in accordance with the Appendix to the Order of the FSTEC No. 21;
- the baseline set is adapted based on the characteristics of the ISPDn and its functioning specifics. Generally, this involves excluding measures from the baseline set that are not used by or are not characteristic of the ISPDn;
- taking into account economic feasibility, other (compensating) measures aimed at neutralizing actual security threats are developed. Generally, these are non-mandatory measures for the given security level from the Order of the FSTEC No. 21, the replacement of certain technical protection measures with organizational ones, or the adoption of other technical solutions. The application of compensating measures must be justified.
The Order of the FSTEC No. 21 also establishes requirements for the IST used. IST must be certified according to information security requirements.
- in ISPDn of the 1st security level — IST of at least class 4 and trust level 4, as well as computer equipment of at least class 5;
- in ISPDn of the 2nd security level — IST of at least class 5 and trust level 5, as well as computer equipment of at least class 5;
- in ISPDn of the 3rd security level — IST of at least class 6 and trust level 6, as well as computer equipment of at least class 5;
- in ISPDn of the 4th security level — IST of at least class 6 and trust level 6, as well as computer equipment of at least class 6.
IST classes and trust levels are established in accordance with FSTEC regulations by manufacturers during IST certification.
It should be noted that the requirements discussed above are technical in nature and are intended primarily for information security specialists. These measures may be organized and conducted by the personal data operator independently and/or by involving, on a contractual basis, legal entities and individual entrepreneurs holding a license to carry out activities for the technical protection of confidential information. Monitoring of compliance with the requirements must be conducted at least once every three years.
Requirements for Physical Media of Biometric Personal Data
Decree of the Government of the Russian Federation No. 512 dated July 6, 2008 [3] (the "Decree No. 512"), established requirements for physical media of biometric personal data and technologies for their storage outside an ISPDn.
According to Clause 2 of Decree No. 512, physical media means a machine-readable information carrier (including magnetic and electronic) on which information characterizing a person's physiological characteristics and allowing for their identification is recorded and stored.
The physical media used for recording must ensure:
- protection against unauthorized repeated and additional recording of information after its extraction from the ISPDn;
- the possibility for the personal data operator and its authorized persons to access the biometric personal data recorded on the physical media;
- the possibility of identifying the ISPDn into which the biometric personal data was recorded and the personal data operator that performed the recording;
- the impossibility of unauthorized access to the biometric personal data contained on the physical media.
As a general rule, the operator is entitled to independently determine the type of physical media used (memory card, USB drive, external hard drive, etc.). At the same time, the operator is obligated to account for the number of copies of physical media and assign a unique identification number to the media, allowing for the precise identification of the operator.
When storing biometric personal data outside an ISPDn, the personal data operator must ensure the recording of facts of unauthorized repeated and additional recording of information after its extraction from the system.
Liability for Violation of Personal Data Protection Requirements
Violations of personal data protection requirements may result in administrative liability:
- Under Part 6 of Article 13.11 of the CAO RF, "Failure to fulfill the duty to preserve personal data during processing without the use of automation tools, if this resulted in unlawful actions regarding the personal data (access, destruction, copying, modification, etc.)". The maximum penalty for officials is a fine ranging from 8,000 to 20,000 rubles; for individual entrepreneurs — from 20,000 to 40,000 rubles; and for legal entities — from 50,000 to 100,000 rubles.
A prosecutor's office conducted an audit of a business entity's compliance with personal data protection legislation. The audit established that the business entity, acting as a personal data operator, had entered into an agency agreement with a management company for the generation of utility bills and their delivery to addressees. In performance of the agreement, the management company delivered the bills in a non-enveloped format, which failed to ensure the confidentiality of personal data; specifically, the personal data of citizens was available for viewing by an unlimited number of persons during delivery and storage in mailboxes. By order of a justice of the peace, the business entity was found guilty of an administrative offense under Part 6 of Article 13.11 of the CAO RF and was subjected to an administrative penalty in the form of a fine in the amount of 25,000 rubles.
- Under Part 6 of Article 13.12 of the CAO RF, "Violation of information protection rules". The fine for officials ranges from 1,000 to 2,000 rubles; for legal entities — from 10,000 to 15,000 rubles.
As established in one case, the FSB Department revealed during operational-search activities that an organization had not determined personal data security levels in its ISPDn, had not approved access rules for premises where personal data is stored, and had not approved the list of persons with access rights. By order of the FSB Department, the organization was found guilty of an administrative offense under Part 6 of Article 13.12 of the CAO RF and was fined 15,000 rubles. The court found the classification of the violation to be correct but deemed the offense minor and replaced the fine with a warning [4].
In another case, operational-search activities revealed that malicious software was functioning on computers within an institution, capable of providing third parties with access to stored information. Personal data of the institution's employees was processed on said computers; however, anti-virus software was not installed. The director of the institution was held administratively liable under Part 6 of Article 13.12 of the CAO RF and fined 1,000 rubles. The director attempted to challenge the order in court. The court refused to vacate the order and noted that the presence of licensed anti-virus software on two computers did not indicate compliance with the requirements of Decree No. 1119, since at least 11 computers in the institution were interconnected in a single local area network connected to the Internet [5].
Furthermore, an employee may be held disciplinarily liable for violating personal data protection rules. Pursuant to Article 192 of the Labor Code of the Russian Federation, disciplinary liability takes the form of a warning, reprimand, or dismissal.
In the most serious cases, there is a risk of criminal liability under Article 272 of the Criminal Code of the Russian Federation, "Unlawful access to computer information resulting in the destruction, blocking, modification, or copying of information". Punishment may reach up to 7 years of imprisonment. Unlawful access to computer information is defined as obtaining or using such information without the consent of the information owner by a person not endowed with the necessary powers, or in violation of the procedure established by regulatory acts, regardless of the form of such access.
This is illustrated by a judicial case. A case was initiated against the head of an information security department of the tax service who, by virtue of her position, was an information security administrator. The court established that the department head, using her official position and without legal grounds or the consent of the tax authority's employees, intentionally gained unlawful access to the victims' office computers and copied files of the employees' personal correspondence. By court verdict, she was convicted under Part 3 of Article 272 of the Criminal Code of the Russian Federation and sentenced to 1 year and 6 months of imprisonment (suspended). Subsequently, a court of cassation remanded the case for a new trial, indicating that the verdict did not provide a sufficient analysis of the convict's official powers [6].
In conclusion, we emphasize once again the importance of developing and adopting personal data protection measures by the operator to minimize negative consequences. Given the complexity, large volume, and technical focus of the regulations governing personal data security requirements, we recommend involving specialists with the relevant experience and competencies in this work.
_______________________
References
[1] The list of critical infrastructure subjects is provided in Article 2 of Federal Law No. 187-FZ dated July 26, 2017, On the Security of the Critical Information Infrastructure of the Russian Federation.
[2] Decree of the Government of Russia No. 1119 dated November 1, 2012, On Approval of Requirements for the Protection of Personal Data during Their Processing in Personal Data Information Systems.
[3] Decree of the Government of Russia No. 512 dated July 6, 2008, On Approval of Requirements for Physical Media of Biometric Personal Data and Technologies for Storing Such Data Outside Personal Data Information Systems.
[4] Decision of the Pervomaysky District Court of Krasnodar dated April 23, 2019, in case No. 12-185/19.
[5] Decision of the Birobidzhan District Court of the Jewish Autonomous Region dated March 5, 2021, in case No. 12-174/2020.
[6] Resolution of the Ninth Court of Cassation of General Jurisdiction dated February 16, 2023, No. 77-258/2023.