Data Privacy Law No. 152 – What is Information System of Personal Data
According to the Russian Federal Law No. 152-FZ "On personal data" the operator is obliged to fulfill a number of the organizational and technical measures regarding processing of personal data.
All information systems of the organization processing personal data of clients, employees and contractors are subject to protection.
To protect the data, you need to know how much the system in which it is stored vulnerable to threats. First, you need to determine the type and class of the system and data itself. In this article we cover what is Information System of Personal Data (ISPD) and what is necessary to know about such systems if you work with personal data.
What is Information System of Personal Data (ISPD)
ISPD refers to the information system, which is a complex of the personal data contained in a database, together with information technologies and technical means, allowing carrying out processing of such personal data with or without use of means of automation.
Let us say you have a website where users can buy things or order services. Then you are a personal data operator and your ISPD includes:
Personal data itself: names and surnames, e-mails, phone numbers, date of birth, marital status.
Website if it collects contact information (online applications and online consultants, call order and feedback forms, etc.), as well as indicates the data of employees working in the organization.
Customer relationship management systems – information systems, programs and services for registering customers, making records about them, maintaining profile information about them.
Systems for storage and transfer of information about clients – software products (including antiviruses, firewalls and other similar software) and services, file storages and servers storing information about clients.
Systems and computers involved in transferring customer data to third party information systems – workstations of employees responsible for transferring data to third party institutions.
How to classify the information system of personal data?
Protection levels for personal data and classes of security of ISPD
Level of protection of PD is a complex parameter which characterizes compliance with the requirements neutralizing threats of safety of ISPD. In total, there are four of them - the higher the level, the more serious protection the data needs. Security levels are defined in 1119 Government Decrees, protection measures – in 21 FSTEC order.
To determine the level of security it is necessary to establish:
categories of processed personal data of subjects (physical persons);
type of processing in the form of relations between subjects and the organization;
number of subjects;
type of threats relevant for information system.
Categories of personal data
Group 1 – special categories of PD. Include information about the national and racial belonging of the subject; religious, philosophical or political beliefs, information about health of the subject;
Group 2 – biometric PD, i.e. data characterizing biological or physiological features of the subject, for example a photo or fingerprints;
Group 3 – publicly available PD, i.e. information about the subject, full and unlimited access to which is provided by the subject himself;
Group 4 – other categories of PD, not presented in the three previous groups.
According to the form of relationship between your organization and subjects, processing is divided into 2 types:
processing of personal data of employees (subjects with whom your organization is connected by labor relations);
processing of personal data of subjects who are not employees of your organization (for example, your clients).
By the number of subjects, whose personal data is processed, the regulatory act defines only two categories:
less than 100,000 subjects;
more than 100,000 subjects.
Data types, relationships with subjects and the number of subjects are easy to determine. As for threat types, they are more complex. According to the document "Methodology for Determining Actual Data Security Threats during their Processing", threats are the conditions and factors that can provide unauthorized access to personal data and lead to its leakage or corruption.
Types of threats
Type 1 – the most serious threat associated with undocumented capabilities in system software, such as the operating system.
Type 2 – threats related to undocumented capabilities in the application software, e.g. in the installed programs.
Type 3 – threats that are not related to the software, for example, vulnerabilities in the hardware.
There is no universal way to determine the type of threat that is relevant to your system. If you use FSTEC-certified software, then type 1 and 2 threats may be considered irrelevant. In case you do not have certificates, only an information security professional can determine the level of threats.
If you need to store sensitive personal data (3,4 level) your Information System of Personal Data must be certified by FSTEC. More easy and convenient way is placing personal data in the cloud. When deciding on a cloud, give preference to providers with FSTEC certification. This guarantees that provider meets the requirements of the law regarding technical requirements for data safety.