Get best of the week

Processing personal data remotely: risks and possible consequences

image

It is all about the same recommendations of the country's leadership on transferring employees of enterprises (state and non-state) to the remote mode in a pandemic.

Is it possible to organize the process of working with personal data (PD) at home and what do the laws and technical requirements dictate to us?

We will try to answer all these questions in this article.
 
So, according to the recommendations, the employer should provide the employee with all the necessary equipment for the isolation period for the effective implementation of the tasks. What is required when working with PD?

An automated workstation, a secure high-speed uninterrupted connection (about the level of protection a bit later), a key medium (token) and access to the enterprise database. But is it so simple at first glance?

11 2014 . :

«.3


.3:

— .
— :

1) ,
;
2)
,  
();
3)
.1;
4) .


-
.

.3:

1) (
, ),
;
2)
,
,
;
3) ,  
;
4)  
 
».

Imagine that an employee of an institution does not have the opportunity to carry out their professional activities remotely on a home computer (or not at all). In this case, the employer may provide the workstation at personal responsibility.
 
From this excerpt, it follows that the removal of MNI from the institution is legally permitted and the rules for controlling movement are established, requirements for the status of the person performing the movement are made, and the whole process is determined by the presence of specific tasks.

However, the implementation of the item on the periodic check of the presence of PIM for an employee who is in a self-isolation regime during the pandemic period leads to certain thoughts. A completely different question is how regulators will treat this in the field of PD processing and information protection.
 
The next requirement to ensure the process of working with PD is to ensure a trusted download of computer equipment.
№21 18 2013.:

«.17
 
() () .

:

— () ;
— ;
— .

( -, ).

- .

.17:

 1) - ;
 2) - , - ;
 3) ;..»

It should be understood that the use of trusted boot tools on household computers, of course, although technically feasible, is not provided. Moreover, the use of SDZ is provided on those “machines” to which you must connect remotely. This raises quite logical questions: who should give the go-ahead to launch in the remote mode and what to do if a failure occurs and a reboot is required?

In such cases, there is only one option: the main “machine-station” is put into startup mode (which in itself is a violation of the rules creates certain risks, which we will analyze a little later).

Protection against changing system files is provided by the system integrity control function, the quality of which FSTEC also imposes certain requirements in order No. 27 of February 15, 2017.

Technically, all these requirements can be implemented within the framework of the ongoing transition to the "remote site". But all these technical organizational issues are fading into the background when we begin to look for the answer to the question: how to minimize (or better not to allow) the leakage of processed information, including PD in such conditions.

Despite the measures taken in the field of information protection, leakage risks have always been, are and will be. Guiding documents in the field of ZI quite clearly describe the list of organizational and technical measures to minimize and prevent them.

As you know, at home and the atmosphere is homely ... And it works easily, and the walls help. Working at home with PD is probably easier only for single people.
 
Let’s take a look at a simple example: A

dad, an employee of the certification center of the federal financial department that processes personal data, brought his computer from work. The boastful son accidentally spied a scan of the passport of the minister, the prosecutor of a constituent entity of the Russian Federation or the governor. Well, I took pictures to show my friends. And now another example: imagine a batch upload of personal data for the purpose of marketing, etc.

The objective side of the crime considered in part 1 and 2 of Art. 137 of the Criminal Code, is described alternatively by the following actions in relation to relevant information:

  1. Collection.
  2. Spread.
  3. Distribution in a special way: in the media, in a public work or in a speech.

To be held accountable, these actions must be carried out:

  • illegally (with any violation of the procedure established by law);
  • without the consent of the subject of PD.

As a rule, the illegal distribution of PD is preceded by their collection. The interpretation of the concept of “distribution” in the criminal law is wider than in the law No. 152-FZ. So, according to paragraph 5 of Art. 3 of Law No. 152-FZ, the distribution of PD is their disclosure to an indefinite number of persons. To bring to justice the disclosure of PD under Art. 137 of the Criminal Code, it is enough to inform at least one person.

Thus, ordinary prank and indiscretion can lead to quite sad consequences, both criminal and reputational, and so on, both for the employee and the employer.

Summarizing the above, it should be said that the remote mode, of course, encourages employees and their environment to commit offenses, which may entail consequences of a different scale.

In addition, the current situation is a signal for the state to study and create legislative assistance to regulate work with PD in the remote mode.

More articles:


All Articles