• Home
  •  > 
  • Mobile devices
  •  > 
  • What is depersonalization of personal data, what is it for, what are the rules for working with it? Personal data: what you need to know about it.

What is depersonalization of personal data, what is it for, what are the rules for working with it? Personal data: what you need to know about it.

This is information with which you can identify a person: full name, place and year of birth, registration address, passport details, etc.

The history of the issue of the protection of personal data begins in 1976, when the Committee of Ministers of the Council of Europe decided to develop a Convention “On the protection of individuals with regard to the processing of personal data carried out at the international level,” which in 1981 was opened for signature by European countries. In Ukraine, this Convention was signed and ratified only at the beginning of the 2000s, after which the formation of a regulatory framework in the field of use and protection of personal data began. In 2010, it was adopted, which clearly regulated all issues relating to the receipt, use, transfer and other actions with personal data, as well as issues of their protection.

According to the Law, personal data is absolutely any information that relates to a specific or identifiable (directly or indirectly) individual. The main personal data found in everyday life, are the surname, name, patronymic of the subject (individual), date of birth, address of residence or registration, social, property, marital status, information about income, education, profession, etc.

Example of personal data

Legislation a clear list of information about individual, which are personal data, in order to be able to apply the provisions to various situations, including when processing personal data in information (automated) databases and personal data files that may arise in the future due to changes in technological, social, economic and other spheres of public life.

Types of personal data

There are four types of personal data, which are divided according to the degree of information content:

First view- special categories of personal data, which include information about the subject’s nationality and race, religious or philosophical beliefs, information about the subject’s health and intimate life.

Second type contains information by which you can identify a person and obtain additional information about him, for example, full name, address and information about earnings.

third type- this is information that only allows you to identify the subject, that is, for example, last name, first name and date of birth.

TO fourth type includes publicly available or anonymized personal data. Publicly available are personal data that, in accordance with the law, cannot be hidden, that is, cannot be confidential, for example, information about the income of government officials, or personal data, access to which is granted with the permission of the subject himself. Anonymized personal data is information from which it is impossible to determine its affiliation with a specific individual.

Personal Database

It should be noted that according to , the object of protection is only personal data when processed in personal databases.

At the same time, under "personal data database" The Law refers to a named set of ordered personal data in electronic form and/or in the form of personal data files, and under “processing of personal data” means a certain action or set of actions performed in whole or in part in an information (automated) system and/or in personal data files related to the collection, registration, accumulation, storage, adaptation, change, update, use and distribution (distribution, implementation, transfer ), depersonalization, destruction of information about an individual.

Processing of personal data

Personal data databases are subject to mandatory state registration carried out by a special government body for the protection of personal data in State Register personal data bases. Registration of personal data bases is carried out on an application basis by notifying the authorized government body. Despite this, the authorized body has the right to refuse registration if the registration application does not comply with the requirements of the Law.

According to the Law, the processing of personal data can be carried out for specific and legal purposes, determined with the consent of the subject of personal data or in cases provided for by the legislation of Ukraine, in the manner prescribed by law. If the purpose of processing changes, then consent must be obtained from the subject of personal data to process personal data for the new purpose. At the same time, it is not permitted to process personal data about an individual without his consent, except in cases established by law, and solely in the interests of national security, economic well-being and human rights.

The law also establishes that the composition and content of personal data must be consistent and not redundant with respect to the purpose of their processing. At the same time, the volume of personal data that is included in the personal data database must comply with the conditions of consent of the subject of personal data. The subject of personal data has the right, by providing such consent, to limit the right to process his personal data.

In addition, it should be noted that the law grants the right of the subject of personal data to know about the location of the personal data base that contains his personal data, as well as the location of the owner and manager of such a database, the right to information about third parties to whom his personal data is transferred, and also on free access to your personal data contained in the relevant personal database. The Law also establishes certain cases, in which the subject of personal data must be informed in writing about his rights or actions performed with his personal data.

The owner of the personal data base may be an individual entrepreneur or a legal entity who is granted the right to process personal data by law or with the consent of the subject of personal data. Such a person must approve the purpose of processing personal data, establish the composition of the data being processed and the procedures for their processing, unless otherwise provided by law.

The owner of the personal data base has the right to transfer personal data for processing to the manager of the personal data base on the basis of a written agreement.

According to the Law, the bank is required to obtain written permission to process them. Such permission is usually requested at the client survey stage. If you consent, personal data may be transferred to third parties and used to promote the bank's products and services.

If a person refuses to process his data, then by law the credit institution can use information about the client only for the purpose of fulfilling the contract concluded with him. However, many banks, if the client does not agree to data processing, may refuse to provide services to him at all.

Every person has personal or private data. But not everyone knows what it is. In this article we will learn what personal data is. In addition, we will familiarize ourselves with the law on their protection.

What is personal data?

Each person understands this formulation differently. But we will build on the one provided by our legislation. The Personal Data Act states that personal data is nothing more than simple information (or a collection of information) about a specific individual who can be identified. Agree, this wording is so vague that the term “personal data” cannot be unambiguously interpreted. In addition, thanks to this very inaccuracy, information can be abused by authors and users of databases. In particular,

Lawyers who are not indifferent to this situation propose to correct this concept and formulate it as follows: personal data - about an individual, which makes it possible to identify this person. There is a minimum set personal information, which is necessary for such a procedure. First of all, this is your full name, year and date of birth, address (postal, home or even electronic), telephone number (home or mobile) and Taxpayer Identification Number.

The same law states that the use of the above personal data is possible only for the purpose of processing, which has been confirmed and formulated with the consent of the subject - their owner. Any changes to the final purpose of processing must be re-agreed with the carrier. If this rule has been violated, the concept of “personal data protection” is applied.

The Personal Data Law is created to protect and process personal data. In particular, it aims to protect the fundamental rights and freedoms of every person. Among other things, this law controls the fact that everyone has the right not to be interfered with by anyone. Violation of the above law is subject to a fine.

Many law-abiding citizens believe that they created the law primarily for themselves, since it is often violated in relation to other people, and no one is responsible for it.

Journalists and personal information

The good news is that such restrictions (the provisions of the law on the protection of personal information) do not apply to people who are engaged in journalistic activities. That is, every journalist has the right to access the personal information of any person, including those at the top of power. But access to it is provided solely for professional purposes, and finding this information is not so easy. Members of public and trade unions and political parties do not register a personal data base. They freed themselves from this...

Journalists should not abuse their official position and cross the line of legality, using essentially secret information to create a “sensation.” However, the Personal Data Act itself does not specify where exactly this fine line lies.

Depersonalization of personal information is an integral part of the processing of materials. In article 7 Federal Law RF dated July 27, 2006 “On Personal Data” it is reported that depersonalization of statements is understood as an action that makes it impossible to determine whether information belongs to a specific person. In this case, we are talking only about identifying the physical or legal entity based on messages that are anonymized.

Article 7 of Federal Law No. 152 of July 27, 2006 “On Personal Data”. Confidentiality of personal data

Operators and other persons who have access to personal data are obliged not to disclose to third parties or distribute personal data without the consent of the subject of personal data, unless otherwise provided by federal law.

The same information can help determine which Russian the statements relate to if they are used additional sources. Depersonalization is carried out using both automated systems(computers, programs), and without the use of such tools.

The algorithm is available only to operators who have personal information at their disposal. After depersonalization of materials, the operator is relieved of the requirements to ensure maximum confidentiality.

Now you're in general outline you know what it is - anonymized customer data.

Why is it necessary?

Roskomnadzor defines depersonalization as a way to protect information from unauthorized use, but still retain the ability to use it further. In some cases, operators need to maintain access to statements on long term. If it is not possible to dispose of materials, depersonalization will be a viable alternative.

The storage of personal messages is regulated by law and requires the implementation of measures to ensure confidentiality. For example, in electronic form information must be stored in systems that have passed state examination. By making the data anonymized, the operator can reduce its own costs for storing information, because from that moment on it no longer allows identifying its owner.

Important: One of the main characteristic features of personal materials is eliminated - the possibility of identifying a person, and with it the need to save highest level privacy. However, the operator does not have the right to distribute messages that it possesses or transfer them to third parties.

Example

Many of the residents Russian Federation use online stores to make quick and profitable purchases. And each trading portal is an operator of PD (personal data). Suppose a resource stores customer communications electronically.

For each buyer, the operator has the following information: full name, city of residence, list of ordered goods. All these materials are personal, make it possible to identify a person with a high degree of probability, or are capable, in the event of uncontrolled distribution, of causing harm to the citizen who owns the information.

An online store can anonymize personal data, using one of the methods approved by Roskomnadzor Order of September 5, 2013 N 996 “On approval of requirements and methods for anonymization of personal data.”

Let's take the decomposition method as an example. It involves breaking down an array of information (full name, city of residence and list of goods) into several parts, which will be stored separately from each other. All three groups separately cannot become a tool for identifying a person.

Attention: This means that any third party will not be able to establish the city of residence of the person whose full name is indicated and will not know what goods were ordered by him.

However, with any method of data depersonalization, the online store will retain the ability to operate necessary materials, for example, use information for your own statistical research on the popularity of a resource in a particular locality or the demand for a certain product.

Operating rules

Such rules are established by regional municipalities of the Russian Federation based on the already mentioned Federal Law “On Personal Data”.

  • Anonymized PD is subject to requirements for storing information and ensuring the protection of personal information from third parties.
  • Process them using automation tools or without the participation of automation tools
  • Adhere to anti-virus and password policies.
  • Keep physical media in a separate room with limited access.

Now you know what the rules are for working with anonymized client data.

With what is it possible?

So how to depersonalize PD? The main methods of depersonalizing information are approved in the Order of Roskomnadzor, the body supervising the implementation of state policy in the field of mass communication. There are four main methods of depersonalization used today.


Step-by-step instructions: how to do it?

The main regulatory document when depersonalizing information remains the act “On Personal Data” of the Government of the Russian Federation. Depersonalization is considered an option for processing personal data, Therefore, when carrying out the corresponding action, it is necessary to fulfill the basic requirements that apply to processing.