Document from CIS Legislation database © 2003-2025 SojuzPravoInform LLC

ORDER OF THE GOVERNMENT OF THE RUSSIAN FEDERATION

of November 1, 2012 No. 1119

On approval of security requirements for personal data when they are processed in personal data information systems

In accordance with article 19 of the Federal law "About Personal Data", the Government of the Russian Federation decides:

1. Approve the enclosed security requirements for personal data when they are processed in personal data information systems.

 

Russian Prime Minister D. Medvedev

Approved by the order of the Government of the Russian Federation of November 1, 2012 No. 1119

Security requirements for personal data when they are processed in personal data information systems

1. This document establishes security requirements for personal data when they are processed in personal data information systems (hereinafter - information systems) and the levels of security of such data.

2. The security of personal data when they are processed in an information system is ensured by a personal data protection system that neutralizes the urgent threats determined in accordance with part 5 of article 19 of the Federal law "About Personal Data". The personal data protection system includes the organizational and (or) technical measures determined with regard to the urgent threats to the security of personal data and the information technologies used in information systems.

3. The security of personal data when they are processed in an information system is ensured by the operator of that system who processes the personal data (hereinafter - the operator), or by the person who processes personal data at the request of the operator on the basis of an agreement signed with that person (hereinafter - the authorized person). The agreement between the operator and the authorized person shall provide for the obligation of the authorized person to ensure the security of personal data when they are processed in the information system.

4. Information security products for the personal data protection system are chosen by the operator in accordance with the regulatory legal acts adopted by the Federal Security Service of the Russian Federation and the Federal Service for Technical and Export Control pursuant to part 4 of article 19 of the Federal law "About Personal Data".

5. An information system is an information system processing special categories of personal data if it processes personal data concerning the racial or national identity, political views, religious or philosophical beliefs, state of health, or intimate life of personal data subjects.

An information system is an information system processing biometric personal data if it processes data that characterize the physiological and biological features of a person, on the basis of which the person's identity can be established and which are used by the operator to identify the personal data subject, and it does not process data belonging to the special categories of personal data.

An information system is an information system processing public personal data if it processes personal data of personal data subjects obtained only from public sources of personal data created in accordance with article 8 of the Federal law "About Personal Data".

An information system is an information system processing other categories of personal data if it does not process the personal data specified in paragraphs one to three of this Item.

An information system is an information system processing personal data of the operator's staff if it processes personal data of those employees only. In other cases the personal data information system is an information system processing personal data of personal data subjects who are not the operator's staff.

6. Urgent threats to the security of personal data are understood as the set of conditions and factors creating an urgent danger of unauthorized, including accidental, access to personal data when they are processed in an information system, which may result in the destruction, change, blocking, copying, provision or distribution of personal data, as well as other wrongful acts.

Threats of the 1st type are urgent for an information system if, among others, threats connected with the presence of undocumented (undeclared) capabilities in the system software used in the information system are urgent for it.

Threats of the 2nd type are urgent for an information system if, among others, threats connected with the presence of undocumented (undeclared) capabilities in the application software used in the information system are urgent for it.

Threats of the 3rd type are urgent for an information system if threats that are not connected with the presence of undocumented (undeclared) capabilities in the system and application software used in the information system are urgent for it.

7. The type of threats to the security of personal data that are urgent for an information system is determined by the operator, taking into account the assessment of possible harm carried out pursuant to Item 5 of part 1 of article 18.1 of the Federal law "About Personal Data", and in accordance with the regulatory legal acts adopted pursuant to part 5 of article 19 of the Federal law "About Personal Data".

8. For personal data processing in information systems, 4 levels of security of personal data are established.

9. The need to ensure the 1st level of security of personal data when they are processed in an information system is established if at least one of the following conditions is present:

a) threats of the 1st type are urgent for the information system and the information system processes either special categories of personal data, or biometric personal data, or other categories of personal data;

b) threats of the 2nd type are urgent for the information system and the information system processes special categories of personal data of more than 100000 personal data subjects who are not the operator's staff.

10. The need to ensure the 2nd level of security of personal data when they are processed in an information system is established if at least one of the following conditions is present:

a) threats of the 1st type are urgent for the information system and the information system processes public personal data;

b) threats of the 2nd type are urgent for the information system and the information system processes special categories of personal data of the operator's staff or special categories of personal data of less than 100000 personal data subjects who are not the operator's staff;

c) threats of the 2nd type are urgent for the information system and the information system processes biometric personal data;

d) threats of the 2nd type are urgent for the information system and the information system processes public personal data of more than 100000 personal data subjects who are not the operator's staff;

e) threats of the 2nd type are urgent for the information system and the information system processes other categories of personal data of more than 100000 personal data subjects who are not the operator's staff;

Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim.