Immanuel Kant Baltic Federal University

Personal Data Processing and Protection Policy of Federal Autonomous Educational Institution of Higher Education “Immanuel Kant Baltic Federal University”

1. Definitions and abbreviations used in the Policy

1.1. Personal data (PD) is any information relating directly or indirectly to a specific or determinable individual (subject of personal data).

1.2. "Personal data processing" means any action (operation) or set of actions (operations) with personal data performed using automation tools or without using such means, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, destruction of personal data.

1.3. Dissemination of personal data is actions aimed at disclosing personal data to an undetermined number of persons.

1.4. Provision of personal data is actions aimed at disclosing personal data to a certain person or a certain number of persons.

1.5. Blocking of personal data - temporary suspension of the processing of personal data (unless the processing is necessary to clarify personal data).

1.6. Destruction of personal data - actions, as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material carriers of personal data are destroyed.

1.7. Anonymization of personal data is actions that make it impossible to determine whether personal data belong to a specific subject of personal data without the use of additional information.

1.8. Personal Data Information System (PDIS) - a set of personal data contained in personal data databases, together with the information technologies and technical means that ensure their processing.

1.9. Information is information (messages, data), regardless of the form of its presentation.

2. General terms

2.1. This document determines the policy of the Federal Autonomous Educational Institution of Higher Education "Immanuel Kant Baltic Federal University" (hereinafter - the University) in relation to the processing and protection of personal data.

2.2. Personal Data (PD) Processing and Protection Policy of the University (hereinafter - the Policy) determines:

· The legal framework for ensuring the safety of PD;

· Principles and objectives of PD processing;

· Lists of PD subjects and processed PD;

· Operations performed with PD, and terms of their processing;

· Rights and obligations of the subjects and employees of the University when processing PD;

· The measures taken by the University to protect PD;

· Control and supervision of PD processing.

2.3. The Policy is developed in accordance with Paragraph 2 of Art. 18.1 of the Federal Law “On Personal Data” № 152-ФЗ of 27 July 2006 and taking into account the requirements of the Constitution of the Russian Federation, legislative and other regulatory legal acts of the Russian Federation in the area of personal data, in particular in accordance with:

· Labour Code of the Russian Federation;

· Civil Code of the Russian Federation;

· Tax Code of the Russian Federation;

· Federal Law of 27 July 2006 № 149-ФЗ “On Information, Information Technologies and Information Protection”;

· Federal Law "On Education in the Russian Federation" of 29 December 2012 № 273-ФЗ;

· Government decree of the Russian Federation of 01.11.2012 № 1119 “On approval of requirements for the personal data protection when it is processed in personal data information systems”;

· The Charter of the University.

2.4. The purpose of this Policy is to determine the procedure for processing personal data of citizens; to ensure the protection of the rights and freedoms of a person and a citizen in the processing of his personal data, including the protection of privacy rights and of personal and family confidentiality; and to establish the responsibility of officials who have access to citizens' personal data for non-compliance with the requirements and standards governing personal data processing and protection.

2.5. The policy applies to all personal data processed at the University, received before and after signing of this Policy.

2.6. This Policy applies to personal data processed with the use of automation equipment and without the use of such tools.

2.7. This Policy applies to all processes in which personal data of PD subjects of all categories are processed, as well as to the officials involved in these processes.

2.8. The main terms of the document can also be extended to divisions of other organizations and institutions that interact with the University as suppliers and consumers (users) of information.

3. The legal framework for ensuring personal data safety

3.1. The policy was developed in accordance with the following regulatory legal acts of the Russian Federation:

- Constitution of the Russian Federation;

- Labor Code of the Russian Federation;

- Civil Code of the Russian Federation;

- Tax Code of the Russian Federation;

- Federal Law dated July 27, 2006 No. 149-ФЗ “On Information, Information Technologies and Information Protection”;

- Federal Law of 27.07.2006 No. 152-ФЗ “On Personal Data”;

- Decree of the Government of the Russian Federation of 01.11.2012 No. 1119 “On approval of requirements for the protection of personal data when they are processed in personal data systems”;

- Charter of the University.

4. Personal data processed by the University

4.1. The University processes personal data of the following categories of subjects:

- employees;

- students;

- applicants;

- patients;

- "Aviakassy" ticket office clients;

- individuals who have a contractual relationship with the University.

4.2. List of personal data of employees processed at the University:

- surname, name, patronymic;

- date and place of birth;

- passport data (series, number, when and by whom issued, the issuing unit code);

- address of permanent registration and residence;

- citizenship;

- sex;

- E-mail address;

- contact phone number;

- the photo;

- taxpayer identification number;

- the Pension Fund of the Russian Federation (SNILS) insurance certificate number;

- information on education, on advanced training, on professional retraining;

- information about the degree, academic titles;

- information on foreign language proficiency, degree of proficiency;

- marital status;

- data on children (name, date of birth);

- immediate family (name, status, date of birth);

- information on military registration;

- position;

- data on work experience, including previous jobs;

- tariff rate;

- information about salary, co-payments and allowances;

- data on tax deductions;

- bank account number, name of the bank;

- information from the policy of compulsory and (or) additional medical insurance;

- medical report on the state of health, the results of tests and medical research / examinations, information about vaccinations;

- information from the orders on the admission of a person to work, on dismissal, as well as on the transfer of a person to another position;

- information on the presence / absence of a criminal record;

- information from other documents intended for official use.

4.3. The list of personal data of students processed at the University:

- surname, name, patronymic;

- date and place of birth;

- passport data (series, number, when and by whom issued, the issuing unit code);

- address of permanent registration and residence;

- E-mail address;

- sex;

- citizenship;

- registration number;

- data conclusions on the professional examination (number and when issued);

- health / information about health issues (people with special needs, health group / functional group, special medical group for physical education);

- social status;

- preferential training conditions;

- enrolment date;

- orders (date, number, reason for transfer);

- information about the educational activities of students;

- information about the deduction (reason, reason, number and date of the order);

- information about education (specialty, group, course, level, qualification, form of training and the basis);

- information on the calculation of scholarships and other payments;

- contact phone number;

- photo;

- information about legal representatives (name, date and place of birth, registration address and telephone number);

- other personal data.

4.4. List of personal data of applicants processed at the University:

- surname, name, patronymic;

- date and place of birth;

- sex;

- citizenship;

- address of permanent registration and residence;

- the identity document data (passport) (series, number, when and by whom issued, the issuing unit code);

- information about legal representatives (name, date and place of birth, registration address and telephone number);

- the results of entrance examinations (EGE, etc.);

- information about the previously received education (qualification, specialty, degree);

- information about medals received and participation in competitions;

- information on special rights / benefits;

- information about individual achievements;

- information about the state of health;

- E-mail address;

- contact phone number;

- photo;

- information about the previous educational organization (city, name, type, year of graduation);

- information about the education document (type, series, number, date of issue);

- information about the language being studied;

- information on grades from a certificate or diploma (discipline and assessment);

- information on applications submitted (specialty, level, qualification, form of training and the basis);

- other personal data.

4.5. List of personal data of patients processed at the University:

- surname, name, patronymic;

- date of birth;

- sex;

- citizenship;

- address of permanent registration and residence;

- data of the identity document (passport) (series, number);

- the Pension Fund of the Russian Federation (SNILS) insurance certificate number;

- information from the policy of compulsory and (or) additional medical insurance;

- information about the selected medical insurance organization;

- date of registration as an insured person;

- the status of the insured person (working, non-working);

- types, conditions, terms, volumes and cost of medical care provided;

- diagnosis;

- test results;

- phone number;

- other personal data.

4.6. List of personal data of "Aviakassy" ticket office clients processed at the University:

- last name, first name;

- passport data (series, number).

4.7. List of personal data processed at the University of individuals, who have contractual relationship with the University:

- surname, name, patronymic;

- passport data (series, number, when and by whom issued, the issuing unit code);

- address of permanent registration and residence;

- other personal data necessary for drawing up a contract.

5. Actions performed with personal data. Terms of processing personal data

5.1. The University collects, records, systematizes, accumulates, stores, refines (updates, changes), extracts, uses, transfers (distributes, provides, accesses), anonymizes, blocks, deletes, destroys PD.

5.2. Processing term of employees’ PD - during the term of the employment contract and 75 subsequent years after its termination, unless another period of archival storage is established in accordance with the current legislation.

5.3. Processing term of students’ PD - during the term of tuition, and 75 subsequent years after its termination, unless a different period of archival storage is established in accordance with current legislation.

5.4. Processing term of applicants’ PD - in the case of enrollment in Federal Autonomous Educational Institution of Higher Education IKBFU, during the term of study and 75 subsequent years after its termination, unless another period of archival storage is established in accordance with the current legislation; in the case of non-enrollment in Federal Autonomous Educational Institution of Higher Education IKBFU, until the end of the last month of the current year.

5.5. Processing term of patients’ PD - during the term of medical care, and 25 subsequent years after, unless a different period of archival storage is established in accordance with current legislation.

5.6. Processing term of "Aviakassy" ticket office clients’ PD - until the client’s departure, and 5 subsequent years, unless another period of archival storage is established in accordance with current legislation.

5.7. Processing of PD of individuals who have a contractual relationship with the University - during the term of the contract, and 5 subsequent years, unless another period of archival storage is established in accordance with the current legislation.

6. Objectives and principles of PD processing

6.1. The objectives of PD processing at the University are:

· Ensuring compliance with laws and other regulatory legal acts, assisting employees in finding employment, receiving education and promotion, ensuring the personal safety of employees, monitoring the quantity and quality of work performed and ensuring the safety of property;

· The implementation of educational activities in accordance with the objectives stipulated by the University Charter.

6.2. PD processing is carried out on the basis of the following principles:

· PD processing is carried out on a legal and equitable basis;

· PD processing is limited to achieving specific, predetermined and legitimate objectives;

· PD processing that is incompatible with the purposes of collecting PD is not allowed;

· It is not allowed to merge databases containing PD, which are processed for purposes incompatible with each other;

· Only those PDs are processed that meet the purposes of their processing;

· The content and volume of PD processed corresponds to the declared processing objectives;

· During PD processing its accuracy, sufficiency and, if necessary, relevance with regard to PD processing purposes are ensured.

6.3. PD processing is carried out from the moment they are received by the University and is terminated:

· Upon achieving the objectives of PD processing;

· Due to the absence of the need to achieve the previously stated objectives of PD processing;

· Due to the withdrawal of consent to PD processing.

7. Rights and obligations of the subject of personal data

7.1. In accordance with Paragraph 3 Art. 14 of the Federal Law “On Personal Data”, a subject of personal data has the right to receive information regarding the processing of his PD.

7.2. Information regarding the processing of the subject's PD provided to the subject should not contain PD related to other subjects of PD, except in cases where there are legal grounds for disclosing such data.

7.3. The subject of PD has the right to demand from the operator who processes it clarification of this PD, its blocking or destruction if it is incomplete, outdated, inaccurate, illegally obtained or cannot be deemed necessary for the stated purpose of processing, as well as to take measures provided by law to protect their rights.

7.4. The right of a subject of PD to access his PD may be restricted in accordance with federal laws.

8. Confidentiality of personal data

8.1. The University and other persons who have obtained access to the PD are obliged not to disclose it to third parties and not to distribute personal data without the consent of the PD subject, unless otherwise provided by federal law.

9. Receipt and transfer of personal data to third parties

9.1. The University in the course of its activities has the right to receive from third parties and transfer PD to third parties in the interests and with the consent of PD subjects, and also without the consent of the subject of PD - in cases stipulated by federal law.

10. Publicly accessible sources of personal data

10.1. In order to provide information to the University, publicly accessible sources of personal data of PD subjects - employees of the University - can be created, including data books and address books. The publicly available sources of personal data may include personal data of the employee with the written consent of the PD subject.

10.2. Information on the PD subject must at any time be excluded from publicly available sources of personal data upon the PD subject's request, or by the authorized body for the protection of the rights of PD subjects, or by a court.

11. Delegation of personal data processing to another person

11.1. The university has the right to entrust the processing of PD to another person on the basis of a contract concluded with it, only with the consent of the PD subject, unless otherwise provided by Federal law. A person who processes personal data on behalf of the University is obliged to comply with the principles and rules for the processing of PD provided for by the Federal Law “On Personal Data” and this Policy.

12. Rights and obligations of the University employees authorized to process PD

12.1. Employees authorized for PD processing are required to:

- know and comply with the requirements of legislation in the field of PD protection;

- keep PD confidential and report violations of the procedure for PD processing and attempts of unauthorized access to PD;

- comply with the rules for the use of PD and the order of its accounting and storage, and exclude access to it by unauthorized persons;

- process only PD accessed due to the official duties performance.

12.2. When processing PD, employees are prohibited from:

- using information containing PD for non-official purposes, as well as for official purposes - when negotiating over the telephone network, in open correspondence, articles and speeches;

- transmitting PD via unprotected communication channels (teletype, fax communication, e-mail) without using certified means of cryptographic protection of information.

12.3. Employees authorized to process PD are entitled to:

- provide PD to third parties with the consent of the subject of PD, as well as in other cases stipulated by current legislation;

- reasonably refuse to satisfy the request of the PD subject (or their representative) for information concerning the processing of the subject's PD, if there are grounds stipulated by the legislation of the Russian Federation.

13. Measures to protect PD

13.1. When processing PD, the University takes all the necessary legal, organizational and technical measures to protect it from unauthorized or accidental access, destruction, alteration, blocking, copying, provision, distribution, as well as from other illegal actions.

13.2. The safety of PD is provided, in particular, in the following ways:

13.2.1. Appointment of a person responsible for the organization of PD processing.

13.2.2. Internal control and audit of the compliance of PD processing with Federal Law of July 27, 2006 No. 152-ФЗ "On Personal Data" and regulatory legal acts adopted in accordance with it, as well as with the requirements for the protection of PD and local acts.

13.2.3. Acquaintance of the University employees directly involved in the processing of PD with the provisions of the Russian Federation legislation on PD, as well as with the requirements for the protection of PD and local acts regarding the processing of PD.

13.2.4. Definition of threats to the safety of personal data when processed in the PD information system.

13.2.5. The use of organizational and technical measures to ensure the safety of PD when it is processed in the PD information system, as necessary to meet the requirements for PD protection.

13.2.6. PD carriers listing.

13.2.7. Identification of unauthorized access to PD and the adoption of appropriate measures.

13.2.8. Recovery of PD modified or erased due to unauthorized access to it.

13.2.9. Establishment of rules for access to PD processed in the PD information system, as well as ensuring that all actions performed with PD are recorded in the PD information system.

13.2.10. Control of measures taken to ensure the safety of PD and the level of PD information system security.

13.2.11. Application of information security measures that have passed the conformity assessment procedure in the prescribed manner.

14. Control and supervision of PD processing

14.1. The duties of officials responsible for monitoring the processing and protection of PD, as well as their responsibility, are defined in the Instruction of the person responsible for organizing the PD processing and in the Instruction of the Information Security Administrator of PD information systems.

14.2. The person responsible for organizing the PD processing and the Information Security Administrator of PD information systems are appointed by order of the Rector from among those authorized to process the PD.

14.3. The authorized body for the protection of the rights of PD subjects, which is charged with ensuring the control and supervision of the compliance of PD processing with the requirements of the Federal Law No. 152-ФЗ dated July 27, 2006 “On Personal Data”, is the federal executive body that performs the functions of monitoring and supervision in the field of communications, information technology and mass communications (Roskomnadzor).

14.4. The authorized body for the protection of the rights of the PD subjects examines the appeals of the PD subject on the compliance of the PD content and the ways of its processing with the purposes of processing and makes the appropriate decision.

14.5. Roskomnadzor Department in the Kaliningrad region:

Address: 236000, Kaliningrad, 4 Communal’naya str.

Tel.: (4012) 45-15-50

Fax: (4012) 93-00-82

E-mail: rsockanc39@rsoc.ru

Website: http://39.rsoc.ru/

14.6. University employees authorized to process PD who are guilty of violating the requirements of legislation on PD protection, including those who allowed the disclosure of PD, bear personal civil, criminal, administrative, disciplinary and other liability provided by the legislation.

15. University information

Name: Federal State Autonomous Institution of Higher Education "Immanuel Kant Baltic Federal University".

Legal address (location address): 236016, Kaliningrad, 14 A. Nevskogo str.

16. Final provisions

16.1. This Policy is approved by the Rector's order.

16.2. This Policy is mandatory for awareness and observance by all University staff engaged in PD processing.

16.3. Policy duration - unlimited.

16.4. In pursuance of Article 18.1, Part 2 Federal Law of July 27, 2006 No. 152-ФЗ “On Personal Data” this Policy is published on the University website.

16.5. The University has the right to introduce amendments to this Policy. When amendments to the Policy are introduced, the date of the last version of the document is to be indicated. The new version of the Policy comes into force from the moment of its posting on the website, unless otherwise provided by the new version of the Policy.

16.6. Other local regulations of the University governing PD protection and processing should be issued in accordance with this Policy and legislation in the field of personal data.

16.7. Monitoring of compliance with the Policy is carried out by the Rector of the University.
