Modern requirements for the protection of personal data in medical organizations

Personal data stored in medical organizations can be broadly divided into two groups.

Personal data of the employee provided at the time of conclusion of the employment contract with the employer in accordance with the requirements of the Labor Code of the Russian Federation.

Personal data of the patient, which are provided upon conclusion of the contract for the provision of paid medical services.

Personal information must be protected.

When providing confidential information about themselves, the subjects of personal data need to know and remember that the information they transmit must be reliably protected. This is prescribed in the Law of the Russian Federation "On Personal Data" No. 152-FZ. Moreover, compliance with the requirements of Law No. 152-FZ on Personal Data is mandatory for all organizations.

One of the requirements of this law is the development of a "Regulation on the protection of personal data". Based on the prevailing practice in medical organizations, it is desirable to develop two such regulations: a "Regulation on the protection of personal data of employees of a medical organization" and a "Regulation on the protection of personal data of patients".

The employer must familiarize the personnel of the medical organization with the developed personal data protection regulations under signature, establish control over the strict fulfillment of their requirements, appoint persons responsible for processing the information received, and take the necessary measures to store and protect personal data.

When processing personal data of patients, it is necessary to obtain consent to the processing of personal data from each patient or his legal representative (parents, grandfather, grandmother, etc.). It is imperative to explain to the patient that his personal data cannot be transferred anywhere without his consent, with the exception of the cases listed in the Law on Personal Data.

Do I need to notify Roskomnadzor?

Consider the question of whether a medical organization needs to notify Roskomnadzor (the federal supervisory service) about itself as an Operator. There is an opinion that, once notified, you may be subjected to scheduled inspections by Roskomnadzor. This opinion is erroneous.

Also, do not be misled by the argument that you need not notify Roskomnadzor about yourself if the personal data received from an employee as a party to an employment contract are processed by the medical organization only to fulfill its obligations, are entered into the employment contract, the employee's personal card and other personnel documentation, and are not provided to anyone else.

As a rule, all medical organizations publish information about their employees, with a photograph, on their website on the Internet, and this constitutes dissemination of personal data, for which the employee's consent must be obtained. Moreover, in accordance with Art. 79 of the Law on Health Protection, all medical organizations are required to provide information about health workers in order to inform the public.

This information allows a particular medical worker to be identified. Consequently, employee information on a medical organization's website constitutes personal data, which, in accordance with the requirements of the law "On Personal Data", must be processed and protected accordingly, and the medical organization, as the operator of personal data, must notify Roskomnadzor before processing it.

Remember that for violation of the requirements of Law No. 152-FZ on Personal Data the following liability is provided for:

- disciplinary liability (Labor Code of the Russian Federation);

- administrative liability (Code of the Russian Federation on Administrative Offenses);

- criminal liability (Clause 1, Article 137 of the Criminal Code of the Russian Federation).

The first department of the Markushka children's medical center.
