Modern requirements for the protection of personal data in medical organizations

The personal data stored in medical organizations can be conditionally divided into two groups.

Personal data of the employee, provided at the time of the conclusion of the employment contract with the employer in accordance with the requirements of the Labor Code of the Russian Federation.

Personal data of the patient, which are provided when concluding a contract for the provision of paid medical services.

Personal information must be securely protected.

People who provide information about themselves in confidence need to know and remember that the information they hand over must be securely protected. This is stipulated in the law of the Russian Federation "On Personal Data" No. 152-FZ. Compliance with the requirements of the law "On Personal Data" No. 152-FZ is mandatory for all organizations.

One of the requirements of this law is the development of a "Regulation on the Protection of Personal Data". Established practice shows that it is desirable for medical organizations to develop two such regulations: one is the "Regulation on the protection of personal data of employees of the medical organization", the other is the "Regulation on the protection of patients' personal data".

The employer is obliged to familiarize the personnel of the medical organization with the developed regulations on the protection of personal data, with each employee signing to confirm this; to establish control over the strict observance of their requirements; to appoint persons responsible for processing the information received; and to take the measures necessary to store and protect personal data.

When processing the personal data of patients, it is necessary to obtain consent to the processing of personal data from each patient or his legal representative (parents, grandfather, grandmother, etc.). Be sure to explain to the patient that his personal data cannot be transferred anywhere without his consent, except in the cases listed in the law "On Personal Data".

Do I need to notify Roskomnadzor?

Let's consider whether a medical organization should notify Roskomnadzor (a special federal service) about itself as an Operator. There is an opinion that notifying Roskomnadzor may bring on its scheduled inspections. This opinion is erroneous.

Also, do not be misled by the reasoning that you need not notify Roskomnadzor about yourself if the personal data received from the employee as a party to the employment contract are processed by the medical organization for the performance of their duties, are entered in the employment contract, the employee's personal card and other personnel documentation, and are not provided anywhere.

Typically, all medical organizations publish information about their employees, with photos, on their websites, and this is a distribution of personal data for which you must obtain the consent of the employee. In addition, in accordance with Art. 79 of the Health Protection Law, all medical organizations are obliged to provide information about health workers in order to inform the public. This information allows a particular health professional to be identified. Therefore, information about the employee on the website of the medical organization is personal data that, in accordance with the requirements of the law "On Personal Data", must be processed and protected, etc., and the medical organization, as the operator of personal data, must notify Roskomnadzor of this.

Remember that the following are provided for violating the requirements of the law "On Personal Data" No. 152-FZ:

- disciplinary responsibility (Labor Code of the Russian Federation);

- administrative responsibility (the Code of the Russian Federation on Administrative Offenses);

- criminal liability (clause 1 of Article 137 of the Criminal Code of the Russian Federation).

The first department of the children's medical center "Markushka".

Copyright © 2018 en.atomiyme.com.