Is it possible to keep copies of an employee’s documents (for example, a passport) in his personal file?

About managing personal affairs

The employer is obliged to maintain personal files of employees if this is expressly prescribed by regulations. For example, such a requirement is established for executive authorities. Those companies that are not subject to such acts have no obligation to maintain personal files of employees. However, sometimes employers begin to form them on their own initiative. In this case, they themselves draw up a list of documents that need to be included in their personal file. But it is important to comply with the law on the confidentiality of personal data.

So, for one reason or another, the company decided to create personal files for employees. First of all, you need to draw up a local regulatory act that will define important points and rules. This could be a standard or a position. It is advisable to reflect all the rules for registering personal files and the composition of documents.

The main rule: you should not collect unnecessary information about an employee in reserve - only what is really important. Otherwise, the principles of working with personal data will be violated.

What kind of fraud can happen with a copy of a passport?

As a rule, there are three scenarios for the development of events if passport data falls into the wrong hands:

Loans and microloans

Neither banking organizations nor self-respecting microfinance organizations will ever issue a loan using a copy of a passport, but some collectors can issue a loan via the Internet only using passport data.

In any case, it will be a small amount, up to 30,000 rubles, plus interest (usually 365% per annum).

Taking into account the amendments made by Federal Law No. 554-FZ dated December 27, 2018 to the Federal Law “On Consumer Credit (Loan)”, the maximum amount of penalties and fines accrued from above on microloans from July 1, 2019 should not exceed twice the loan amount, and from January 1, 2020 - one and a half times.

Despite the relatively small loan amount and interest, paying off someone else’s loan will be at least unpleasant for anyone. Not to mention the fact that there may be several loans in different microfinance organizations.

For more information about methods of online fraud for the purpose of concluding fictitious credit agreements or microloans, please follow the link.

2. Property transactions

Passport data can be used to forge any kind of legally significant documents.

The only question is the fraudster's imagination.

You may not be aware that you are the owner of several villas in Spain that were fraudulently registered and sold in exactly the same way in your name.

And it’s up to you to solve the problems. In this case, not only you will suffer, but also the unfortunate buyer, misled by the same scammer.

For example, on July 3, 2021, the Tushinsky District Court of Moscow considered civil case No. 2-2424/2018. Citizen Pchelin D.V. was the owner of the apartment, rented it out until he found out that the apartment had been sold.

Someone with a passport D.V. Pchelin entered into a purchase and sale agreement for an apartment on his behalf with E.V. Ostroukhova. in the presence of a notary, in whom the transaction did not raise any doubts. Pchelin himself learned about the deal only a month later, when, having not received the next rent payment, he came to check the apartment. A forensic examination confirmed that the signature in the purchase and sale agreement was not made by Pchelin, as a result of which the court, citing Pchelin’s lack of will to alienate the apartment, invalidated the purchase and sale agreement and applied the consequences of invalidity of the transaction. Citizen Ostroukhova E.V. I was left without an apartment and without money.

3. Registration of a legal entity or individual entrepreneur

According to Art. 12 of the Federal Law of 08.08.2001 No. 129-FZ “On State Registration of Legal Entities and Individual Entrepreneurs”, to register an individual entrepreneur or legal entity, a copy of the applicant’s identity document is provided to the tax authority. That is, a copy of the passport. As a rule, this copy must be notarized, but not if the application and package of documents are provided personally by the applicant or if the Federal Tax Service has “its own person.”

So, using a fake passport you can easily register an LLC or individual entrepreneur.

What are the risks of registering as an individual entrepreneur or LLC?

Usually debts to pay taxes (for individual entrepreneurs, also debts to the Pension Fund of the Russian Federation and the Social Insurance Fund), debts to other legal entities or individual entrepreneurs under various civil contracts, and even criminal liability if illegal actions are detected in the activities of an LLC or individual entrepreneur.

Most often, shell companies are created to illegally withdraw funds from other organizations. This is called “money laundering,” which also does not bode well for the founder of the company.

Less frequently, but still there are cases where passport data was used for betting and playing for money on the Internet, registering “dead souls” in companies for various frauds, car sharing rentals, online fraud with individuals, purchasing SIM cards, etc. .

Protection of personal information

You can only collect information about an employee that meets the specific purposes for processing personal data . Otherwise, the organization may be fined under Article 13.11 of the Administrative Code in the amount of 30 to 50 thousand rubles . An official will receive a fine in the amount of 5-10 thousand rubles, and a citizen - in the amount of 1-3 thousand rubles.

What is the correct way to deal with employee documents? Let us turn to Article 65 of the Labor Code. It states that documents must be presented by an individual when applying for a job. In other words, the documents must be presented to the employer, after which they are returned to the employee. At the same time, the Labor Code of the Russian Federation does not say that the employer’s specialist has the right to make copies of them.

So, without the employee’s consent, a personnel specialist can only do the following: take the employee’s documents and enter information from them into his personal T-2 card.

In practice, employers often like to collect various information about their employees and store copies of their diplomas, SNILS, and passports. However, all these documents contain personal data of employees, which are protected by law. Collect personal information that serves a legitimate purpose. Moreover, the goal must be quite specific. For example, you cannot store an employee’s personal data in case the prosecutor’s office or the Bailiff Service suddenly requests it. As long as there is no such request, the employer does not need this information. Accordingly, if he collected it in advance and stores it, he thereby violates the law on the protection of personal data.

Important! The processing of a citizen’s personal data is permissible if it is necessary to fulfill an agreement to which he is a party. This is stated in Part 1 of Article 6 of the Law on Personal Data dated July 27, 2006 No. 152-FZ.

How to securely collect and store employee information

Documents that contain personal data of employees, that is, all personnel documents, must be stored in such a way as to protect confidential information. There are several prohibitions from which we will derive rules for storing documents.

Prohibition 1.

Personal data must not be destroyed prematurely. Therefore, you keep HR documents within the specified time frames. A document can be destroyed only after the established storage period has expired and only after an examination of the value of the documents has been carried out.

Prohibition 2.

Personal data must not be disclosed to persons who do not have access to it and have not given an undertaking of non-disclosure. Therefore, you store personnel documents in closed rooms, locked cabinets, safes, and exclude access to them by strangers. All company employees who, due to their official duties, have access to personnel documents, must pledge non-disclosure of information and use it only for official purposes.

Prohibition 3.

Personal data cannot be obtained from third parties without the employee’s consent. Therefore, you store only those personnel documents and their copies that you received from the employee himself or with his written consent.

Employees present documents when applying for a job, send them by mail, and attach them to applications. Accept for storage only those documents that are necessary for labor relations. If you make a copy, it must be certified at the moment you see the original.

To ensure that your personal information is accurate and up-to-date, please always refer to the original. Use a copy of the document only for specified purposes. When you reach your goal, destroy the copy.

Prohibition 4.

Personal data cannot be damaged or lost. Therefore, you create special conditions to ensure the safety of documents for a long time. It is ideal when the company has an equipped archive.

Prohibition 5.

Personal data cannot be stored longer than required for the purposes of their processing. Therefore, you collect only the information that you need for labor relations and store it until you reach the goal, part 5 of Art. 5 of the Personal Data Law.

The most reliable way to avoid accusations from Roskomnadzor is not to keep personal files or get rid of them if you have them.

Another option: collect information about employees, protect it from the attention of strangers, but do not design folders with copies of documents as personal files and do not include them in the nomenclature of files. We are talking specifically about copies of all documents that you collect in one folder for the employee for your convenience.

But if you actually create personal files and try to hide it, the inspector will find out. For example, because it will not find the employee’s documents in other folders, since you filed them in a personal file, or will see the line “Personal files” in the list of files.

If the employee has given consent

It would seem that the problem can be solved simply - you can take a document from the employee stating that he allows the processing of his information. But in reality this is not enough. Even if the employee has agreed, this does not mean that there is a legitimate, specific purpose for processing the data.

Important! Employers need to remember a simple rule: if there is no purpose, then there is no right to keep copies of the employee’s personal documents.

The said law defines the principles for the protection of personal data. The point is this:

  1. There must be specific, pre-determined purposes for which a person's personal data is collected. Once these purposes have been achieved, the processing of his personal data must cease.
  2. Information may not be collected that is inconsistent with the purposes mentioned above.
  3. Only information that corresponds to the specified purposes is subject to processing.
  4. The content and scope of the data processed must correspond to the purpose of the processing.

Consent to the processing of personal data is stated in Article 9 of the law. It must again contain the purpose of processing, as well as a list of actions that can be performed with this data.

Conclusion: you can store copies of employee documents in personnel records only if it is needed for specific purposes.

For example, personal information may be collected for posting on the employer’s website (in the “Our Employees” section) or for issuing a voluntary health insurance policy. An example of a redundant purpose is storing personal data in case of a government request.

About the passport copy

A copy of the passport contains not only the name, date of birth and other information - it can be a source of biometric personal data . In particular, in the photo you can notice the features of a person’s appearance. Such information is protected by law. Accordingly, it is necessary to store copies of employees’ passports, firstly, if there are adequate purposes and, secondly, after obtaining their consent to do so.

What documents can be stored in a personal file with the consent of the employee?

When answering the question of what should be kept in an employee’s personal file in 2021, it is worth mentioning the medical records of employees, which some employers store in the LD.

ARTICLE RECOMMENDED FOR YOU:

Retirement age in Russia from 2021

Indeed, if an employee’s position involves his contact with food, children or, for example, medicines, the employer, according to current legislation, has the right to demand this document. However, its storage becomes possible only after obtaining consent from the employee to process his personal data.

The same rule applies to the following documents:

  • certification sheets;
  • diplomas, certificates and other educational documents;
  • certificates of no criminal record or its presence;
  • documents on advanced training;
  • characteristics from educational institutions, as well as past places of work.

Let us also remind you that employee work books must be stored separately from the rest of the personnel documentation. Most companies use reliable safes for this purpose, to which only HR staff have access.

How to properly manage the personal file of each employee

In any case, every employer must understand that maintaining an employee’s personal file is not a one-time, but a regular activity. After all, over time, the information and documents in the LD will have to be updated. This can only be done by obtaining a written statement of consent from the employee himself and introducing any papers, however, as well as removing them from the file - the personnel officer has no right!


At the same time, the release of the personal file in question can only be carried out by order of the head of the company. The same rule applies to the employee himself for whom the LD is opened. At the same time, each employee has the legal right to familiarize himself with his personal document at any time convenient for him, but to remove it from the personnel officer’s office only with the permission of the employer.

In the event that a third-party organization requests access to the folder, its employees must submit an official request for this, and the transfer of documents will become possible only after receiving the employer’s resolution and drawing up an act in 2 copies.

Let's sum it up

So, if an employer plans to manage the personal affairs of its employees, then simply attaching copies of documents to them is unlawful. To do this it is necessary that:

  • there was a legal basis (legal act or internal document);
  • there was a specific, legitimate and adequate purpose for processing the information;
  • there was a written consent of the employee to the processing of his personal data;
  • the purpose of processing was specified in the consent.

These conclusions are confirmed by judicial practice. In particular, by the decisions of the Fifteenth Arbitration Court of Appeal dated March 14, 2014 No. 15AP-22502/2013 in case No. A53-12557/2013 and the Federal Antimonopoly Service of the North Caucasus District dated April 21, 2014 in case No. A53-13327/2013.

List of documents included in the personal file of employees in 2021

In order not to violate Russian legislation, it is recommended that each employer personally familiarize the personnel officer with the list of papers that should be in each employee’s LD.

ARTICLE RECOMMENDED FOR YOU:

Characteristics from the place of work, sample and design example

This list of documents in 2021 includes such main papers as:

  1. an employment contract signed by the employee, as well as additional agreements accompanying it (if any);
  2. orders to impose penalties or rewards from superiors;
  3. an agreement on the individual financial responsibility of the employee, if his position requires the availability of this document;
  4. a non-disclosure agreement signed by the employee regarding information that is a company secret;
  5. acts of violation of labor discipline;
  6. explanatory and memos;
  7. The order of acceptance to work.

Each additional certificate is filed by the personnel officer in a folder in strictly chronological order, after which he draws up an inventory of documents (this is a mandatory item, failure to comply with which may lead to penalties).

It is worth noting that the documents stored in the employee’s personal file for verification by the labor inspectorate must be supplemented with a signed consent to the processing of his personal data.

About consent to the processing of personal data

Multiple goals in one agreement

A bill has been developed that provides for the combination of several goals in one consent form. As soon as it is accepted, the RKN will adjust its position.

In the meantime, Roskomnadzor believes that it is possible to indicate several purposes in one consent only in some cases. For example, if biometric data, special categories of personal data are processed, in cases where cross-border transfers are carried out to countries that do not provide adequate data protection.

In all other cases of consent, one purpose must be specified in writing.

Obtaining consent to the processing of personal data when concluding a contract

If the processing of personal data is carried out in accordance with the terms of the contract and only for its execution, then consent is not required.

But if the contract includes provisions that are not related to its subject, then such actions must obtain separate consent to the processing of personal data.

For example, a contract for the provision of communication services includes provisions for conducting research or sending out advertising.

If the subject subsequently withdraws his consent for these types of processing, the operator is obliged to terminate it, since it is not the main one in relation to the subject of the contract.

Consent to the processing of personal data of the applicant and close relatives

The Labor Code regulates relations only between employer and employee and does not cover issues of job search. Therefore, the only legal basis for the processing of applicants’ personal data is their consent.

Often, the applicant is asked to fill out forms that provide information about close relatives, but it is very difficult to obtain consent from the relatives themselves. In such cases, it is still recommended to convince the applicant of the need to obtain consent from relatives.

For example, inform about the need to check conflicts of interest.

The processing of personal data of employee relatives has a number of features

Processing of personal data to the extent provided for in unified forms, for example, T-2 cards, does not require consent. But for the processing of personal data that is not contained in standard forms, but is necessary for the employer, consent is required.

Electronic copies of consents to the processing of personal data

It is not prohibited to make scans of written consent forms for processing. But if there are electronic copies, is it possible to destroy the paper original?

Roskomnadzor recommends taking into account the provisions of procedural codes, which stipulate that in the event of a judicial dispute, it is necessary to provide the court with original written evidence. Therefore, when deciding to replace original copies with electronic copies, these risks must be taken into account.

Period of consent to the processing of personal data

According to Roskomnadzor, the period of consent should be limited to a specific period or achievement of the purpose of processing personal data, for example, the execution of a contract.

It is impossible to indicate that consent is given for an unlimited period or to indicate periods that are not provided for by law or are not motivated by anything. For example, it is incorrect to set the consent period to 15, 50 or 70 years.

If it is difficult to determine a specific period, then it is recommended to limit the processing of personal data to the achievement of the processing purpose.

Consent form to receive newsletters from a foreign website

Is it sufficient to obtain consent in electronic form in the form of ticking a check box if the site or its administrator is located outside the Russian Federation?

Roskomnadzor believes that if a site is aimed at Russian citizens, then it is presumed that it complies with the requirements of Russian national legislation - in particular, it complies with the localization rule. Therefore, this form of consent is acceptable.

Agreements for the processing of personal data

Is the cloud service provider an operator?

Of course, the cloud service provider is an operator since personal data is stored on its servers.

When using cloud services, is it necessary to enter into an agency agreement for the processing of personal data?

Yes, because one operator transfers PD to another operator for storage. And this case involves the conclusion of a contract of agency. Additionally, it is necessary to obtain the consent of the subject to the transfer of his personal data under the agency agreement.

Is it possible in the employee’s consent to indicate all third parties to whom PD is transferred under assignment agreements?

It is possible, but only on condition that third parties are involved to achieve a single goal, which is provided for in the text of the consent to the processing of personal data.

For example, for the purposes of personnel records, two organizations are involved. The consent specifies the purpose: maintaining personnel records. In this case, the consent is drawn up correctly.

Should third parties who process personal data under an agency agreement send notifications of processing to Roskomnadzor?

Yes, these persons are operators and are required to provide notifications according to the general rules.

The exception provided for contractual relations does not apply in this case, since the subjects of personal data are not a party to the agency agreement concluded by the operator with a third party.

Is the operator obliged to provide information on the legal basis for the processing of personal data under the agency agreement?

Current legislation does not provide for such an obligation, since only the operator is responsible to the subject, even for the actions of a third party.

Therefore, RKN recommends that this issue be resolved in the contract of assignment for the processing of personal data, if necessary.

Rating
( 2 ratings, average 4.5 out of 5 )
Did you like the article? Share with friends:
For any suggestions regarding the site: [email protected]
Для любых предложений по сайту: [email protected]