Privacy Policy and Data Protection
Consent to the processing of personal data
Hereby, in accordance with Federal Law No. 152-FZ «On Personal Data» dated 07/27/2006, I freely, voluntarily and in my interest express my unconditional consent to the processing of my personal data by the N. I. Pirogov Clinic of High Medical Technologies (hereinafter referred to as the Operator).
Personal data is any information related to an individual identified or determined on the basis of such information. This Consent has been issued by me for the processing of the following personal data:
- Last name, First Name and Patronymic
- Email address
- Mobile phone number
Consent is given to the Operator to perform the following actions with my personal data using automation tools and/or without using such tools: collection, systematization, accumulation, storage, clarification (updating, modification), use, depersonalization, as well as any other actions provided for by the current legislation of the Russian Federation, performed in both non-automated and automated ways.
This consent is given to the Operator to process my personal data for the following purposes:
- providing me with services/works
- sending notifications to my address regarding the services/works provided
- preparing and sending responses to my requests
- sending information to my address, including advertising, about events/services/works of the Operator
This consent is valid until it is revoked by sending a corresponding notification to the email address 6762525@gosmed.ru. If I withdraw my consent to the processing of personal data, the Operator has the right to continue processing personal data without my consent if there are grounds specified in paragraphs 2-11 of part 1 of Article 6, part 2 of Article 10 and part 2 of Article 11 of Federal Law No. 152-FZ «On Personal Data» dated 06/27/2006.
In case of any discrepancies, the Russian version shall prevail.
1. General provisions
1.1. This Regulation on the policy of processing and protection of personal data (hereinafter referred to as the Regulation) is drawn up in accordance with paragraph 2 of Article 18.1 of Federal Law No. 152-FZ dated 07/27/2006 «On Personal Data» and is the fundamental internal regulatory document of the Pirogov Clinic of High Medical Technologies (polyclinics, inpatient) of St. Petersburg State University (hereinafter referred to as the Clinic), which defines the key areas of its activities in the field of personal data (hereinafter referred to as PD) processing and protection, the operator of which is the Clinic.
1.2. The policy was developed in order to implement the requirements of legislation in the field of personal data processing and protection and is aimed at ensuring the protection of human and civil rights and freedoms when processing personal data in the Clinic, including the protection of the rights to privacy, personal, family and medical secrets.
1.3. The Regulation applies to relations for the processing and protection of PD received by the Clinic both before and after the approval of the Regulation, except in cases where, for legal, organizational and other reasons, the Regulation cannot be extended to relations for the processing and protection of PD received before its approval.
1.4. PD processing in the Clinic is carried out in connection with the performance of functions provided for by its constituent documents and defined by:
- Federal Law No. 323-FZ dated 11/21/2011 «On the Basics of Public Health Protection in the Russian Federation»;
- Federal Law No. 152-FZ dated 07/27/2006 «On Personal Data»;
- Resolution of the Government of the Russian Federation No. 687 dated 09/15/2008 «On Approval of the Regulation on the Specifics of Personal Data Processing, carried out without the use of automation tools»;
- Resolution of the Government of the Russian Federation No. 1119 dated 11/01/2012 «On Approval of Requirements for the Protection of Personal Data during their Processing in Personal Data Information Systems»;
- other regulatory legal acts of the Russian Federation.
In addition, PD processing in the Clinic is carried out in the course of employment and other directly related relationships in which the Clinic acts as an employer (Chapter 14 of the Labor Code of the Russian Federation), and in connection with the exercise of its rights and obligations as a legal entity.
1.5. The Clinic has the right to make changes to this Regulation.
1.6. The current version is stored at the location of the Organization at the address: 154 Fontanka River Embankment, St. Petersburg, the electronic version is available on the website at: http://www.gosmed.ru
2. Terms and accepted abbreviations
2.1. Personal data (PD) – any information related directly or indirectly to a specific or identifiable individual (subject of personal data);
2.2. Personal data processing – any action (operation) or a set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
2.3. Operator – a state body, municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) processing personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;
2.4. Dissemination of personal data – actions aimed at disclosing personal data to an indefinite circle of persons;
2.5. Provision of personal data – actions aimed at disclosing personal data to a certain person or a certain circle of persons;
2.6. Blocking of personal data – temporary termination of processing of personal data (except in cases where processing is necessary to clarify personal data);
2.7. Destruction of personal data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material carriers of personal data are destroyed;
2.8. Depersonalization of personal data – actions as a result of which it becomes impossible to determine the identity of personal data to a specific personal data subject without using additional information;
2.9. Automated processing of personal data – processing of personal data using computer technology;
2.10. Personal Data Information System (hereinafter - ISPD) – a set of personal data contained in databases and information technologies and technical means that ensure their processing;
2.11. Patient – an individual who is receiving medical care or who has applied for medical care, regardless of whether he has a disease and his condition;
2.12. Medical activity – professional activity in providing medical care, conducting medical expert examinations, medical check-ups and medical certifications, sanitary and anti-epidemic (preventive) measures, and professional activities related to transplantation (grafting) of organs and (or) tissues and the circulation of donated blood and (or) its components for medical purposes;
2.13. Attending physician is a doctor who is entrusted with the functions of organizing and directly providing medical care to a patient during the period of observation and treatment.
3. Principles of ensuring the security of personal data
3.1. The main task of ensuring the security of personal data during their processing in the Clinic is to prevent unauthorized access to them by third parties and to prevent deliberate software, technical and other influences aimed at stealing, destroying or distorting personal data during processing.
3.2. To ensure the safety of PD, the Clinic is guided by the following principles:
- legality: PD protection is based on the provisions of regulatory legal acts and methodological documents of authorized state bodies in the field of PD processing and protection;
- consistency: PD processing in the Clinic is carried out taking into account all interrelated interacting and time-varying elements, conditions and factors important for understanding and solving the problem of ensuring the safety of PD;
- complexity: PD protection is built using the functionality of information technologies implemented in the information systems of the Clinic and other available systems and means of protection;
- continuity: PD protection is provided at all stages of their processing and in all modes of operation of PD processing systems, including during repair and routine maintenance;
- timeliness: measures to ensure an appropriate level of safety of PD are taken before they are processed;
- succession and continuity of improvement: modernization and enhancement of measures and means of protection of personal data is carried out on the basis of the results of the analysis of the practice of processing personal data in the Organization, taking into account the identification of new ways and means of implementing threats to the security of personal data, and domestic and foreign experience in the field of information protection;
- personal responsibility: responsibility for ensuring the security of personal data is assigned to Employees within their responsibilities related to the processing and protection of personal data;
- minimization of access rights: access to personal data is provided to employees only to the extent necessary for the performance of their official duties;
- flexibility: ensuring the performance of PD protection functions when changing the characteristics of the functioning of the Clinic's personal data information systems, as well as the volume and composition of PD processed;
- specialization and professionalism: the implementation of measures to ensure the safety of PD is carried out by employees who have the qualifications and experience necessary for this;
- the effectiveness of personnel selection procedures: the personnel policy of the Clinic provides for careful recruitment and motivation of employees, allowing to exclude or minimize the possibility of their violating the safety of PD;
- observability and transparency: measures to ensure the safety of PD should be planned so that the results of their application are clearly observable (transparent) and can be evaluated by persons exercising control;
- continuity of control and assessment: procedures for continuous monitoring of the use of PD processing and protection systems are established, and the results of monitoring are regularly analyzed.
3.3. The Clinic does not process PD that is incompatible with the purposes of their collection. Unless otherwise provided by federal law, upon completion of PD processing, including upon achievement of the goals of their processing or the loss of the need to achieve these goals, the PD processed by the Clinic will be destroyed or depersonalized.
3.4. When processing PD, their accuracy, sufficiency, and, if necessary, relevance in relation to the purposes of processing are ensured. The Clinic takes the necessary measures to remove or clarify incomplete or inaccurate PD.
4. Processing of personal data
4.1. Receipt of PD
4.1.1. All PD should be received from the subject himself. If the PD of the subject can only be obtained from a third party, then the subject must be notified of this or consent must be obtained from him.
4.1.2. The operator must inform the subject about the purposes, intended sources and methods of obtaining PD, the nature of the PD to be received, the list of actions with PD, the period during which the consent is valid and the procedure for its withdrawal, as well as the consequences of the subject's refusal to give written consent to receive them.
4.1.3. Documents containing PD are created by:
- a) copying the original documents (passport, education document, TIN certificate, pension certificate, etc.);
- b) entering information into accounting forms;
- c) obtaining the originals of the necessary documents (work record, medical report, characteristics, etc.).
The procedure for the PD subject's access to his PD processed by the Organization is determined in accordance with the legislation and by the internal regulatory documents of the Organization.
4.2. PD processing
4.2.1. The processing of personal data is carried out:
- with the consent of the personal data subject to the processing of his personal data;
- in cases where the processing of personal data is necessary for the exercise and fulfillment of functions, powers and duties assigned by the legislation of the Russian Federation;
- in cases where the personal data being processed is data to which the personal data subject has provided access for an unlimited number of persons, or at his request (hereinafter – personal data made publicly available by the subject of personal data).
Employees' access to the processed PD is carried out in accordance with their official duties and the requirements of the Clinic's internal regulatory documents.
Employees who are allowed to process PD are familiarized with the organization's documents establishing the procedure for processing PD, including documents establishing the rights and obligations of specific employees.
The clinic eliminates the identified violations of the legislation on the processing and protection of personal data.
4.3. Filling out the form of informed voluntary consent to the processing of personal data.
4.3.1. The patient can leave three types of personal data in the Clinic:
- personal data – permanent residence address, contact phone number, passport data;
- special health data (of the personal data subject, the patient) – all information related to health and the scope of treatment provided, including information about the very fact of contacting a medical organization; this is the data that is entered into the medical record;
- biometric data (of the personal data subject, the patient) – any information about the physiological and biological characteristics of a person on the basis of which it is possible to establish his identity (dental casts, X-rays, photographs, etc.).
4.3.2. At the first visit to the Clinic and each time during hospitalization, the patient is asked to fill out a form of informed voluntary consent to the processing of personal data. During subsequent visits to the Clinic, information about personal data (or changes to it) may be clarified by the registry staff.
4.3.3. The information obtained is accumulated in a single computer database of the Clinic, stored and used by medical personnel in the provision of medical services.
The refusal of the patient to give written consent to the processing of his personal data is not a reason for not providing him with medical services at the Clinic.
4.4. The purposes of PD processing:
- ensuring the organization of medical care to the population, as well as the most complete fulfillment of obligations and competencies in accordance with Federal Laws dated 11/21/2011 No. 323-FZ «On the Basics of Protecting the Health of Citizens of the Russian Federation», dated 04/12/2010 No. 61-FZ «On the Circulation of Medicinal Products» and dated 11/29/2010 No. 326-FZ «On Compulsory Medical Insurance of Citizens in the Russian Federation», and the Rules for the Provision of Paid Medical Services by Medical Organizations, approved by Decree of the Government of the Russian Federation No. 1006 dated 10/04/2012;
- implementation of labor relations;
- implementation of civil law relations.
4.5. Categories of personal data subjects
The Clinic processes personal data of the following subjects:
- individuals who are in an employment relationship with the institution;
- individuals who are close relatives of employees of the institution;
- individuals who have resigned from the institution;
- individuals who are candidates for employment;
- individuals who are in civil law relations with the institution;
- individuals who have applied to the institution for medical care.
4.6. PD processed by the Clinic:
- data obtained during the implementation of labor relations;
- data obtained for the selection of candidates for work in the organization;
- data obtained during the implementation of civil law relations;
- data obtained when providing medical care.
4.7. Personal data is processed:
- using automation tools.
- without using automation tools.
4.8. Storage of personal data
4.8.1. PD of subjects can be obtained, further processed and transferred to storage both on paper and in electronic form.
4.8.2. Personal data recorded on paper are stored in lockable cabinets or in lockable rooms with limited access rights (registry).
4.8.3. Personal data of subjects processed using automation tools for different purposes are stored in different folders (tabs).
4.8.4. It is not allowed to store or place documents containing PD in open electronic catalogs (file sharing services) in ISPD.
4.8.5. The storage of PD in a form that allows to identify the subject of PD is carried out no longer than the purposes of their processing require, and they are subject to destruction upon achievement of the processing goals or in case of loss of the need to achieve them.
4.9. Destruction of PD
4.9.1. Destruction of documents (media) containing PD is carried out by burning, crushing (grinding), chemical decomposition, or transformation into a shapeless mass or powder. A shredder may be used to destroy paper documents.
4.9.2. PD on electronic media are destroyed by erasing or formatting the media.
4.9.3. The destruction is carried out by the commission. The fact of the destruction of PD is documented by the act of destruction of media signed by the members of the commission.
4.10. Transfer of PD
4.10.1. The clinic transfers PD to third parties in the following cases:
- the subject has expressed his consent to such actions;
- the transfer is provided for by Russian or other applicable legislation within the framework of the procedure established by law.
4.10.2. List of persons to whom the PD is transmitted:
- The Pension Fund of the Russian Federation for accounting (legally);
- Tax authorities of the Russian Federation (legally);
- Social Insurance Fund (legally);
- Territorial Fund of compulsory medical insurance (legally);
- insurance medical organizations for compulsory and voluntary medical insurance (legally);
- payroll banks (based on the contract);
- judicial and law enforcement agencies in cases established by law;
- credit bureaus (with the consent of the subject);
- law firms operating within the framework of the legislation of the Russian Federation, in case of non-fulfillment of obligations under the loan agreement (with the consent of the subject).
5. Personal data protection
5.1. In accordance with the requirements of the Clinic's regulatory documents, a personal data protection system (hereinafter referred to as NWPD) has been created, consisting of subsystems of legal, organizational and technical protection.
5.2. The subsystem of legal protection is a set of legal, organizational, administrative and regulatory documents that ensure the creation, operation and improvement of the NWPD.
5.3. The subsystem of organizational protection includes the organization of the management structure of the NWPD, the licensing system, information protection when working with employees, partners and third parties, information protection in the open press, publishing and advertising activities, analytical work.
5.4. The subsystem of technical protection includes a complex of technical, software, software and hardware tools that ensure the protection of personal data.
5.5. The main PD protection measures used by the Clinic are:
5.5.1. The appointment of a person responsible for the processing of PD, who organizes the processing of PD, training and instruction, internal control over compliance by the institution and its employees with the requirements for the protection of PD;
5.5.2. Identification of current threats to the safety of PD during their processing in the ISPD, and the development of measures and means to protect PD;
5.5.3. Development of a policy regarding the processing of personal data;
5.5.4. Establishment of rules for access to PD processed in ISPD, as well as ensuring registration and accounting of all actions performed with PD in ISPD;
5.5.5. Establishment of individual passwords for employees' access to the information system in accordance with their work responsibilities;
5.5.6. The use of information security tools that have passed the compliance assessment procedure in accordance with the established procedure, accounting for PD machine media, ensuring their safety;
5.5.7. Certified antivirus software with regularly updated databases;
5.5.8. Certified software tool for protecting information from unauthorized access;
5.5.9. Certified firewall and intrusion detection tool;
5.5.10. Compliance with the conditions ensuring the safety of personal data and excluding unauthorized access to them, and assessment of the effectiveness of measures taken and implemented to ensure the safety of personal data;
5.5.11. Establishment of rules for access to processed personal data, ensuring registration and accounting of actions performed with personal data, as well as detection of unauthorized access to personal data and taking measures;
5.5.12. Restoration of PD modified or destroyed due to unauthorized access to them;
5.5.13. Training of Clinic employees directly involved in the processing of personal data in the provisions of the legislation of the Russian Federation on personal data, including requirements for the protection of personal data, documents defining the Organization's policy regarding the processing of personal data, and local acts on the processing of personal data;
5.5.14. Internal control and audit.
6. The basic rights of the PD subject and the duties of the Clinic
6.1. Basic rights of a PD subject
The PD subject has the right to receive information regarding the processing of his personal data, including information containing:
- confirmation of the fact of personal data processing by the operator;
- legal grounds and purposes of personal data processing;
- purposes and methods of personal data processing used by the operator;
- name and location of the operator, information about persons (except for the operator's employees), who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the operator or on the basis of federal law;
- processed personal data related to the relevant personal data subject, the source of their receipt, unless another procedure for submitting such data is provided for by federal law;
- the terms of processing personal data, including the terms of their storage;
- the procedure for the exercise of rights by the subject of personal data, provided for by Federal Law No. 152-FZ dated 07/27/2006 «On Personal data»;
- information about the performed or proposed cross-border data transfer;
- the name or surname, first name, patronymic and address of the person processing personal data on behalf of the operator, if the processing has been entrusted or will be entrusted to such a person;
- other information provided for by this Federal Law or other federal laws.
The PD subject has the right to require the operator to clarify his personal data, block or destroy them if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, and to take measures provided for by law to protect his rights.
6.2. Responsibilities of the Clinic
The clinic is obliged to:
- when collecting PD, provide the subject with information about the processing of his PD;
- in cases where PD was not received from the PD subject, notify the subject;
- if the subject refuses to provide PD, explain the consequences of such refusal to the subject;
- publish or otherwise provide unrestricted access to the document defining its policy regarding the processing of PD, to information about the implemented requirements for the protection of PD;
- take the necessary legal measures, organizational and technical measures or ensure their adoption to protect PD from unlawful or accidental access to them, destruction, modification, blocking, copying, provision, distribution of PD, as well as from other illegal actions in relation to PD;
- provide answers to requests and appeals from PD subjects, their representatives and the authorized body for the protection of the rights of PD subjects.