Regulations on Personal Data Processing at National Research University Higher School of Economics
1. General Provisions
1.1. Personal data processing at National Research University Higher School of Economics (hereafter, the “University”, or “HSE”) is organized in order to ensure personal human and civil rights, pursuant to the requirements of Russian legislation.
1.2. Personal data processing at the University shall be organized in strict compliance with these Regulations, which must be observed by all HSE staff.
1.3. These Regulations are aimed at ensuring protection of personal human and civil rights in the course of personal data processing, with respect to privacy policies, personal and family confidentiality, as well as setting forth the University’s policies as the personal data operator. Furthermore, these Regulations set forth relations between HSE and citizens arising as a result of personal data processing on the part of the University.
1.4. HSE hereby undertakes legal, organizational and technical measures required for ensuring the application of Russian legislation on personal data protection and/or ensures the adoption of such measures.
1.5. These Regulations may be amended without prior notification of the personal data subjects and other persons. The current version of the Regulations may be viewed on HSE’s corporate website (portal) at https://www.hse.ru/data_protection_regulation.
1.6. These Regulations and amendments thereto shall be approved by a directive issued by HSE’s Rector.
2. Terms and Definitions
2.1. The terms and definitions used in these Regulations are presented as per Federal Law No. 152-FZ, dated July 27, 2006 (hereafter, the “Federal Law On Personal Data”) and other bylaws of the Russian Federation, as follows:
2.1.1. Personal data (hereafter, “PD”) includes information, directly or indirectly relating to any particular individual (hereinafter, a “PD Subject”).
PD and related categories thereof may differ in terms of a given PD Subject’s identification and identifiability, as well as depend on whether or not a particular person or citizen (PD Subject) can be identified on the basis of relevant PD.
Any data that does not feature information on personal identity, or does not make it possible to identify persons by use of special procedures, shall not be considered PD. Thus, such information may be processed regardless of Russian legislation on PD processing. Such data can include such common information as gender, age, official position, profession, hobby, etc., as well as information generally available through the Internet, until such data may allow the identification of a person or citizen;
2.1.2. PD Subjects are identifiable individuals. Such persons may include HSE staff, applicants, students and alumni, participants in HSE Olympiads, and other events hosted by the University, as well as other persons;
2.1.3. An employee is an individual working at the University;
2.1.4. A student is an individual studying under an HSE educational programme. In the context of these Regulations, students may also refer to individual learners who acquire knowledge, skills and competencies, or satisfy their educational needs in intellectual, spiritual, physical and/or professional personal growth, as well as applicants;
2.1.5. Graduates are individuals who have completed their studies in a specific HSE educational programme;
2.1.6. Personal data processing (hereafter, “PD processing”) involves any activity (operation) or a combination of activities (operations), performed manually or relying on automated means for PD processing, including collection, recording, systematization, accumulation, storage, specification (renewal, change), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of PD;
2.1.7. An operator is a body of the government or municipal authorities, a legal entity or an individual, acting individually or jointly with other persons, who organize and/or engage in PD processing, as well as determine the purposes of such processing activities, the composition of PD that is subject to processing and actions (operations) performed. In the context of these Regulations, HSE is regarded as the operator;
2.1.8. Legislation on PD is specified in the Constitution of the Russian Federation and Federal Law No. 152-FZ “On Personal Data”, dated July 27, 2006, as well as other bylaws and regulations on PD processing.
3. Terms and Conditions on PD Processing
3.1. After receiving PD from staff, students and other persons specified herein, and accepting this information for storage, HSE shall thereby be deemed an operator. The University shall process PD in line with the principles, terms and conditions stipulated in legislation on PD in regards to the following cases:
3.1.1. PD processing shall be performed upon the consent of a given PD Subject. The processing of special categories of PD with respect to one’s race or nationality, political views, religious or philosophical convictions, health, sexual relations, and biometric PD, if the processing of such PD does not come into contradiction with HSE’s bylaws, as well as making any PD available to public and/or disclosing staff-related PD to any third parties, shall be implemented on the basis of the PD Subject’s consent, provided either in writing or by an e-mail certified with a valid electronic signature.
Such cases include, in particular, the processing of PD relating to:
- candidates to open vacancies, as required for reaching final decisions on their candidacies, including references from previous employers, ensuring the due level of security on HSE premises; accumulating and using databases with information on applicants;
- HSE staff, in order to ensure information support for the University’s operations: including the maintenance of online reference books and address books, including the “Information for Faculty and Staff” page («Преподаватели и сотрудники») on HSE’s corporate website (portal), the “Telephone Directory” («Телефонный справочник») corporate information system, as well as other open PD sources; producing and placing information plates; printing and distributing business cards; acceptance, registration and execution of applications and inquiries, as well as other kinds of applications submitted by PD Subjects; issuing mandatory and private health insurance policies; ensuring necessary security at HSE, including applicable access control, video monitoring and recording on the University’s premises; personal identification of HSE staff; holding events at the University and providing relevant information, including video recordings of events; enabling HSE to enter into agreements with issuers of bank cards used for salary payments; enabling HSE to engage third party service providers for the maintenance of staff-related, accounting and tax records; providing information on events at the University, research projects, and related deliverables; promotion of HSE’s products, works and services (e.g., through directly contacting PD Subjects); ensuring legal protection of intellectual property; completing R&D assignments and rendering services by order of third parties and in the framework of state assignments; engaging in expert and analytical activities; for statistical and other research purposes, as well as HSE’s research and creative activities;
- former HSE staff, in order to maintain consistent staff records: providing information on HSE events, research projects and respective deliverables; issuing certificates to staff, including confirmations of their terms of service and salaries; marketing promotion of HSE’s products, works and services (e.g., through directly contacting PD Subjects);
- participants in academic, educational or research events hosted by and/or involving HSE, in order to register the total number of participants and analyze their professional interests: ensuring necessary security at HSE, including applicable access control, video monitoring and recording on the University’s premises; providing information on events at HSE, research projects and related deliverables; marketing promotion of HSE’s products, works and services (e.g., through directly contacting PD Subjects);
- HSE students, in order to identify and enhance their talents and abilities: shape effective educational trajectories and introduce practice-oriented components into educational processes, in order to boost the quality of education and facilitate the successful employment of students upon their graduation; making online education opportunities available, in particular, on the basis of the Learning Management System (LMS) and other HSE platforms, including transfer of relevant PD to third parties; taking attendance and academic performance records, as well as establishing the reasons for any negative effect thereon; publishing information on student internships, interim (term) and final examination papers (theses), as well as the texts of such papers, the results of ongoing assessments, interim and final certification on HSE’s corporate website (portal), in order to ensure the transparency of the assessment process; ensuring student involvement in the preparation of papers, including R&D papers, as well as the provision of services on the part of third parties and in the framework of fulfilling government assignments; facilitating student employment upon graduation, including the transfer of related PD to third parties; cultivating a student community with the aim of boosting interest in cross-disciplinary integration; providing information on events at the University, research projects and related deliverables; marketing promotion of HSE’s products, works and services (e.g., through directly contacting PD Subjects);
- HSE graduates, with the aim of facilitating their employment, including transfer of relevant PD to third parties; establishing a student community, including the aim of organizing cooperation with students (coaching) and motivating students; providing information on events at HSE, research projects and related deliverables; marketing promotion of the University’s products, works and services (e.g., through directly contacting PD Subjects);
- managers and other authorized representatives of legal entities, including (potential) counterparties under contracts and agreements (hereafter, jointly referred to as “agreements”), with the aim of making preparations for the conclusion and execution of such agreements and maintenance of related records.
3.1.2. HSE shall perform PD processing acting as an operator, pursuant to Russian legislation, with respect to the requirements of the following respective regulations, including:
- labour legislation (including labour safety laws), including the Russian Labour Code, other federal laws and respective legislation of the constituent bodies of the Russian Federation, relating to labour regulations;
- rules for maintaining a register of concluded procurement agreements, pursuant to Directive of the Russian Government No. 1132, dated October 31, 2014;
- the Procedure for Student Competitions, as approved by Directive of the Ministry of Education and Science of the Russian Federation No. 267, dated April 04, 2014;
- admission procedures for enrolment to degree programmes at the Bachelor’s, Specialist, and Master’s level, as approved by Directive of the Ministry of Education and Science of the Russian Federation No. 1147, dated October 14, 2015;
- other bylaws of the Russian Federation.
Such cases can also include processing PD provided by HSE staff, students, applicants and participants of academic competitions, as well as individuals considered as HSE counterparties.
3.1.3. PD processing shall be required for executing agreements to which a PD Subject is a party, or a beneficiary, or a guarantor, including in cases whereby the operator exercises its right to assign rights (claims) under an agreement, as well as for concluding agreements upon the PD Subject’s initiative, and/or agreements to which the PD Subject is a party, or a beneficiary, or a guarantor.
Such cases include the processing of the PD of students studying on fee-paying places under paid educational services agreements, including students taking part in continuing professional development programmes and other HSE clients, as well as individuals acting as counterparties of HSE. Such cases may also include processing performed by HSE on the basis of consent for processing PD provided in regards to the conclusion of such agreements.
3.1.4. PD processing is required in the context of research, literary and any other creative activities, provided that the rights and legal interests of the PD Subject are properly observed;
3.1.5. PD processing is performed for statistical and other research-related purposes, provided that this information must be subject to depersonalization;
3.1.6. PD processing is performed with respect to information, which is publicly available upon consent and/or as per the request of the PD Subject (including PD made publicly available in general).
3.2. The aforementioned data of PD Subjects, groups of PD Subjects and other PD shall be processed as per the requirements for relevant consent for PD processing, including consent provided through employment and independent contractor agreements, and/or official regulations, and/or HSE’s respective bylaws, as well as related regulations and bylaws, or within a given established timeframe. These include, but are not limited to, general terms and conditions for PD processing. Consent for PD processing provided by PD Subjects may be amended with respect to the given purpose, size, methods and deadlines of PD processing.
3.3. PD of other persons shall be processed upon their consent provided in the course of their cooperation/legal relations with HSE. Unless otherwise specified within these Regulations, relevant agreements and/or consent for PD processing provided by PD Subjects, HSE shall exclusively use such information for intended purposes, including answering questions, as well as making certain information and knowledge available.
3.4. Prior to processing PD, relevant HSE staff must make sure that such PD processing is lawful, that the University has respective authorities, and/or related consents have been provided by PD subjects. In case these authorities and/or consent are not available, HSE staff must obtain the PD Subject’s consent for PD processing. The following steps can be undertaken for these purposes:
- requests for a PD Subject’s consent for PD processing may be presented in different online registration forms, messages sent via e-mail and through phone calls, with confirmation provided by the PD Subject in any form, including his/her subsequent personal confirmation;
- a recommended format for written consent is available on HSE’s corporate website (portal) at www.legal.hse.ru/rndip/information_sharing.
3.5. The list of HSE staff involved in PD processing includes:
- President, Vice President, Academic Supervisor;
- First Vice Rectors and Vice Rectors directly reporting to the Rector;
- Vice Rectors directly reporting to First Vice Rectors, senior directors and directors for specific directions;
- HSE Rector’s Office staff;
- Chief Accountant;
- Human Resources Office staff;
- Accounting Office staff;
- Planning and Finance Office staff;
- Legal Support Office staff;
- Visa and Registration Unit staff within the Office of Internationalization;
- Administration and General Services Office staff;
- staff of the Online Media Unit and the Office for Development and Support of HSE Website (portal) Information Systems within the Office of Public Relations and Online Media;
- Admissions Office staff and staff of the Office for Continuing Education - with respect to PD provided by applicants;
- respective staff of the HSE Office of Degree Programmes, Office for Occupational and Gifted Student Guidance, Office for Continuing Education - with respect to PD submitted by students;
- Security Office staff;
- staff of the IT Office and Office for Information Technologies Development.
HSE’s Rector, First Vice Rectors, Vice Rectors, directors and senior directors can delegate part of their authorities to HSE staff, as per the University’s bylaws, and appoint other persons who are directly involved in PD processing in the framework of their employment role.
3.6. If necessary consent for PD processing is unavailable, or there are sufficient grounds to believe that PD processing may result in the violation of the rights of the PD Subject(s), HSE staff shall inform the HSE Office of Human Resources (by sending a letter in hard copy, or by corporate email, or by fax) (in regards to the PD of HSE staff), heads of respective subdivisions implementing degree programmes (in regards to PD of students), and/or the Legal Support Office (in regards to PD of other PD Subjects), in order to select an approach to PD processing, or thereby decide that such PD is not subject to processing.
Heads of HSE subdivisions engaged in PD processing shall take all necessary measures in order to make sure that PD processing is organized in compliance with legislation, including obtaining relevant consent for PD processing, and, if necessary, develop bylaws to regulate terms and conditions of PD processing, with respect to relevant PD Subjects.
3.7. Unless otherwise provided, as per submission of their PD to the University, the PD Subject thereby shall agree to the terms and conditions of these Regulations, and, in their free will and interest, shall control their PD, understand consequences of their PD disclosure and provide their consent to related PD processing for relevant purposes, as well as for the purposes of HSE compliance with official regulations and bylaws of the Russian Federation; execution of decisions, orders and inquiries of government authorities, which are deemed as HSE’s founders, as well as other state authorities and related officials; providing information on events organized by HSE, research projects, and related deliverables; marketing promotion of HSE products, works and services, including through directly contacting PD Subjects; implementing HSE activities as per the University’s Charter; as well as accumulating information on persons and entities acting as HSE counterparties, through such activities as gathering, recording, systematization, accumulation, storage, clarification (renewal, change), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and destruction, performed both manually and via automated means. The overall volume of PD processed in such situations shall be limited to data provided by PD Subjects. Also, the period for PD processing shall come to 5 (five) years after submission.
Despite a wide range of operations that may be performed with PD upon consent, HSE shall only carry out PD processing for pre-determined legal purposes.
HSE must refrain from selling or making PD available in any form. In turn, PD shall be processed at the University only for the aforementioned purposes upon consent provided by PD Subjects. In any other cases, the use of PD is prohibited.
4. Access to PD
4.1. Access to processed PD at HSE shall only be granted to persons designated and/or specified in these Regulations, as well as persons who are duly authorized by these Regulations and PD Subjects themselves.
4.2. Other HSE staff may acquire PD access in order to read and prepare methodological, analytical, consolidated reports and other materials on any matters relating to the competence of such persons and HSE’s relevant subdivisions. Other staff of the University may be granted PD access only on the condition that such persons undertake to observe effective confidentiality with respect to such information.
4.3. Access to PD maintained in HSE’s electronic databases and information systems shall be granted following a decision of the Senior IT Director or an official authorized to act on behalf of the Senior IT Director. Such decisions shall be made, giving due consideration to a whole range of factors, in order to avert any violation of legislation on PD processing (e.g., unauthorized access to PD and distribution of such information, etc.).
4.4. Persons liable for violations of PD processing rules shall bear responsibility as per Russian legislation. Disciplinary measures may be applied to HSE staff who are liable for violations of PD processing rules.
5. Special Aspects of Staff PD Protection
5.1. PD protection refers to the implementation of legal, organizational and technical measures focused on:
- ensuring PD protection from unauthorized access, destruction, modification, blocking, copying, provision and distribution, as well as other illegal operations with PD;
- PD confidentiality;
- providing rights for access to PD.
5.2. HSE shall ensure the efficiency of its PD security system, including such activities as organizational and/or technical measures, determined with due consideration of actual security risks to PD and the information technologies used in information systems. The HSE Office of Information Technology is responsible for PD protection at the University.
5.3. Protection of HSE staff’s PD from unauthorized access and/or loss shall be ensured at the University’s expense, as per the procedure established by federal legislation.
5.4. PD stored within HSE’s electronic databases and information systems shall be protected from unauthorized access, distortion and destruction, as well as any other illegal operations, through diversification of rights of access, relying on a system of logins and passwords.
5.5. PD storage at HSE shall be organized so as to avert their loss or unauthorized use.
5.6. HSE staff responsible for PD processing, as well as heads of relevant subdivisions, shall organize and monitor the protection of HSE staff’s PD.
5.7. HSE’s First Vice Rectors, Vice Rectors, directors and senior directors, as well as the heads of relevant subdivisions and departments responsible for PD processing at the University, shall observe and implement the following procedures, in order to regulate the access of HSE staff to PD, documents (including e-documents), other material data storage devices, databases and information systems containing PD, in order to prevent unauthorized access of any third parties and protection of the PD of HSE’s staff:
- limiting and setting rules for employees whose job responsibilities require access to PD;
- ensuring strictly selective and rational distribution of documents and other data storage devices containing PD among HSE’s staff;
- ensuring rational distribution of employees’ workplaces in order to properly monitor PD usage and access;
- making employees aware of requirements of applicable laws and bylaws concerning PD protection and confidentiality;
- ensuring adequate conditions on premises for operations with documents and other data storage devices, databases and information systems containing PD;
- determining and regulating the number of employees with the right to access databases and information systems containing PD;
- spelling out procedures for the destruction of PD storage devices, as well as ensuring that this system is properly observed;
- ensuring timely detection of cases of unauthorized access to PD;
- organizing work in respective HSE subdivisions in order to avert and prevent PD loss or disclosure;
- limiting access to documents and other data storage devices, databases and information systems, which contain PD.
5.8. Protection of HSE staff’s PD shall be guaranteed by the following rules and procedures for:
- reception, control and registration of visitors;
- access control;
- registration and issue of passes;
- technical security and signalization system;
- procedures for security on premises, at buildings and means of transportation;
- requirements for PD protection during interviews.
5.9. All measures relating to PD confidentiality that are applicable during PD processing must cover both material data storage devices and any PD that is submitted electronically.
6. Rights of PD Subjects
6.1. PD processing shall be performed by HSE only upon consent of PD Subjects and/or pursuant to terms and conditions of Russian legislation on PD processing unless otherwise stipulated in Russian law.
6.2. PD Subjects shall be acquainted with the text of their consent, which is subsequently submitted to HSE, and, if necessary, may refer to the University’s subdivisions specified in the Regulations in order to carry out any steps spelled out in relevant Russian laws on PD processing.
6.3. Any PD Subject shall be entitled to withdraw his/her consent provided to HSE for PD processing (in the same format).
6.4. A PD Subject can exercise his/her other rights as specified by the relevant laws on PD processing.