MOSCOW, 7 Oct — PRIME. The Ministry of Digital Development of the Russian Federation plans to give companies the opportunity to independently depersonalize user data before transferring it to the National Data Management System (NCMS), the Vedomosti newspaper reports, citing amendments to the law “On Personal Data”.
“Placing anonymized data in the system is carried out by commercial and government providers in accordance with uniform formats at the request of the system operator in cases determined by the government,” the bill says.
It is noted that the concept of creating a unified data system was approved by the government in 2019, it assumed the introduction of a new approach to working with state data as early as 2022. Thus, it was supposed to unify the process of collecting, processing, storing and using data. In May 2021, the Ministry of Economic Development and the Ministry of Digital Development prepared a draft law on the creation of a NSUD, which was supposed to perform these functions. In May 2022, a revised version of the document was presented, which proposed to provide businesses with the opportunity to receive national data and use the infrastructure of the NSMS on a paid basis.
The problem with the National Data Management System or another similar system previously was that companies wanted to retain the right to anonymize the data of their customers and users, and departments insisted on doing this centrally, the source of the publication in one of the profile associations explained.
At the same time, Positive Technologies security business consultant Aleksey Lukatsky added that, in accordance with the order of Roskomnadzor, four methods of data depersonalization were defined: the method of introducing identifiers, the method of changing the composition or semantics, the decomposition method, and the mixing method. Not only did he not classify all other methods of ILV as depersonalization methods, but also considered their use illegal.
“As the practice of inspections shows, the position of the RKN is that commercial companies do not have the right to depersonalize personal data, and this is the prerogative of only state structures,” the expert explained.
At the same time, InfoWatch Group Consulting Director Irina Zinovkina notes that depersonalization of data by each individual operator makes sense and will be more effective than other options. “If a single method of depersonalizing data for transmission to a specific system is approved, then this data will only be aggregated. It will be much easier for companies to depersonalize the data they process than for the future aggregator to process the data flow from everyone,” the expert explains.