Disclosure of PD by Roskomnadzor?


What is the article about?

Today we will talk about the quality of Roskomnadzor’s open data using the example of the dataset “Register of operators processing personal data”.

This set is supposed to contain publicly available information about PD operators. Let’s try to understand what problems this set has and what Roskomnadzor can improve in the process of processing notifications about the processing of personal data.

Brief description of the registry

It is located on the page “Register of operators processing personal data”:

Link to the Registry used for analysis

General Registry Issues

The contact details of those responsible for PD processing are not always placed in the register:

Example of missing contact information

Legal names of some PD Operators are missing:

An example of empty information about an individual entrepreneur

This is logical: individual entrepreneurs are not legal entities. Still, this information would be useful if it were in the open data, and the data set should probably be slightly modified.

If you make a request for this TIN through a well-known form:

An example of filling out the form “Search for an operator”

you get more information about the name of the individual entrepreneur (IP) and its legal address:

An example of a completed card when searching by TIN

By the way, this form allows you to go through all the data by TIN and by the number of the PD Operator in the Roskomnadzor database without any restrictions: https://pd.rkn.gov.ru/operators-registry/operators-list/?id=77-22-072180. At least that’s how it seemed to me.

Part of the data in open data is a simple mess of text that is difficult to read and even more so to parse:

Lack of structure

As I understand it, this field in the Roskomnadzor database has a free-form format, or had one until a certain moment, but Roskomnadzor employees are required to fill in the full name, phone number and location address of the PD operator responsible for processing PD. As a result, some Roskomnadzor employees enter this data mainly separated by semicolons, others by line breaks, and the rest in some other arbitrary way.

Open data also contains data not described in XML structure (at the time of writing this is “structure-20220729T0000.xsd”):

Unknown parameter <rkn:transgran>

<rkn:transgran> is not in the XML structure, but <rkn:transgran_transfer> is.

Relevance of contact details

Part of the data, for example the telephone numbers of those responsible for PD processing, does not contain a city or country code. Yes, the code can be guessed from the legal address or other information, but the actual address of the business may not coincide with the registration address of the PD Operator. E-mail addresses are written with errors, most trivially a Russian letter typed at the moment of switching the keyboard layout.

Trying to report a problem

In general, right on the open data page there is a link: “Submit a suggestion / comments on the dataset”. But for some reason, I did not see it and hastened to report the problem with a comment on this page.

I wrote the following comment (anticipating something interesting, I saved it on purpose):

Comment example

Then I decided to write another comment and realized that this form is nothing more than a fiction, a rudiment. Just look at the strange date 11/29/2012 in the screenshot above. Or captcha – it also coincides with the previous one when writing a new comment:

Static captcha

As you can see, no one has been able to leave a comment since 2012, or they managed to leave so many comments that this form no longer functions and all comments have been deleted.

Yury Yevgenyevich Kontemirov, who is responsible for this registry, also ignored the letter about the problem.

Disclosure of PD through open data

Further study of the registry led me to shifts in the output of data – data from other fields was displayed in some fields in some cards of PD Operators. And finally, I came across some very strange information about Personal Data Operators:

Disclosure of personal data

My assumptions:

  • The RKN has one or several databases from which the open data is generated, and the software code that generates the open data has a bug that exported data from another database / table;

  • The PD operator itself sent who knows what in the PD Processing Notice, and the RKN did not validate what was sent to it and simply made this data open (disclosed?).

The most obvious problem

The most conspicuous problem with open data collection is the simple transfer of text from the PD Processing Notice “as is”. This causes the text of the details part to be shown in lower case:

Lower case example

But with one line of code you could capitalize the first character of the text in a single pass over the entire data set.

Submitting an appeal

I’m not very interested in how the data in the Registry will change, I’m afraid that if this happens, then for a couple of million rubles and not very soon. However, I am interested in the topic of privacy of these citizens of our country. Using the link “Submit a suggestion / comments on the dataset”, I registered an appeal, the main message of which was the following:

  • Roskomnadzor needs to better validate data from PD Operators’ Notifications;

  • Disclosed data must be removed from public data;

  • Remove empty tags so as not to bloat the open data file with emptiness.

Answer:

In accordance with Part 4 of Art. 22 of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”, the information contained in the register of operators, with the exception of information about the means of ensuring the security of personal data during their processing, is publicly available.
In turn, in order to prevent violation of the rights of personal data subjects whose personal data are posted on the Personal Data Portal of Roskomnadzor, a request was sent to *** LLC to correct the information in the Register of Operators Processing Personal Data.

Conclusion

I made the following conclusions for myself:

  • Open data is littered with empty fields, which greatly increases the size of open data and the speed of data processing;

  • The XML schema does not match the dataset;

  • The approach to maintaining open data is formal;

  • Data is not validated enough;

  • According to Roskomnadzor, the company that made a mistake and disclosed the personal data of its employees to Roskomnadzor is entirely to blame for the disclosure, despite the fact that Roskomnadzor, in turn, made that data publicly available;

  • Roskomnadzor did not delete or mask open data without an updated Notice; the upload on 03/29/2023 still contained the ill-fated personal data;

  • The purpose of a registry with incomplete, incorrect and out-of-date data is incomprehensible to me.
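
The first two conclusions (empty fields, and a schema that does not match the dataset) can be checked mechanically. The following is an added example, not code from the original post or from Roskomnadzor: the namespace URI, the XSD and the record are constructed stand-ins, and only `transgran` and `transgran_transfer` are element names taken from the article.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XS = "{http://www.w3.org/2001/XMLSchema}"
NS = "urn:example:rkn"  # placeholder: the real namespace URI is not given on the page

# Constructed stand-in for structure-20220729T0000.xsd; "records", "record",
# "inn" and "name_full" are hypothetical element names.
XSD = f"""<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="{NS}">
  <xs:element name="records"><xs:complexType><xs:sequence>
    <xs:element name="record" maxOccurs="unbounded"><xs:complexType><xs:sequence>
      <xs:element name="inn" type="xs:string"/>
      <xs:element name="name_full" type="xs:string"/>
      <xs:element name="transgran_transfer" type="xs:string"/>
    </xs:sequence></xs:complexType></xs:element>
  </xs:sequence></xs:complexType></xs:element>
</xs:schema>"""

# Constructed record: one empty name, one undeclared tag, one empty declared tag.
DATA = f"""<rkn:records xmlns:rkn="{NS}">
  <rkn:record>
    <rkn:inn>0000000000</rkn:inn>
    <rkn:name_full></rkn:name_full>
    <rkn:transgran>no</rkn:transgran>
    <rkn:transgran_transfer/>
  </rkn:record>
</rkn:records>"""


def declared_elements(xsd_text):
    """Local names of every xs:element declared anywhere in the schema."""
    root = ET.fromstring(xsd_text)
    return {e.get("name") for e in root.iter(XS + "element") if e.get("name")}


def audit(xml_text, xsd_text):
    """Return (undeclared element counts, empty leaf element counts)."""
    known = declared_elements(xsd_text)
    undeclared, empty = Counter(), Counter()
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]  # strip the "{namespace}" prefix
        if name not in known:
            undeclared[name] += 1
        if len(el) == 0 and not (el.text or "").strip():
            empty[name] += 1
    return undeclared, empty
```

This only compares element names; element order and types still need a real XSD validator, and a full registry dump should be streamed rather than loaded in one piece.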

I didn’t check the open data regularly for the presence of passport and other personal data, perhaps some of the readers will be interested in this and share their research.

My goal was only to study potential problems in the registry and forget them like a bad dream.
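
The contact-field problems described above (parts separated by semicolons or line breaks, phone numbers without codes, e-mail addresses with a stray Russian letter) and passport-like numbers in free text are things a pre-publication check on the publisher's side can flag. The following is an added example, not code from the original post or from Roskomnadzor; the sample values, the problem labels, and the passport and phone formats are assumptions.

```python
import re

# Constructed sample values of the free-form contact field; not real registry data.
SAMPLES = [
    "Ivanov Ivan Ivanovich; +7 (495) 000-00-00; info@example.ru",
    "Petrov P. P.\n000-00-00\ninf\u043e@example.ru",  # \u043e is a Cyrillic "o"
    "Sidorov S. S.; passport 0000 000000; 8 495 0000000",
]

EMAIL_LIKE = re.compile(r"\S+@\S+")
ASCII_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_LIKE = re.compile(r"^[+\d][\d\s()\-]{5,}$")
# Assumption: an internal passport is a 4-digit series plus a 6-digit number.
PASSPORT_LIKE = re.compile(r"(?<!\d)\d{2}\s?\d{2}\s?\d{6}(?!\d)")


def split_contact(raw):
    """Split the field on the separators the article names: ';' and line breaks."""
    return [p.strip() for p in re.split(r"[;\r\n]+", raw) if p.strip()]


def check_part(part):
    """Return the problem labels for one part of the field."""
    problems = []
    if EMAIL_LIKE.fullmatch(part) and not ASCII_EMAIL.fullmatch(part):
        problems.append("email-non-ascii")
    if PHONE_LIKE.match(part):
        digits = re.sub(r"\D", "", part)
        # Assumption: a complete number has 11 digits and starts with 7 or 8.
        if not (len(digits) == 11 and digits[0] in "78"):
            problems.append("phone-no-country-or-city-code")
    elif PASSPORT_LIKE.search(part):
        # Only non-phone parts are tested: a bare 10-digit run is ambiguous.
        problems.append("passport-like-number")
    return problems


def audit(raw):
    """Map each problematic part of one field value to its problem labels."""
    findings = {}
    for part in split_contact(raw):
        problems = check_part(part)
        if problems:
            findings[part] = problems
    return findings
```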
