How Confidential Documents and Personal Data Are Digitized

The essence of digitization is the transformation of information into electronic form, as this aggregate state offers numerous advantages. The final electronic resource, like the original paper array, is the property of the organization and is under its responsibility: it is stored on its territory/server capacities and is regulated by internal regulations.

However, during the transformation process, access to this information is granted to the outsourcer. How can we eliminate the risks of data leakage in this case? It is not enough to simply trust the chosen executor – it is necessary for them to possess the technologies and comply with legal requirements for processing information of this class. This article examines the main organizational and technological aspects of such digitization.

1. Confidentiality Agreement

This is a basic organizational measure, without which it is not advisable to transfer any documents to a third-party organization, even if these documents do not contain sensitive information. This clause must be included in the terms of the agreement. If the right to perform the work is granted to a company that does not specialize in digitization, this requirement will obligate them to additionally control the process and may positively affect the quality of the final resource.

Major market players use such an agreement by default and closely monitor its compliance, as a data leak from a client is detrimental to their reputation and, consequently, results in a loss of clients.

2. Depersonalization

Documents can be processed automatically using special software (text recognition, classification by type, extraction of attributes). However, in 95% of cases, a human is also involved in the process – at least at the stage of verifying the recognized information. This is especially true if indexing documents with handwritten or poorly readable text is required.

How can we eliminate the risks of information leakage through reading it by the indexing operator in this case? Large companies have solved this problem by developing depersonalization technologies long before the implementation of the personal data processing mechanism proposed in accordance with Federal Law No. 149-FZ "On Information, Information Technologies, and Information Protection."

Depersonalization in digitization must be carried out at the level of scan images, which requires quite complex software for their segmentation. Such technologies are available only to a few large companies.

For depersonalization, scanned images are segmented into fragments. Each data entry operator sees and indexes only a specific array (for example, names or birth dates). The possibility of reading any related data, such as a person's first and last name, is excluded. The final indexed database is assembled from fragments in a closed, secure environment. Today, this technology is used for digitizing all documents containing confidential information and personal data: personnel documents, court cases, civil registry books, etc.

3. Working Under Supervision

For this same purpose, large companies adhere to strict internal regulations. Only in this way can an effective digitization conveyor be established, where each stage is performed by trained specialists, all actions are documented, and downtime in work is minimized. As practice has shown, especially in digitization carried out within the framework of government contracts, such regulation is a real aid in processing documents containing personal data.

The fact is that such work is often monitored by the Prosecutor's Office and Roskomnadzor. A notable example is the civil registry office, where almost every project is carried out under such conditions. For an unprepared outsourcing company, constant checks and the need to prepare almost daily reports result in a significant increase in work timelines and, consequently, costs. For large outsourcers, the regime of strict regulation is included in the cost by default, so control from supervisory authorities practically does not affect the speed and cost of work.

4. Licenses

The executor's competencies in working with confidential information can be confirmed by licenses – for processing information and for its technical protection during processing. It is necessary to clarify their availability with the executor, as this can protect the client from a number of claims during inspections. Some works, such as those related to processing information that constitutes state secrets, cannot be carried out without the appropriate FSB license.

Few outsourcers possess such a license. However, its presence indicates that the company has certified premises, certified specialists, and established mechanisms for working with Special Communications and the security departments of clients. Such a company can be entrusted with the digitization of documents and information of any level of confidentiality without hesitation.

Digitizing any documents containing personal data of citizens, as well as information that constitutes state and commercial secrets, is associated with numerous risks. It can only be accomplished without exceeding the planned budget and within the deadline by carefully selecting the outsourcing company.