Every year during the admission campaign St Petersburg University receives thousands of applications with copies of passports, certificates of general education and other documents. After the admission this information is kept and processed at the University.
Svetlana Begeza, Senior Deputy Vice-Rector for Academic Activities and Teaching Methods at St Petersburg University, explains why this information is required and why students can be sure that their personal data is protected from unauthorised use.
Why does the University need students’ personal data? How is this information used?
According to Federal Law No 273-FZ 'On Education in the Russian Federation’, the University has to process the students’ personal data in order to perform its duties on ensuring the right of citizens to receive education. Based on the Provision on processing and protection of the personal data of students, applicants and their legal representatives approved by Order No 3580/1 of 23 April 2018, the volume and content of the processed personal data is defined by the federal laws and other regulatory acts of the Russian Federation. They include the Charter of St Petersburg University, applications for admission, enrolment and accommodation contracts.
The University processes personal data of students, applicants and their legal representatives in order to provide for: admission; education on the degree and non-degree programmes; employment assistance; on-the-job training; and internships. This information is required to perform contractual obligations on: education and accommodation; regular assessment of academic progress; interim and final assessment; and assigning the students for participation in academic, research and nonacademic activities in Russia and in other countries. Without this information St Petersburg University is not able to: implement social policy; provide for the students’ health care, health insurance, personal safety, investigation of accidents (if they occur); and perform calculation, accrual and payment of stipends, bonuses, financial aid and compensations. Personal data is required for: records in accordance with FZ ‘On military duty and military service’; and migration and visa registration of international applicants, and supervision of their compliance with the terms of residency in the Russian Federation. Such information is also required to provide for: security of the University property, employees and students; publication of research, academic, methodological and reference materials; and research and international activity of St Petersburg University.
It should be underscored that the use of personal data is limited to the purposes listed above.
What is the minimal amount of information that a student should provide?
You can learn more about the types and categories of personal data processed by the
The University processes different types and categories of personal data for different purposes. First of all, the applicants and students are required to provide passport data including their last name, first name and middle name, date of birth and place of birth, citizenship, address of registration at the place of residence or at the place of stay. We also ask to attach a photo and contact information. In order to perform bank transactions on behalf of the students, we need personal data to work with financial organisations. Foreign residents may be requested to provide visa information, work permit, migration cards and travel documents, while Russian citizens planning to travel abroad should provide their regular international passport data.
All this information continues to be processed even if the student decides to withdraw the consent for personal data processing.
How long does St Petersburg University keep the information about the student? What happens to the information after the expiration of the retaining period? Are paper and electronic documents destroyed and erased? How does it happen?
According to Federal Law No 152-FZ ‘On personal data’, the preservation of such information should be performed in a way that allows to identify the person no longer than it is required by the purpose of processing. Once the purpose is achieved or in case of no further need in their use, personal data should be destroyed or anonymised. Taking into account that personal data is included in various documents and kept both on paper and electronic carriers, there is no single time period for retaining such data. It is determined for each specific type of data based on the lists of standard documents with the specified retention period approved by legislative and regulatory acts of the Russian Federation. One of such lists, for example, is the List of standard administrative archival documents produced during the activity of state authorities, local government and organisations with the indication of retention period approved by Oder No 236 dated 20 December 2019 of the Federal Archival Agency.
The decision on the destruction of personal data in all electronic data bases and all physical storage media upon reaching the purpose of processing is taken by the Senior Vice-Rector for Academic Activities and Teaching Methods or their deputy. It can also be made by the Head of the Academic Affairs Department and their deputies. If this is the data of the St Petersburg University applicants and their legal representatives, the decision is taken by the Vice-Rector for Student Affairs and Admissions and the Head of Admissions Directorate. The destruction is performed by shredding, which excludes the possibility of restoring. Complete utilisation is organised by other St Petersburg University officials according to the scope of their duties.
I will add that the information from data bases, in particular from the ‘Obuchenie’ [Training] IT system that contains information on the students’ academic progress in academic disciplines, achievements and social benefits is not subject to erasure or destruction, because it will result in distortion of the University statistics for the previous period and inability to provide information upon request of competent authorities.
Can a student withdraw the consent for personal data processing?
Yes, they can. The data subjects can withdraw the consent for their personal data processing. However, even in this case St Petersburg University will have the right to process personal data without the student's consent in the cases provided by clause 2–11, part 1, article 6; part 2, article 10 and part 2 article 11 of Federal Law ‘On personal data’.
For example, the University can implement functions, authority and duties imposed by the legislation of the Russian Federation, or perform a contract with the subject of personal data.
Thus, according to the clarifications from the Ministry of Science and Higher Education of the Russian Federation (letter No MN-20/128 dated 18 August 2020; St Petersburg University incoming letter No 01-118-2299 dated 27 August 2020) in response to the St Petersburg University inquiry on withdrawal of the student’s consent for personal data processing before the completion of education, the student’s information will continue to be processed to the extent necessary for the implementation of academic programmes.