The Commissioner for Information of Public Importance and Personal Data Protection has sent a Letter of Warning to the National Employment Service (NES) for its failure to undertake appropriate measures to protect the personal data contained in the electronic “Single Information System of Records of Unemployed Persons and Recipients of Unemployment Benefits” (SIS), a failure which has resulted in the data contained in those records being freely available to third parties.
The Commissioner ordered the NES to inform him within 15 days of relevant human resources and organizational measures it intends to undertake to remedy the identified irregularities.
The Commissioner had previously conducted an inspection of compliance with the Law on Personal Data Protection by the NES. The inspection was prompted by grievances from citizens who had been offered legal representation services by certain law firms in potential lawsuits against the NES due to miscalculation of benefits. It was obvious from the communication that the persons who offered the legal services had had access to personal data in the SIS.
In the inspection procedure it was found, among other things, that a relatively high number of NES staff had access to the SIS data (personal data, information on the use of benefits, benefit award decisions, payment information), but that, with regard to monitoring unauthorized access to recipients’ personal data, data recording and printing of reports or lists, there were no log files from which it could be determined who was responsible for unauthorized access to the SIS.
It was also found that another group of persons had access to the recipients’ personal data, including the staff of the Postal Savings Bank, which disburses unemployment benefits under the Bank Services Agreement, but the said Agreement did not include provisions on technical, human resources and organizational safeguards for the recipients’ personal data.
In addition to the Letter of Warning sent to the NES, the Commissioner also filed criminal charges with the First Basic Public Prosecutor’s Office in Belgrade against an unidentified official employed at the NES for the criminal offence of unauthorized collecting of personal data, as set out in Article 146 paragraph 3 of the Criminal Code, committed by using the data contained in the records for purposes not originally intended and by disclosing such data to another person.
The Commissioner notes this is just one of many similar cases that are alarmingly illustrative of the inadequate and irresponsible treatment of the citizens’ right to personal data protection by state authorities.