The Commissioner for Information of Public Importance and Personal Data Protection has sent a Warning to the Ministry of Interior (MoI) regarding irregularities in the implementation of the Personal Data Protection Law (PDPL).
The warning resulted from the supervision proceedings instituted and conducted by the Commissioner regarding the request of the Police Department in Kikinda that the hospital provide it with the personal data of all citizens who are treated based on the diagnosis code "F". The police department's document requesting the data indicates that the data are necessary "in order to act in accordance with the Instructions on the Manner of Organization and Conduct of Internal Affairs in the Security Sector, and to adequately update the sector's file."
In the interest of both the citizens and the MoI itself, the warning would have been submitted earlier, since the Commissioner concluded the supervision at the beginning of May, but this was postponed due to unnecessary complications created by the MoI regarding the forwarding of the relevant documents or records.
The Commissioner warned the MoI that it is processing particularly sensitive data on the citizens’ health status, contrary to the provisions of the PDPL, and that it is also processing some other personal data without legal grounds and authorization, such as the personal data of current, retired and former MoI employees living in the sector, persons who possess amateur radio stations, fans and other persons, for a purpose that is not clearly defined, has already been achieved, or is even devoid of any meaning.
Namely, it was established during the supervision that the Police Department in Kikinda destroyed all the data from the data file immediately after the Commissioner’s public announcement that he had instituted supervision proceedings. Unfortunately, this was done in a manner that significantly impeded the establishment of the relevant facts. They neither formed a committee nor defined the method of destruction, nor compiled reports and official notes on the destruction of data. In the supervision carried out using the random sample method in, e.g., the Police Department Novi Beograd, it was determined that particularly sensitive data on the patients’ health status had not been processed there, but that the other above-mentioned personal data of citizens had been processed without valid statutory grounds.
The "statutory grounds" for such data processing are stipulated in the Instruction issued by the Minister of Interior more than 20 years ago. This Instruction, which is contrary to Article 196 of the current Constitution and Article 120 of the then applicable Constitution, has not been published anywhere and, consequently, should not have been applied; irrespective of that, it had in any case to have been repealed by the 2005 Law on Police, because it is drastically contrary to it.
Pursuant to Article 42 of the Serbian Constitution, only a provision of the law may constitute valid grounds for the processing of personal data, not a provision of any secondary legislation. The fact that any public authority is collecting personal data, in particular sensitive personal data, with reference to such an "Instruction", which is contrary to the Constitution and the PDPL, should be alarming.
The facts from the supervision are not only a problem of the PD Kikinda or the MoI; they are another confirmation of the totally inadequate attitude to the problem of protection of citizens’ data at the state and global level, which has for years been characterized by the absence of necessary action (which inevitably implies appropriate education) as well as the non-issuing of adequate regulations. This was also pointed out during the supervision by the MoI's employees, who gave the example of the proposal of the Law on Records in the Field of Internal Affairs, which had been prepared back in 2015 in good cooperation with the Commissioner but never issued.
The Commissioner ordered the MoI to notify him of the measures taken and the planned activities for remedying those irregularities in personal data processing within 15 days.