The new service on the e-government portal – “Expressing interest in vaccinating against Govt 19” should not be followed from the point of view of the law regarding the right to privacy and protection of personal data, there are several reasons. In summary, all established principles of data processing – 1. legitimacy, honesty and transparency, 2. limited scope, 3. data minimization, 4. accuracy, 5. limited storage, 6. security and 7. liability – have not been used. Their uniqueness with policies in another area is their “firmness” – these are specific obligations.
Data processing must be legitimate, fair and transparent
The legality of the process implies an adequate legal basis (e.g., legal authority or consent of the person), which is questionable here. If it is an authorization, it must be recommended by some law. The person’s approval for the process is not an adequate legal basis when it comes to government agencies, especially if it concerns his or her ability or purpose of the task. In this case, the legal basis is not even stated. Special conditions and obligations apply as data for the presence of “specific disease” or “health problems” are also processed.
Furthermore, the controller is obligated to report every data matter about all relevant aspects of the process. This processing notice must include the identifier and contact details of the controller, followed by the data protection officer (especially remember that this is a public authority), and the recipient of the data, depending on the purpose of the process and the law (e.g. , As well as the holding period, the rights of the person, the right to complain to the Commissioner, etc. All that is missing in this case.
The scope of the process should be minimal
The purpose of data processing is fundamental to any processing. Therefore, it must be determined that it is a clear goal to be achieved. On top of that Portfolio page It has been stated that the completion of the questionnaire shows interest in the person receiving the vaccine and that this will be the purpose of completing the questionnaire for the individual. However, in terms of data security, the scope controller refers to what it wants to achieve. For example, preparing a vaccine purchase plan (provided that they have not already been purchased and that the vaccine plan has not been completed by the existing person).
Only the required data will be processed
Since any process violates a person’s right, it must be proportional. In other words, only the required data will be processed. Therefore, if it is necessary to know by name who is “interested” in the vaccine, it is necessary to process the data that identifies the person. If only the number of persons and the municipality are important, then processing the JMPG or contact data of persons is superfluous.
It is clear that the realization of this policy, i.e. the obligation not to collect more data than necessary, depends on the specific purpose.
The data must be accurate
In order for an invasion of privacy to be justified, the data must be accurate (and updated in applicable cases). Since this is a questionnaire that only one person can fill, the question is how to ensure accuracy. This service is also available to persons who are not registered in the e-Government portal, i.e. no data verification unless the person’s name and the associated JMPG are compared.
At the same time, the person can fill in the minor’s data, without authorization. Since these data cannot be verified, they are unreliable and therefore the purpose of the process has not been achieved and in this case it has not been provided.
Data processing is limited
It is rare for data to be stored permanently, but the length of storage should depend on the purpose of the process and be determined, for example, by the expiration date or the occurrence of conditions expressed in days. In this particular case, the retention period is not clear, which is the result of an indefinite purpose of re-processing.
Data must be secure
Data processing involves the use of measures to ensure their integrity and confidentiality. These activities can be technical, organizational and personnel. Since it is the processing of data related to health status, it is a special type of data that presents additional security measures. According to Section 42 of the Act, these measures must be structured in such a way that the use of technology in this particular case and the large-scale processing of a special type of data (40,000 people filled out a questionnaire the next day published on the service portal), and the risk to rights and personal liberties, security measures are designed.
Data is handled responsibly
In addition to the principle of limited scope, this principle of liability forms the basis of any process. There is no processing without responsibility, and every data represents an obligation that signifies respect for all legal obligations, especially human rights.
Under the law relating to the protection of personal data, the duties of the controller are general and specialized. In addition to respecting all policies and the rights of individuals, it was expected that a “personal impact assessment” would be prepared on the matter. If so, it will answer the missing questions: among other things: what is the purpose of the process, whether it is necessary and proportional to the purpose, whether we are aware of the risks to the rights of individuals (privacy is only one of the rights), what actions we would like to take to reduce the risk, and whether they are sufficient. As we prepare this assessment, we are obligated to seek the opinion of the individual for the protection of personal data.
Evaluating the impact on the security of personal data This questionnaire, more precisely, a large-scale modified questionnaire, if actually revealed, helps to achieve the objective.
* Open Community Foundation
Links Published In the “Views” section Reflect Attitudes Author, Not always editorial Politics Sheet