Glitched Online Registration System for COVID-19 Vaccination Confuses Croatia

As more doses of COVID-19 vaccines finally arrive in Croatia, problems continue when it comes to registration, especially through the national online platform, CijepiSe [Get vaccinated].

“I expected the CijepiSe platform to work because the pandemic has lasted such a long time,” Mia Biberovic, executive editor at the Croatian tech website Netokracija, told BIRN.

“I assumed the preparations were done early enough,” she said, concluding that alas, this was not the case. As a consequence, she noted, a small number of people who applied online for a jab are being invited to get vaccinated.

For days, media have reported on problems with the platform, which cost 4.4 million kuna, or about 572,000 euros. On Friday, media reported that the data of the first 4,000 people who applied for vaccination via the platform during its test phase in February had been deleted.

The health ministry then denied reports about the deletion, and said the data relevant for making vaccination appointments had not connected in the case of 200 citizens who booked vaccinations during the test trial.

“The problem is, first, that the test version came when it [the system] was not functional yet. Second, [in the test phase] there were no remarks about the protection of users’ data, i.e. how the user data left there would be used,” Biberovic, who was also among those who applied during the test trial, noted.

“As far as I understood, the data was not deleted but could not be seen anywhere because it was incomplete … So they are not deleted, but again, they are not usable, which is even more bizarre,” Biberovic added. “This is certainly a risk because citizens do not know how their data is being used.”

Vaccination appointments in Croatia can be ordered through the CijepiSe online platform, a call centre or via general practitioners, and all those who apply should be put on a single list. However, direct contact with a doctor has turned out to be the best way to get a vaccination appointment.

The ministry on Saturday said 198,274 citizens have been registered via the CijepiSe platform, of whom 45,416 have been vaccinated. But around 40,000 of these were not invited through the platform but by direct invitation of general practitioners.

Zvonimir Sostar, head of the Zagreb-based Andrija Stampar Teaching Institute of Public Health, stated on Saturday that the platform was not functioning in the capital, and that they would change the vaccination registration system, advising citizens to register via general practitioners.

Shortly after, the ministry promised that “everyone registered in the CijepiSe system will receive their vaccination appointment”.

“Maybe the platform is not functioning the way we wanted, but it functions well enough to cope with the challenges of vaccination. I read in the papers that the system of vaccination has collapsed. That’s not true! We are increasing the daily number of vaccinations,” Health Minister Vili Beros said on Sunday.

However, the Conflict of Interest Commission, an independent state body tasked with preventing conflicts of interest between private and public interests in the public sector, confirmed on Tuesday that it has opened a case against Beros. It comes after the media reported that the minister has ties to the company that designed the CijepiSe platform. The minister denies any wrongdoing.

Albania Prosecutors Investigate Socialists’ Big-Brother-Style Database

Albania’s Special Structure Against Corruption and Organized Crime has summoned Andi Bushati and Armand Shkullaku, owners and editors of Lapsi.al news website, for questioning about a database, purportedly created by the Socialist Party, which contains the names of 910,000 voters in the Tirana region, along with personal data, including employment and family background records in what critics call a massive tracking system.

Bushati said prosecutors asked him where the information came from, and said he had refused to reveal his source, calling the meeting “a short meeting without much substance” while suggesting that the prosecutors should instead investigate how the personal data of the citizens ended up in the hands of a political party.

The prosecutors have not inspected any party office or commented publicly on what they are investigating.

The news about the database revealed last Sunday sent waves across the political spectrum and the population.

Ruling Socialist Party officials acknowledge that the database exists, but insist the data was provided voluntarily by citizens. They have also claimed that the published excerpts are not theirs.

Socialist parliamentary group leader Taulant Balla immediately called the news “Lies!”

“The Socialist Party has built its database over years in door-to-door communication with the people,” he added. Days later, he claimed that the database published was not the one belonging to the Socialist Party.

Edi Rama, the Prime Minister, has acknowledged that his party has a “system of patronage” of voters but said their database is more complex and that the one leaked is probably an old one. Other Socialists have denied that the leaked database is theirs at all.

The opposition Democratic Party claims the data included in the database was stolen by the Socialist Party via the government service website E-Albania, where people apply for different services.

Many citizens who have had access to the database claim the data there are those they supplied to state institutions, and say the database seems well updated.

This E-Albania website was used by the government of Prime Minister Rama to issue permission to go outside during the national lockdown in spring 2020. In their forms, citizens had to provide phone numbers and email addresses.

The database, which BIRN has seen, contains some 910,000 entries of names, addresses, birthdays, personal ID cards, employment and other data.

For each voter, a party official known as a “patronazhist”, a word derived from the French patronage, is assigned. If they want to know where somebody works, a search in the database can provide that information.

For each voter, there is data on how they voted in the past and what their likely preference is today. In a separate column titled “comments”, party officials write notes on voters.

In one, a party official notes that “the voter requested employment of his wife” while in another, “the voter didn’t thank [the party] for obtaining his house deeds”.

Property issues are widespread in Albania and various governments have been criticized for handing over ownership titles as electoral campaign bribes. The issue of such deeds in elections is currently forbidden.

In several cases, officials noted that some voters do not participate in elections because they are “Jehovah Witnesses,” or “extremist Muslims who are not permitted by religion to vote”.

In one case, the comment indicates that voters’ social media pages are checked by officials: “By investigating his Facebook profile, we can conclude he votes for SP,” a note reads while in another case it reads: “This one has previously voted for PDIU party; should be kept under monitoring.”

A note for a voter identified as a business owner reads: “We should contact him for his employees”. In another case: “The mother of the voter is employed in the municipality”.

Even family conflicts do not escape the observing eye of the party: “Xxx is relative of xxx but they are not on speaking terms,” a note reads.

The Albanian Helsinki Committee, a rights group based in Tirana, underlined that systematic monitoring of voters by a political party may violate the secrecy of the ballot and is especially concerning if done without a voter’s consent.

On Friday, 12 rights organisations called on the authorities to investigate the matter after indicating that at least the law on the Protection of Personal Data had been violated.

“This case is the illegal collection, elaboration and distribution of personal data of some 1 million citizens without their consent,” the statement reads.

While scores of citizens are interested to know which Socialist Party official is tracking them, Big Brother Albanian style apparently does not lack a note of comedy.

In the database, Socialist Party head and PM Rama is shown as a voter who works at the Council of Ministers and is under the “patronage” of Elvis Husha, a party official. Husha is under the patronage of another party official.

Journalist Andi Bushati, who first exposed the database, said chances are slim that the prosecutors will do their work. “I don’t really believe that the prosecutors will find the truth of this. When a crime appears, it remains without author,” he commented.

Montenegrins in Self-Isolation Sue State for Publishing Names

More than 300 citizens of Montenegro have filed lawsuits against the state for publishing their names on lists of people ordered to self-isolate. On Wednesday, a Podgorica-based lawyer, Dalibor Kavaric, who represents some of the citizens, said the government had violated their human rights.

“By publishing the names and personal data of persons in self-isolation, the government stigmatized them and unnecessarily exposed their privacy to the public … the government has unnecessarily caused material damage to the budget of Montenegro just because it didn’t respect the constitution,” Kavaric told BIRN.

The government published the names on March 21, despite warnings from opposition parties and civic society organisations that it risked violating constitutionally guaranteed human rights. They also warned that citizens whose names were published might sue the state before the courts.

The government said it had a right to publish the names because some citizens were not respecting self-isolation obligations. It also said it had approval for its actions from the Agency for Personal Data Protection. It stressed that the security forces could not control every citizen who should be in self-isolation, and that anyone who failed to self-isolate posed a threat to the entire community.

The Head of the EU Delegation to Montenegro, Aivo Orav, called on the authorities to find the right balance between protecting the health and respecting the confidentiality of health information and the right to privacy of citizens.

Danilo Papovic, from the Civic Alliance, said citizens had every right to seek legal protection of their civil rights.

“The lawsuits are completely justified … This government action indicates the absence of responsibility both in the legal and financial sense, bearing in mind that the consequences of illegal actions are ultimately borne by the citizens, because any compensation is paid from the budget,” Papovic told BIRN.

On March 22, Prime Minister Dusko Markovic said no compromises would be made with those who violated preventative measures amid the COVID-19 pandemic. He also warned that the government would continue to publish the names of citizens who had been ordered to self-isolate.

“The lives of our citizens are the priority. We have estimated that the right to health and life is above the right to unconditional protection of personal data,” Markovic said.

But after the Civic Alliance submitted an appeal to the Constitutional court on March 23, on July 23, the court annulled the government decision to publish the names of citizens ordered to self-isolate – though it did not rule that the government had violated their human rights. The government then removed the list from its website.

A lawyer from Bijelo Polje, Milos Kojovic, said the Constitutional Court had confirmed that the government had violated basic human rights and freedoms by publishing the names of persons ordered to self-isolation. “The government didn’t respect their right to a private and family life,” Kojovic told the daily newspaper Dan.

“Persons on the list published on the official government website, then transmitted by all electronic and print media, are entitled to fair compensation for violation of their personal rights,” he added.

Kosovo Lawmakers Play Politics with Personal Data

Personal data and the right of access to public information remain largely unprotected in Kosovo after parliament failed again to elect a Commissioner for the Information and Privacy Agency, IPA, leading critics to accuse lawmakers of playing politics with citizens’ rights.

The Information and Privacy Agency, IPA, had asked the parliament to give its director, Bujar Sadiku, the powers of the Commissioner of the Agency despite the failed recruitment process for the post.

The request was rejected by the parliamentary Committee on Security Affairs as illegal, however, and civil society groups on Thursday publicly asked the Presidency of the Assembly, especially the Speaker, Vjosa Osmani, to be vigilant and ignore such illegal requests.

On August 14, none of the three candidates for the post received the required 61 votes, the third time in two years that parliament failed to appoint a Commissioner, a failure analysts attribute to narrow political interests. The British embassy, which has assisted in the recruitment process, said British experts had been withdrawn.

Flutura Kusari, a legal adviser at the European Centre for Press and Media Freedom, who voluntarily monitored the recruitment process, said the British decision was a good one, but was “bad news” for Kosovo.

“It is not logical financially or politically for an ally to invest this much in a clearly politicised process,” Kusari told BIRN.

In its five years of existence, “the agency has failed from the beginning to protect our personal data,” she said. “If the Commissioner will be politicised, s/he can become a censor of public information, pleasing politicians.”

Starting ‘from zero’


The meeting of the Kosovo Committee on Security and Defence, where the annual report of the Information and Privacy Agency, IPA, for 2019 was reviewed, presented by IPA director Bujar Sadiku, June 16, 2020. Photo: Official Website of Kosovo Assembly.

Without a Commissioner, Kosovo has no institutional mechanism to implement the Law on Access to Public Documents and the Law on the Protection of the Personal Data.

The first two attempts to appoint a Commissioner failed in May and July last year due to the fall of the then government and the dissolution of parliament after the prime minister at the time, Ramush Haradinaj, resigned on being summoned for questioning by war crimes prosecutors in The Hague.

Without a Commissioner, citizens of Kosovo have no institutional means to complain and seek justice if a public or private body violates their rights to protection of their personal data or access to information. Civil society groups say that without an independent overseer, the agency could become biased in fining particular institutions or officials.

British-approved candidates

Twelve people applied for the position, cut down to five after a review of the applications. Each of the five candidates went through a two-day interview process, after which a commission selected three to be submitted to parliament.

They were Bujar Sadiku, Krenare Sogojeva-Dermaku and Muharrem Mustafa. Sadiku and Sogojeva-Dermaku had received the approval of the British Embassy as the best candidates.

The IPA is unable to impose fines on bodies that violate the law due to the absence of certain internal acts that should be signed and submitted to the government by the Commissioner, Jeton Arifi, head of the Access to Public Documents Pillar at the agency, told BIRN.

If a bank, for example, accidentally or intentionally revealed the account details of a customer, that customer would have to take the bank to court, a lengthy and potentially expensive process during which the bank could continue violating the law.

“The persistent failure to select the head of our authority is continuing to cause consequences in the prolongation of internal processes, which should have been concluded within six months from the entry into force of the relevant law,” Arifi told BIRN. The Law on Personal Data Protection entered into force on March 11, 2019.

Politicians can ‘hijack’ process

Without a Commissioner, the IPA is also unable to hire new staff and has had to halt a twinning project with Germany and Latvia.

“Now everything will start again from zero,” said Fatmire Mulhaxha Kollcaku, who heads parliament’s Committee on Security and Defence and led the interview panel for the Commissioner’s job.

“As long as we don’t have an independent institution with a competent Commission, we have two unenforceable laws,” said Mulhaxha Kollcaku, and questioned how the recruitment process would continue without the British involvement.

The British embassy said on August 17 that it would not spend British taxpayers’ money on repeating a process that had been conducted properly but which failed to end in the appointment of a Commissioner. Under the agreement with the embassy, parliament is obliged to endorse an approved candidate.

“The non-appointment of any of them calls into question the stated commitment of political parties to implement the Memorandum of Understanding (MoU) with the British Embassy, but more importantly, it sends a negative signal to independent professionals in Kosovo and their hopes to contribute in Kosovo Institutions,” the embassy said.

“Any public appointment should take into account only the interests of the country and its citizens, and not the narrow party interest.”

Without the British involvement, politicians can “hijack the process and elect politically involved people with no actual skills for the position,” warned Kusari.

Taulant Hoxha, CEO of the NGO Kosovar Civil Society Foundation, which supports the development of civil society with a focus on EU integration, told BIRN:

“It is painful that the Kosovo Assembly has to sign security agreements with foreign embassies in order to be able to elect a Commissioner. It would make sense if only the human, technical, and methodological resources were to be provided with funding from the British Embassy because the Assembly of Kosovo is a new institution.”

Montenegro Court to Examine Publication of Self-Isolating Citizens’ Names

Montenegro’s Constitutional Court has agreed to examine whether the government violated the human rights of citizens ordered to self-isolate during the coronavirus pandemic by publishing their names.

On Friday it said it would consider the appeal brought by the local NGO Civic Alliance against the decision to publish the names of people undergoing self-isolation, which the alliance said violated their constitutional right to privacy.

“The court will examine whether the decisions of the National Coordination Body for Infectious Diseases violated constitutional rights,” the court said.

The government published the names on March 21, despite warnings from opposition parties and civic society organizations that it risked violating constitutionally guaranteed human rights.

The government said it had to publish the list because some citizens were not respecting self-isolation obligations. It also claimed it had the approval of the Agency for Personal Data Protection. It stressed that security forces could not control every citizen who should be in self-isolation, and anyone who failed to self-isolate posed a threat to the entire community.

Prime Minister Dusko Markovic said no compromises would be made with those who violated preventative measures amid the global COVID-19 pandemic. He also warned that the government would continue to publish the names of citizens who had been ordered to self-isolate.

“The lives of our citizens are the priority. We have estimated that the right to health and life is above the right to unconditional protection of personal data,” Markovic said.

Opposition parties and the civil society sector urged the government not to publish the lists, insisting it would violate the constitutional right to privacy. They also warned that citizens whose names were published might sue the state before the court.

The Head of the EU Delegation to Montenegro, Aivo Orav, called on the authorities to find the right balance between protecting the health and respecting the confidentiality of health information and the right to privacy of citizens.

On April 8, the Prosecutor’s Office filed criminal charges against a medical staffer in the Health Centre in the capital, Podgorica, after he published the list of names of infected people and their ID numbers on social networks.

It said that the man, known only by the initials M.R., was not authorized to collect and use personal information on COVID-19 patients through the IDO system and forward it via Viber to other persons.

Question Marks over Slovak Quarantine App Fuel Privacy Concern

A lack of detail on a new smartphone app designed to help authorities in Slovakia track people in home quarantine is raising doubts about its compliance with data privacy rules and fuelling conspiracy theories.

With 28 confirmed deaths to date, Slovakia tops the chart of European countries with the lowest number of COVID-19 victims per capita, a source of pride for politicians and healthcare workers.

But the country is also one of the last in Central and Eastern Europe to introduce any kind of digital technology to help tackle the pandemic.

Last week, parliament passed a bill introducing an app to keep tabs on those in quarantine at home, after the country’s Constitutional Court halted development of a contact-tracing app that had triggered concern over the need for the mass collection of data.

The quarantine app was due to go live on May 18, but authorities postponed the launch saying more testing was needed.

Created by the Slovak IT firm Sygic, the app avoids the need for any mass collection of data, but a lack of detailed information, particularly regarding how the data will be stored and who will have access to it, has many Slovaks worried.

Data rights activists say that, while the government must do what it can to save lives, it must also be transparent in order to earn the trust of the people.

“We understand that this difficult time calls for quick and maybe non-traditional solutions, but we can’t forget the [need for] clear communication, which would dispel concerns about a possible abuse of private data,” said Andrea Cox, director of Digital Intelligence, which works to promote the protection of digital rights in Slovakia.


Constitution vs. public health

For the past two months, Slovaks returning to the country have had to go into state-run quarantine facilities where they are tested for the novel coronavirus and, if negative, allowed home.

But Slovakia’s government, led by Igor Matovic and his anti-establishment OLANO party, has faced widespread criticism over conditions at the facilities.

The government now says the new, voluntary app – based on face biometrics and movement data – will allow people to self-isolate at home if they would rather not enter a state-run facility.

The data will be monitored by the Slovak Public Health authority, which, under the new law, must destroy a person’s data as soon as the required quarantine period is over.

It is still not known, however, where the data that is collected will be stored and who will have access to it.

Introduction of the app follows a Constitutional Court ruling last week that suspended telecommunications legislation adopted in April and that cleared the way for the mass collection of data from smartphones, effectively slamming the brakes on development of a contact-tracing app. Judges ruled that the Telecommunications Act was not specific enough and left unclear how private data would be handled.

It lacked, they said, “necessary guarantees against the misuse of the processed private information” and means of independent oversight.

Matovic said he was confident the new home-quarantine technology would pass muster.

“I think the constitutional court decision cannot prevent us from making the quarantine stay more comfortable for people,” he told a press conference on May 14.

But data privacy advocates are unconvinced.

“It is unacceptable for apps that could affect the everyday life of Slovak citizens to not be communicated properly,” said Eliska Pirkova, Europe Policy Analyst at Access Now, an international data rights advocacy group, during an online discussion on May 15 about the erosion of data rights during the COVID-19 crisis in Slovakia.

“We all know that technologies have the power to discriminate and breach not just the right to privacy, but other rights too. This is what I see as a problem in Slovakia.”

Technology and public trust

Poor communication has created a vacuum in Slovakia filled by misinformation and conspiracy theories about a potential COVID-19 vaccine, the origin of the coronavirus and the threats to privacy posed by new technology.

Marian Kotleba, leader of the neo-fascist People’s Party Our Slovakia, LSNS, which won eight per cent of votes in Slovakia’s February general election, has shared conspiracies about microchips being implanted into people against their will, while former Prime Minister Robert Fico, leader of SMER-SD, has accused Matovic’s government of planning to spy on people via their phone data.

According to a survey conducted by the Slovak Academy of Sciences, a large majority of voters for both parties believe the coronavirus was created in a lab and deliberately disseminated, while just 40 per cent of Slovaks say they would get vaccinated against COVID-19 once a vaccine becomes available.

“Insufficient communication creates space for those who shout the loudest, although they often talk rubbish, from the absurdities about microchips and manipulations to the 5G networks,” Cox told the May 15 online discussion, referring to a conspiracy theory that 5G mobile technology helps spread the virus.

“We want to believe,” she said, “that in designing the latest technological solutions, the officials have kept in mind questions like digital exclusion or discrimination caused by the lack of internet access, or social oversight.”

Need for vigilance

As countries emerge from lockdown, the development of smartphone apps to combat the spread of COVID-19 is being watched with mounting concern by human rights organisations concerned at their potential for abuse.

“Some restrictions on people’s rights may be justifiable during a public health emergency, but people are being asked to sacrifice their privacy and turn over personal data for use by untested technologies,” Deborah Brown, senior digital rights researcher at Human Rights Watch, said last week.

“Containing the pandemic and reopening society are essential goals, but we can do this without pervasive surveillance.”

Erik Lastic, head of the political science department at the Comenius University in Bratislava, said the pandemic had only further underlined the failure of the Slovak state to keep pace with technology. For years, corruption and incompetence have stymied efforts to create an effective digital public administration system. 

“The last decade, at the least, has shown that the state is failing in the development of any information systems,” said Lastic, also taking part in the online discussion. “It would be very unrealistic to expect that the pandemic can suddenly change that.”

Lastic said it was “good” that legislation introduced to combat COVID-19 was limited to the end of 2020, but that the experience of some countries, particularly in sidestepping legal restraints in the fight against terrorism since the 9/11 attacks on the United States, showed the need for vigilance.

“It would be naïve to trust that the state would limit itself and that it wouldn’t use tools that had worked well for it once,” he said.

A Password Pandemic. How Did a COVID-19 Password End Up Online?

The Covid-19 Information System is centralized software for collecting, analyzing and storing data on all persons monitored for the purpose of controlling and suppressing the pandemic in Serbia.

A SHARE Foundation screen shot of instructions on how to enter the database, which includes how employees were told that they can log in their shifts in the COVID-19 infirmary. Password and user names were also made public.

How did we get this data?

Along with the state of emergency, the Government of Serbia introduced numerous measures to tackle the pandemic, which included collecting and processing personal data in unprecedented circumstances.

The Government also informed citizens about these measures by issuing conclusions that were unclear and lacked detail, none of which specified who was supposed to process the citizens’ data and how.

In an effort to understand the data flow and implications on citizens’ rights, we explored the new normative framework through publicly available sources. By searching keywords on Google, we accidentally discovered the page containing access information for the COVID-19 Information System. The data was published on the 9th of April.

In addition, we also managed to obtain manuals with instructions for navigating the centralised system webpage.

Which data was at risk?

Under the Government’s Conclusion on establishing the Covid-19 Information System, a significant number of health institutions are required to use this software to keep records on cured, deceased and tested persons (whether positive or negative), as well as on persons currently being treated, in self-isolation or placed in temporary hospitals, including their location data. The system also contains data on persons who are possible disease-carriers due to their contact with other infected persons. The institutions are required to provide daily data updates, as these are the basis of the daily report read at 15 o’clock.

While attempting to clarify how our data is being stored, we could not have imagined that we would discover the access password and thus be able to enter the system – just as anyone else who may have found this webpage. It was immediately clear to us that citizens’ most sensitive data was endangered and that the integrity of the system, crucially important in the fight against the pandemic, could not be guaranteed.

We did not log into the system, which would anyway record such an attempt. Instead, we reported the case to competent authorities: the Commissioner for Information of Public Importance and Personal Data Protection, the National CERT and the Ministry of Trade, Tourism and Telecommunications.

Being aware of the risk of misuse arising with the accessibility of citizens’ sensitive data, we have decided to notify the public of the incident only after making sure that the authorities had prevented unauthorized access to the system.

A SHARE Foundation screen shot of an email sent to competent authorities: the Commissioner for Information of Public Importance and Personal Data Protection, Ministry of Trade, Tourism and Telecommunications and National CERT. SHARE urged the authorities to act in accordance with their rules and to appropriately inform them on the action.

How did the competent bodies react?

Less than an hour following our report, we were informed that the initial steps were taken as a response to the incident, making sure that the web page containing the username and the password is no longer publicly available.

Given the scope of the case, we may expect further action from the competent bodies. The Commissioner has the authority to initiate monitoring in line with the Law on Personal Data Protection, the competent ministry is in charge of the inspection monitoring in line with the Law on Information Security, whereas the National CERT has the obligation to provide advice and recommendations in case of an incident.

Who’s to blame?

Aware of the pressure put on health services at the peak of the pandemic, we agreed that, for now, it would be appropriate not to publish the information on the specific health institution in which the incident took place. On the other hand, there is no doubt that the scale of this incident demands that the responsibility for its occurrence is properly determined.

The national legislative framework provides various mechanisms to prevent these kinds of situations, but the occurrences in practice are often far from the prescribed standards. Although they handle particularly sensitive data, health workers are often unaware of all possible risks present in the digital era. Health institutions are required to appoint a data protection officer, but due to limited resources, persons with insufficient expertise and unrelated primary job concerns are usually appointed to this position. In this specific case, the data protection officer may have been a person who takes care of corona-infected persons on a daily basis.

As today’s data protection demands the involvement of an IT expert, this requirement causes an additional burden to the public health institutions’ budget. Sometimes this means that the same person deals with all technical issues within an institution, while being paid far less than their private sector counterparts and without the opportunity to build further information security expertise.

The Covid-19 Information System established by the Government represents a key point in a complex architecture for collecting and processing all defined data. Data collection occurs through different channels, while a single health institution is only one entry point into the system. In such a system, it is rather difficult to implement protection measures at the level of each entry point, meaning they should be defined at the central level, which would significantly lower the risk of incidents. Based on this case, we have concluded that only one user account was created for each of the health institutions, which makes it impossible to determine individual responsibility for misuse of the system.

What should have been done?

Without doubt, this is an ICT system of special importance within which special categories of personal data are being processed. As such, it implies the necessity to undertake all measures stipulated by the Law on Information Security and the Law on Personal Data Protection in the phases of its development and implementation. SHARE Foundation explored these measures in great detail in its Guidebook on Personal Data Protection and Guidebook on ICT Systems of Special Importance.

By any means, it is necessary to fully implement privacy by design and security by design principles, which entail the following regarding the access to a system:

  • Every system user has their own access account
  • Every system user has the authorisation to process only the data necessary for their line of work
  • Access passwords are not published via an open network
  • A standard on password complexity is put in place
  • The number of incorrect password entries is limited
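
A minimal sketch of four of the access rules listed above (individual accounts, need-to-know authorisation, a password complexity standard and a limit on failed entries), added here as an illustration and not code from the Covid-19 Information System or from SHARE Foundation. The role names, data categories, the 12-character rule and the five-attempt limit are assumptions.

```python
import hashlib, hmac, os, re

MAX_FAILED = 5  # assumed limit; the page does not give a number
# Hypothetical roles mapped to the only data categories each may process.
ROLE_SCOPES = {"lab": {"test_results"}, "ward": {"test_results", "treatment"}}

class AccessControl:
    def __init__(self):
        self.users = {}  # one entry per person, never per institution
        self.audit = []  # (username, action, outcome): individual accountability

    @staticmethod
    def strong(pw):
        # Assumed complexity standard: 12+ chars with lower, upper and digit.
        return len(pw) >= 12 and all(
            re.search(p, pw) for p in (r"[a-z]", r"[A-Z]", r"\d"))

    @staticmethod
    def _hash(pw, salt):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

    def register(self, username, pw, role):
        if username in self.users or role not in ROLE_SCOPES:
            raise ValueError("duplicate account or unknown role")
        if not self.strong(pw):
            raise ValueError("password fails the complexity standard")
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": self._hash(pw, salt),
                                "role": role, "failed": 0}

    def login(self, username, pw):
        u = self.users.get(username)
        if u is None or u["failed"] >= MAX_FAILED:  # unknown or locked out
            self.audit.append((username, "login", "denied"))
            return False
        ok = hmac.compare_digest(u["hash"], self._hash(pw, u["salt"]))
        u["failed"] = 0 if ok else u["failed"] + 1
        self.audit.append((username, "login", "ok" if ok else "bad password"))
        return ok

    def may_read(self, username, category):
        # Least privilege: the role decides which categories are visible.
        allowed = category in ROLE_SCOPES[self.users[username]["role"]]
        self.audit.append((username, "read:" + category,
                           "ok" if allowed else "denied"))
        return allowed
```

Because every audit entry carries a personal username, a misuse can be traced to one person, which a single account shared by a whole institution cannot provide.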

Our accidental discovery on Google revealed a breach of security and data protection standards within the health system. The state of emergency instituted due to the pandemic cannot serve as an excuse for a job poorly done, nor can it serve as an obstacle to conducting an immediate detailed analysis of the compliance of the Covid-19 Information System with security standards.

Montenegro Medic Arrested for Publishing List of Coronavirus Patients

Montenegro’s Prosecutor’s Office said the medical staffer in the Health Centre in the capital Podgorica, known only by the initials M.R., had been arrested by police for the crime of unauthorized collection and use of personal information.

“As an official, he is in charge of publishing information on COVID-19 patients through the IDO system, which he forwarded via Viber to other persons who, although his colleagues, are not authorized to dispose of this information,” the Prosecution said in a press release.

After the list of names of infected people and their ID numbers was published on Friday, the Montenegrin government demanded an investigation, which the Prosecutor’s Office led.

Civil society organizations and opposition parties also agreed that publishing the names of infected patients on social media violated their basic human rights and could lead to serious consequences. “We have to respect people’s privacy and stop the stigmatization of infected citizens,” the Civic Alliance, an NGO, said.

That was not the first time patients’ rights in Montenegro were violated in this way. On March 18, the identities of coronavirus patients were published by social media users and the photos of one patient and her family were also posted online.

On March 22, the government itself published the names of people who had been ordered to self-isolate, arguing that some of them had not respected the order.

The government said it had received the consent of the Agency for Personal Data Protection for this, and had decided that the lives and health of Montenegrin citizens came first. Despite concerns voiced by opposition parties and civil society groups, the government has continued to publish such lists.

There have been 248 confirmed novel coronavirus cases in the country of some 630,000 people so far, two of whom have died.

Montenegrin Coronavirus Patients’ Identities Exposed Online

After Montenegrin Prime Minister Dusko Markovic announced on Tuesday evening that the country had its first two coronavirus cases, the patients’ identities were published by social media users.

Photos of one of the patients and her family were also posted online.

The ethnicities and religious beliefs of the patients were then targeted with hate-speech comments by some people on social networks.

The Montenegrin Association against AIDS, CAZAS, said that every patient has the right to privacy and medical confidentiality.

“If you share photos of people who are infected on social networks and spread information about their health, you are directly violating [their] privacy and patient’s rights. There can be legal consequences for doing that,” CAZAS said in a press release.

President of the NGO Civic Alliance, Boris Raonic, warned about the danger of intolerance spreading in the country as a result of the coronavirus.

“The stigmatisation of the infected and their families is a great danger in the coming period,” Raonic wrote on Twitter.

The first two coronavirus patients in the country had both recently returned to Montenegro, from Spain and from the US. One patient is from the city of Ulcinj and the other from the capital Podgorica.

Montenegro is a multi-ethnic state and is highly unusual in having no overwhelming community that makes up over half of its population.

About 45 per cent of the population identify as Montenegrins and about 29 per cent as Serbs. Albanians make up about 5 per cent of the population.

Data Collection of Hotel Guests in Hungary Causes Concern

From the beginning of the year, data on all hotel guests staying in Hungary has gone into a central database, drawing concerns from the National Authority for Data Protection and human rights groups about its use and storage. 

The Hungarian Tourism Agency, the MTU, insists that collection of the data is the responsibility of accommodation owners. But many say they are suffering as a result.

“Many of our guests are reluctant to hand over their passports with all their personal data. Despite my telling them that this is a legal obligation, they leave with a bad experience. So they give us bad ratings on booking sites, which depresses our turnover,” a man who runs a small accommodation centre in Budapest told the Magyar Narancs weekly. 

The latest innovation of the government in tourism, the National Tourism Data Supply Centre, NTAK, was launched in mid-2019 and has been fully effective since January 1, 2020. 

The basic idea is to help develop a tourism strategy and reduce the number of accommodation centres that do not operate in a completely legal way. All those offering accommodation, from big hotels to small Airbnbs, have to report their data on a daily basis.

Data on income, rooms, reservations and all guests have to be submitted to NTAK. Hotels can use their own software to communicate with it. Smaller service providers use the web-based Az Én Vendégszobám (My Guestroom) system, offered by the MTU free of charge.

While the collection of financial data is widely welcomed in the sector due to the large number of illegal or half-legal guestroom lettings, the collection of personal data raises more questions. 

The programme collects the names of guests, their citizenship, date and place of birth, sex, mother’s name, number of travel documents, zip code and country of residence. There is a possibility of storing emails and phone numbers as well. It is not clear, however, exactly what kind of data is stored and who can access it. While hotels and Airbnb in many countries gather personal data of their guests, it is unusual to have one central database run by the state.

The MTU says the personal data is stored and handled only by the accommodation providers, not by them. However, according to the description of the NTAK, the system stores personal data in encrypted form. In addition, the software offered by MTU is web-based and stores all the data in the central server.

The current law does not specify what data the tourism agency is allowed to collect and states that the MTU can store personal data but not access it.

New legislation will be effective only from September. That will settle many questions, like specifying what data the agency can collect, what has to be encrypted, and more. But the legislation that comes into force in September also allows the police to search the data stored in the data-centre. Also, the agency is sending the data on all third-country guests to the National Directorate General for Aliens Policing. If the personal data was really encrypted, this would be impossible. Magyar Narancs sent several questions to MTÜ before publication, but its reply was only a statement without concrete answers to the queries.

Ádám Ramport, from the Hungarian Civil Liberties Union, HCLU, a human rights NGO, argues this could be seen as a pooling data gathering, which is unconstitutional. 

The National Authority for Data Protection also wrote in a statement that the need for this data collection is not well reasoned. It questioned why the Aliens Policing department is allowed to keep the submitted data for five years. The practice is “a further restriction of … the right to the protection of personal data”, the authority summarized.
