“F” diagnosis case also illustrates intolerably bad attitude of the state to personal data protection - Commissioner for Information of Public Importance and Personal Data Protection

The Commissioner for Information of Public Importance and Personal Data Protection ended the procedure of written supervision over the implementation of the Law on Personal Data Protection (LPDP) at the Ministry of Interior (MoI) and conducted direct supervision of the Police Directorate launched after Kikinda Police Department requested from the hospital in this city to provide data on citizens who are treated on the basis of the “F” health code.

The statement requested and received by the Commissioner from the MoI, states that the commander of the police department in Kikinda, during control activities of updating dossiers of the sector, requested these data from Kikinda General Hospital, in accordance with the Instruction on the method of organizing and conducting the internal affairs on security sector, where he disregarded the provisions of the Law on Personal Data Protection, and failed to inform the immediate superiors about it, neither received approval from them. It also states that disciplinary proceedings against him will be initiated, and that the case is an exception, and there were no such activities in other police departments.

Direct supervision that was carried out by authorized personnel in the Police Directorate confirmed these allegations, but also pointed to a number of other problems.

Starting from the facts established in the procedure the Commissioner is of the opinion that this is a problem which cannot and must not be reduced to the question of the responsibility of one “over-zealous” police officer, even to the attitude and responsibility of the MoI as a whole to the problem of unauthorized processing of personal data.

This case in Kikinda is one of a series of increasingly frequent illustrations of totally inadequate attitude towards the issue of protection of citizens’ personal data at the national, global level. This attitude has for years been characterized by the lack of necessary activities (which inevitably include appropriate education) as well as the failure to pass adequate regulations. Employees of MoI also pointed out this during the supervision procedure, citing as an example the proposal of the Law on Internal Affairs Records, which was already prepared in 2005 in good cooperation with the Commissioner, but has not been passed yet.

Pursuant to Article 42 of the Serbian Constitution only provision of the law may constitute a valid legal basis for processing personal data, it cannot be any bylaw.

The Commissioner, however, requested from the MoI, was approved and reviewed the “strictly confidential” Instruction labelled as “legal basis” for the provision of personal data of persons with “F” diagnosis. This instruction was issued by the Minister of Interior Vlajko Stojiljkovic more than 20 years ago. The instruction, contrary to Article 196 now, and Article 120 of then valid Constitution, is not published anywhere, and regardless of it, it should cease to have effect with the adoption of the Police Law of 2005, as it is drastically contrary to it. The instruction sets forth that dossiers of the sector contains “Overview of mentally ill patients”, namely their “generalities, physical description, type of disease, the manner of expressing, where and how long have they been treated, image, etc.”

The fact that, under any circumstances, any national authority, directly contrary not only to LPDP, but also the Law on Patients’ Rights and the Law on Protection of Persons with Mental Disorders, engages in collecting personal data, especially particularly sensitive data referring to such “Instruction” should be alarming for any responsible.

Alarming, but in these particular circumstances, expected fact, since, for example, it is persistently “forgotten” even that:

- The Government is like 7 years late with the adoption of the Action Plan for implementing the Strategy for Personal Data Protection,

- Preparation of a new, necessary Law on Personal Data Protection lasts 5 years, with no effect, and that, though verbally accepted, the Model Law was completely ignored, which was prepared as help and offered by the Commissioner,

- The Ministry of Justice and the Government are like amazing 8 years late with the preparation and adoption of the Regulation on the manner of filing and safeguards for particularly sensitive data,

- Competent prosecution’s offices, despite frequent, sometimes in scope and consequences dramatic violations of the right to personal data protection, virtually never initiate criminal proceedings against those responsible.

It is incomprehensible and irresponsible that the authorities do not understand that repeated violations of the citizens’ right to personal data protection imperatively require a complete change of their attitude towards this important issue.