Personal data of over 1,000 individuals who received state-funded legal aid was public online on the Ministry of Justice's document registry for close to a month. The oversight may require the ministry to inform data protection authorities of a violation.
The information listed names and the reason the person had obtained legal aid, such as for divorce maintenance payments.
An example reported by ERR's online Estonian news stated that "Mari" [name changed], who works as a hairdresser in Tartu and has two small children, had a consultation with a lawyer in June. "Divorce" is listed as a term next to Mari's name.
Another case saw "Liina" [name changed], together with information on why Liina's father cannot be found online, followed by a tag of "descent and livelihood."
The document itself was drawn up by private sector legal advice firm Hugo. The firm submits an activity report to the ministry every month in return for payment; the legal advice itself is free to the individuals listed.
The firm's June report was made public, listing nearly 1,000 names and over 2,000 instances of legal advice it had given – some of the individuals consulted with a lawyer multiple times. Hugo has been providing its services for around four years.
Hugo board member: Human error to blame
Erki Pisuke, board member at Hugo OÜ, told ERR the Ministry of Justice monitors the service his company provides.
"I think when it comes to state support, it's understandable that there are some checks over public money. The documents you refer to have simply entered that [public] database due to human error, and have now been removed from it," he said.
Ministry of Justice: We apologize
The justice ministry said it regretted the incident and an investigation has been launched to determine the cause.
Kertu Laadoga, the ministry's public relations adviser, told ERR: "The Ministry of Justice regrets the reporting used to monitor the quality and relevance of the service provided [by Hugo], at the expense of state budget funds, has become public via our document register, together with personal data."
If a data protection violation is found, the ministry must notify the Data Protection Inspectorate (Andmekaitse Inspektsioon).
"If, in the course of further assessment of the incident, it turns out that the information publicly displayed also posed a threat to the rights and freedoms of natural persons, we are obliged to notify the Data Protection Inspectorate within 72 hours of becoming aware of the violation," Laadoga said.
The listing of names, dates that advice was given and the area of the law in question was a requirement for the service, ERR reports; while further documentation on the legal cases was not leaked, those with less common names could potentially have been identified from what had been posted online.
Questions of legality of the database
A separate question is whether such a database can be maintained at all, ERR reports.
The law states that a legal professional is required to maintain the confidentiality of information which has become known to him or her during the provision of or recourse to legal services, as well as the amount of fees paid for legal services.
However, Erki Pisuke said these rules do not apply to the service Hugo provides since the firm's advisers are not full lawyers belonging to the Estonian Bar Association (Eesti Advokatuur), although best practices are still followed.
"These responsibilities are for lawyers. Hugo lawyers are not advocates, they are not members of the bar association, so this principle does not apply directly here. But of course, lawyers also fulfil this requirement in their reality. All information entrusted to them is stored according to the same requirements."
Kertu Laadoga confirmed the justice ministry required the name of an individual who received the legal advice, together with time spent, to ensure compliance with the state support limit set for each individual applying for legal aid.
It also ensures that legal aid is not being given on matters which it is not permitted to be used for, such as in criminal proceedings.
"Data in the field of advised law is obtained to check whether the requirements of the regulation have not been violated. For example, a contractor is not allowed to advise persons on imprisonment issues, self-employment tax disputes, advising suspects and accused persons in criminal proceedings, etc."
Laadoga added that staff at the ministry have a confidentiality obligation with regard to personal data of those seeking legal aid.
Editor: Andrew Whyte