State systems illegally passing around personal data on massive scale
In March a service was added to the Eesti.ee online portal that allows users to see which government institutions have accessed their personal data. According to daily Eesti Päevaleht, there are plenty of illegal queries.
As the paper wrote on Tuesday, the Unemployment Insurance Fund, the E-Health System, notaries, and plenty of others regularly break the law by accessing people’s personal data without a legally valid reason.
What happens is that every time e.g. someone’s general practitioner accesses their data, the system automatically also displays their immediate relatives and their personal ID codes. This data represents a series of illegal queries by the system.
In practice, this means that anyone checking on the state systems’ use of their data may see a history of queries they have no explanation for, e.g. doctors accessing their personal data though they haven’t had an appointment in some time.
These automatic queries will have to be dealt with, as any similar passing-on of personal data done by a physical person would bring along with it a €1,200 fine by the Data Protection Inspectorate.
If a legal person, i.e. a company or a similar institution, hands on the same kind of information illegally, the fine is €32,000.
The situation is also problematic because hundreds of companies and institutions and thousands of state system accounts have this kind of access. “Thanks to the data tracker it has become clear that the information systems of plenty of institutions apply only the broader query also for their services that don’t require the data of connected persons. Those institutions where the problem has come up are already improving their systems,” the Data Protection Inspectorate’s press spokeswoman, Maire Iro, said.
According to Iro the inspectorate does not have a complete overview of all the institutions affected, but that local government, liquidators, and notaries had already begun to check their queries.
Editor: Dario Cavegn