Personal information is collected everywhere - in a hospital, is a shoe store or in a social network. We started signing agreements to processing of our personal data without thinking about possible consequences. In an interview with the chairman of the State Privacy Agency of Ukraine Oleksiy Mervinski, ForUm asked about how to protect information about oneself.
- What kind of information is covered by the notion "personal data"?
- "Personal data" means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity - photo, video, fingerprint, iris of the eye, telephone number, bank account, IP address, etc.
If I say: a woman, a lawyer, 50 years old, these are three categories of personal data, but such data set can bring you to a concrete person only under certain circumstances. For example, if I speak at a meeting of the Agency, other members will understand whom I am talking about, but if I reveal this data in public or in private conversation, it is impossible to indentify a concrete person following only these three categories. None of the European countries has a fixed list of information, considered as personal data.
- Is information I publish in Internet and social network included into this category?
- Yes. Information in Internet is easy to find and associate with other data. Moreover, everything recorded by video surveillance is also our personal data. Sometimes we do not know where and when we appeared on cameras because we did not know that this or that place was video surveyed. For this, we need to work out a mechanism to solve this issue.
In Britain, for example, there is a separate document, regulating the rules and order of installation of video cameras in pub premises. The document forbids installing video cameras in front of public services, as analyzing the frequency a person visits this place it is possible to make indirect conclusions about his health, and this has everything to do with crediting or other financial matters. This category of personal data is considered "sensitive".
As for the global net, if any piece of information once gets in there, it is impossible to take it out.
- What is the State registry of personal data databases for?
- The law on protection of personal data guarantees the right for non-invasion of privacy. To observe this right we need a mechanism, which would monitor the existing databases. For this, the State Privacy Agency has created the State registry, and every person can visit its website to learn about a personal data database of interest, its owner and activity. A person can demand to remove his personal data from this or that database in case it has been collected with violations or is unreliable.
For the moment, the State registry contains more than 40 thousand records about registered databases of personal data
- Do commercial structures undergo registration in the State registry as well?
- All owners of personal data databases must undergo state registration. The new version of the law makes exceptions only for religious organizations, trade unions and public organizations. However, the problem is that the State Privacy Agency staff (six workers) physically cannot register in time more than two million applications for registration and update already registered databases.
The good thing is that the majority of personal data holders understands what they deal with and undertakes the obligation to protect the data.
- How can we protect our personal data to avoid the information leak?
- First of all, we should care about our personal data. Every time we are asked to give the phone number or any other personal information, we should not hesitate to ask what for they need it and whether it is provided by the legislation.
Take for example a situation, when a company calls you to offer its services. It is easy to jump on a caller and hang up on him. But they will keep calling. However, if you spend 2-3 minutes explaining the caller that he violates the law on protection of personal data and warning him about legal consequences in case of repeated calls, the reaction will be different. The experience proves that "unwelcomed" calls stop.
Every time you are offered to sign an agreement, take care to read carefully what you are going to sign and to check whether it meets the legislation on personal data protection.
- How can we defend our rights in case of misuse of our persona data?
- A person can demand to remove his personal data from this or that database in case it has been collected with violations or is unreliable. The only condition is that such demand must be grounded.
Violations in the sphere of personal data protection are stipulated by the law. On February 7, for example, the court imposed a 3400 hryvnias fine on an official who was found guilty in violating privacy rights.
- Do such norms cover Internet space?
- They do, but unfortunately, we do not have many examples of proving the violations. There was a case when a website published scanned copies of passports of citizens who poorly performed their duties. It was supposed to be a warning for others, but it also was a violation of the legislation on protection of personal data. When the State Privacy Agency studied the case and explained the wrongdoing, the passport photos were removed from the webpage.
However, the problem is that in the majority of cases it is impossible to find owners of such websites for various reasons. For this, the Agency has signed memorandums on cooperation with relevant authorities of other countries in case owners of websites of interest are non-residents. Moreover, the All-Ukrainian association on protection of personal data has conducted a public monitoring of Ukrainian web-resources to find out whether they comply with the European requirement on provision of transparent and open processing of personal data. The results show that three forth of domestic web-resources ignore both the requirement and the ratified Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
Every reader can learn the results of the monitoring, draw conclusions about the situation, and define further behavior in the Internet space.
- What are the advantages of the Law on protection of personal data?
- Unlike previous laws on personal data, the current law has the article 8, which provides and clearly defines the rights, including the right to withdraw previous consent on processing of personal data, as well as the right for protection from automated decision, which has legal consequences.
- Ukraine plans to introduce biometric passports. Does it also plan to protect this huge database of personal data?
- Obviously. Ukraine has a law, providing protection of information and personal data, processed by information and telecommunication systems. The matter is regulated by the legislation and belongs to the sphere of competence of the authorized state agency.
Note: In February of 2013, the All-Ukrainian association on protection of personal data conducted a public monitoring of Ukrainian web-resources to find out whether they comply with the European requirement on provision of transparent and open processing of personal data. The monitoring was conducted by three specialists, who studied news websites and service providing web-resources (sale of teapots, for example). The results show that three forth of domestic web-resources provide minimal information about owners, who also happen to own personal data databases. The matter concerns a legal entity, responsible for received information. According to the legislation, this legal entity must observe the user's right for non-invasion of privacy.
Tetyana Hryhoriyeva
