Personal data eng

P R O B L E M I S S U E SI N P E R S O N A LD ATA P R O T E C T I O NAT T H E N AT I O N A L L E V E L

P R E PA R E D BY T H E R H R PA " B E L A R U S I A N H E L S I N K I C O M M I T T E E "

Use and protection of personal data becomes more and more relevant issue because of development of informational technologies. Belarus is no exception.

Many people know that our personal data is collected, summarized, and retained by state bodies. But not many people know which data is col-lected, how it is protected, what it is used for, and whom it is transferred to.

This information will help you to fill this gap.

Population Register

Credit Register

Personal Record-Keeping

United State Delict Data Bank

Dactyloscopy RegistrationDatabank

Database of nationalswhose right to departurewas temporarily restricted

Mobile networks user database

retained by the Ministry of Internal Affairs



retained by the Social Protection Fund

retained by the National Bank

retained by mobile network operators

Automated InformationData System "Raschet"retained by the National Bank


D ATA B A S E S U N D E R R E V I E W

Main criteria for comparison of personal data databases

Whether the registerof users who enter the data is kept

Whether the datausers are registered

Whether the purpose for retaining the data is provided

Whether the closedregister of the collecteddata is provided

Whether the personis enabled to learn whogot access to his data

Whether the responsibilityfor leaks is stipulated

Whether reasonableretention periodis provided for the data

Whether the data can be deleted

C R I T E R I A F O R C O M PA R I S O N

Population Register

Credit Register



Dactyloscopic RegistrationDatabase

Database of nationals whose rightto departure is temporarily restricted

Mobile network users database

Automated InformationData System "Raschet"

Whether the registerof users who enter

the data is kept

legislation regulates this issue

no legislation regulatesthis issue or is too general

legislation does not protectpersonal data

Whether the closedregister of the collected

data is provided

Whether reasonableretention period is

provided for the dataWhether the data

users are registeredWhether the person

is enabled to learn whogot access to his data

Whether the datacan be deleted

Whether the purposefor retaining the data

is provided

Whetherthe responsibility

for leaks is stipulated

A S C E R TA I N E D F E AT U R E S

The data user is registered automatically or manually

The purposes for collecting and retaining data are too general and unspecific

Authorized employees are responsible for illegal provision or distribution of personal data which they learned because of their official (work) duties, even after they ceased to perform them

The data is retained permanently. When a person dies, his data is filed

Population Register



The insured who make payments, are registered when they access data; but the remote data access by the Ministry of Internal Affairs is not registered

It can be enlarged with "other data which is needed to grant or pay a pension or an allowance"

Responsibility for the leak is stipulated by the Administrative and Criminal Codes

The data is retained for life, but it answers its purpose: granting and paying pensions


Credit Register


The data user is registered when the interested party files an application and with the individual's consent. No such consent is needed if the data is requested by courts, law enforcement bodies, notaries (see the list of bodies in the Bank Code)

The special law stipulates no responsibility for the leak. It stipulates administrative responsibility for divulgation of trade (or other) secret (clause 22.13 of the Administrative Code)

The data is retained for 15 years after the credit agreement is terminated and the debt is discharged


The data is retained for 25 years after it is excluded (due to falsity) or filed(due to death or restrictions being lifted)

Database of nationals whose right to departure was temporarily restricted

Mobile networks user database


The data is retained for not less than 5 years

Data cannot be deleted

Automated Information Data System "Raschet"


Data is retained for 3 years

Data cannot be deleted

United State Delict Database


The data user is registered by way of registration of the inquiry of an interested body or an official

Retention period for crime data is 100 years; for delict data, it is 10 years. These periods are unreasonably long.

For example, a person is not considered being held administratively liable in a year after he was called to account; there is no need to retain such data for more than 1 year.


The data user is registered by way of registration of the inquiry of an interested body or an official

The purposes for collecting and retaining data are too general and unspecific

Dactyloscopic information is retained not less than until the person is 80 years old, or dead, or has retired or resigned

Data can be deleted when the retention period is over, or when a written application is filed in case the registration was voluntary, or if the suspicions have not been confirmed

Dactyloscopic Registration Database

Databases which retain it*full name & patronimycidentification numbersexdate of birthbirthplacedigital portrait photocitizenshipplace of residencedeath informationdisability, legal incapacitynearest relationsmarriagewardship, guardianshipstatus of being working, unemployed, inactivetax liabilitiesmilitary dutyeducationacademic degree (rank)labor activitypensions, supportcompulsory insurancecreditselectric communication serviceAIDS "Raschet" datadeparture restrictioncrimes and delicts datadactyloscopic information

Population Register

Credit Register


Dactyloscopic RegistrationDatabase

Database of nationals whose right to departureis temporarily restricted

Mobile networks usersdatabase

Automated Information Data System "Raschet"


P E R S O N A L D ATA

*main databases are listed

Entities which enter it to these databasesfull name & patronimycidentification numbersexdate of birthbirthplacedigital portrait photocitizenshipplace of residencedeath informationdisability, legal incapacitynearest relationsmarriagewardship, guardianshipstatus of being working, unemployed, inactivetax liabilitiesmilitary dutyeducationacademic degree (rank)labor activitypensions, supportcompulsory insurancecreditselectric communication serviceAIDS "Raschet" datadeparture restrictioncrimes and delicts datadactyloscopic information

Ministry of Internal Affairs

Social Protection FundState Security Committee

Ministry for Emergency Situations

Military registrationand enlistment offices

Ministry of taxation

Ministry of Education

Belgosstrakh

Executive committeesCourts

Civil Registry OfficesNational Bank

Operations and Analysis Centerunder the President

of the Republic of BelarusPresidential Security Service

Service providers

Ministry of Defense

Higher Attestation Commission

P E R S O N A L D ATA

There is no clear understandingwhat personal data is

Personal data is retainedin several databases

Total registrationof personal data accessesis not implemented

Information about national’sdata users is inaccessible

There is no real responsibility for illegal access and divulgenceof personal data

There is no uniform approachto retention periods

It is impossible to deletepersonal data by request

M A I N C O N C L U S I O N S

Definitions stipulated by the laws on population register and on information, informatization and information security, differ in scope. The law on register contains an exhaustive definition; the law on information attributes any data that can help identify the person to it. Such non-coordination of the key definition makes uniform approach to legal regulation of this sphere impossible.


There is no clear understanding what personal data is

Personal data is retained in different databases

Though the law on population register stipulates that the Ministry of Internal Affairs is the body responsible for the personal data databases, other bodies have their own databases with such information (National Bank retains credit histories, Social Protection Fund retains state social insurance data).


Total registration of personal data accessesis not implemented

National legislation contains no uniform approach to registration of the access to the personal data. The law on population register stipulates that each fact of access to the population register data should be registered online. Legislation contains no such requirement to personal data retained in other databases.


Information about national’s data usersis inaccessible

National legislation does not regulate the right of a national to be informed about who, when and why has got access to his personal data.


There is no real responsibility for illegal access and divulgence of personal data

Though the legislation stipulates responsibility for the leak and illegal access to personal data, it would be extremely difficult to prove guilt of any specific official in practice as the legislation does not oblige to register each fact of access to it.


There is no uniform approach to retention periods

National legislation does not contain uniform approach to the period of retention of personal data. International legal regulations of the personal data protection provide necessity to limit such periods to the duration needed to achieve the purpose of the data retention; Belarusian legislation stipulates that such periods can last until the national dies.

О С Н О В Н Ы Е В Ы В О Д Ы

It is impossible to delete personal data by request

The "to be forgotten" principle which has been formulated in international standards, is not implemented in various personal data databases. Databases which somehow have such option have unreasonably long retention periods for personal data.

О С Н О В Н Ы Е В Ы В О Д Ы

RHRPA “Belarusian Helsinki Committee”

220036, Republic of BelarusMinsk, Karl Liebknecht Street 68Office 1201

Phone: +375 17 222-48-00Fax: +375 17 222-48-01Email: [email protected]

BELHELCOM.ORG FACEBOOK.COM/BELHELCOM

Personal data eng

Technology

Transcript of Personal data eng