Different institutions have many different ways of making part of their services electronically available to citizens. That is the reason why it is inevitable to look for different models of establishing a system for the protection and security of personal data when using those services. When it comes to different models of protection and security of personal data, the first matter that comes to mind is the technical aspect because some of the services are available through e-portals where citizens need to create their own profile to be able to use the service (uslugi.gov.mk). Some of the services are available through mobile applications whose use in some cases is conditioned by connection to another database (“Moj DDV”), or by turning on Bluetooth (StopKorona). Other services are included in the provided electronic services although the citizens cannot use them on their own. Their use requires mediation from authorized persons (“Moj Termin”, e-recept).

What most e-services currently have in common is the absence of a transparent and easily accessible Privacy Policy.

“Moj DDV”

The mobile application “Moj DDV” is available on Google Play Store and App Store, and before the installation, citizens can inform themselves about the technical specifications, the way of scanning the receipts and also, they can find the answers to frequently asked questions. What is missing is a Privacy Policy that easily explains the measures taken by the Public Revenue Office for the security and protection of personal data of citizens that are processed by using the application.

An additional confusion for the citizens who want to be informed about their right to privacy is the presentation of the Usage Policy of UJP.GOV.MK from 2017 as a document that also regulates the protection of personal data of the users of “Moj DDV”. This Policy cannot be treated as a Privacy Policy for the users of the mobile application because the purpose for which the data is processed during the use of the application and the volume of data processed do not correspond to the purposes and the volume of data when using UJP.GOV .MK.

StopKorona

The StopKorona! mobile application is intended for detecting close contact with potentially infected persons through a procedure for detection of proximity to mobile devices/applications via Bluetooth technology, and its use is based on the consent of the personal data subject, i.e. voluntary download by citizens.

While analyzing the Privacy Policy, available at stop.koronavirus.gov.mk, it can be noticed that this Policy contains most of the information needed to inform citizens and at the same time it respects the principle of transparency in the personal data processing.

The recommendation for improvement of the Privacy Policy is aimed at providing additional information regarding several issues: contact information from the Ministry of Health and/or the Personal Data Protection Officer, how citizens can request correction or deletion of personal data, whether and in which cases will the Ministry of Health share the data collected through the mobile application with other institutions, and information on whether the Ministry of Health intends, at some point, to transfer personal data to a third country or international organization.

Additionally, the Privacy Policy should contain information and contacts from law enforcement agencies in the field of personal data protection.

Electronic Registry – E-portal

The Office for Management of Registers of Births, Marriages and Deaths under the Ministry of Justice has created an Electronic Registry through which citizens can apply for services under the jurisdiction of this institution. Each user needs to create their own username and password to continue using the services. The nature of the services, i.e. the documents for which one can apply through this portal inevitably requires the entry of a large amount of personal data (some of which are sensitive). Additionally, the portal provides the possibility for electronic payment, so that in addition to the legally established personal data, the citizen must also enter their bank account information, card number, etc.

The Electronic Registry does not have a Privacy Policy. Instead, there is only one sentence related to security: “As identity theft is on the rise, we are committed to the security and protection of your online identity. The issue of certificates requires certain (specific) personal information; however, we actively protect your information by adhering to strict security measures throughout our process, including full encryption and firewall protection for your complete online transaction."

The lack of a Privacy Policy for services that use large amounts of data as well as sensitive personal data is unacceptable.

No matter of the way in which e-services are available to the citizens, the legislation on personal data protection sets the standards for their legal functioning. According to the Law on Personal Data Protection and the General Data Protection Regulation (GDPR), every institution when defining the conditions for the functioning of e-services should start from the legality of personal data processing and the principle of transparency in such processing. When the personal data is collected from citizens, the controller, in this case the institutions in charge of providing the services, at the moment of collecting the personal data, provide the following information: categories of personal data collected during the use of the e-service, legal basis for collecting personal data, identity and contact data of the controller as well as the Personal Data Protection Officer, the purposes of the processing for which the personal data are intended, information on whether the controller intends to transfer personal data to a third country or international organization, the time period for which the personal data will be stored, the way in which the citizens can exercise their rights of access, correct or delete their personal data, the right to withdraw consent at any time, the right to submit a request to the Agency for Personal Data Protection, and information on whether the controller intends to continue processing personal data for a purpose other than that for which personal data are collected in the first place.

Author: Metamorphosis Foundation