Report on selected privacy problems in the Czech Republic

24. 8. 2010 | 08:34

The report was prepared under the international project "Personal data rights? Informing and sensitizing the Young European Citizens", in which five organizations participated: French League of Human Rights (LDH), European Association for the Defense of Human Rights (AEDH), Iuridicum Remedium and the Spanish organization Comunicació per a la Cooperació (Pangea). The study focuses on five main topics: Mobility and transportation, Biological Identity, Interpersonal communications, Social networks as new gate keepers of communications, and Databases of the data of the youth.

 

Summary and Findings

Mobility and transportation
Biological Identity
Interpersonal communications
Social networks as new gate keepers of communications
Databases of the data of the youth

Recommendations

Mobility and transportation
Biological Identity
Interpersonal communications
Social networks as new gate keepers of communications
Databases of the data of the youth
 

The complete study:

Methodology and summary Czech Republic
Central repository of electronic prescriptions
Data Retention
DNA Database
Facebook
Genomac
Health Register
In-karta
Libimseti.cz
Lide.cz
Opencard
PNR
School Registers – primary, secondary and high schools (RgS)
Students' Registers - Sdružené informace matrik studentů (SIMS)

 


Mobility and transportation
Two of the selected examples (the IN-card of Czech Railways and Prague's Opencard) show the extent and risks of the newly introduced RFID chip technology in cards used as season discount cards in public transportation. Both projects were rolled out without a proper assessment of the privacy risks, and these risks have not been properly analyzed even two years after the start of the projects. The projects are also quietly broadening their scale (introduction of other services and other groups of users). They do not give users the choice of an anonymous service at an adequate cost. Users are not properly informed of the extent to which their personal data are being processed, nor of their rights regarding the retained data. As the DPA Annual Report 2008 states on the results of its inspections of RFID-related projects: “It can also be inferred from the course of the controls that, neither in decision-making on introduction of the new technology nor in the preparation of the relevant projects are the duties following from the Personal Data Protection Act taken into account.” This raises the question of whether adopting new legislation dealing specifically with RFID chips could improve the situation.
The third example of a technology in this chapter, PNR data transfers, shows the persisting practice of personal data transfers that contravene European legislation, and the trend towards expanding this controversial practice worldwide, including attempts to introduce an EU PNR scheme.

Biological identity
Two cases are represented in this study: one state institution (the National DNA database) and one private company (Genomac), both dealing with the new technology of DNA analysis and the related databases of profiles and DNA samples. In both cases, serious misconduct was recently confirmed by an inspection of the Czech DPA. Both cases also demonstrate the need for new legislation specifically regulating DNA databases, and the necessity of a broader public awareness campaign on the privacy risks of compromising the sensitive information contained in DNA profiles.
Another example in this chapter shows an increasing trend of state health policy institutions creating databases containing sensitive information on the health status of patients. Fourteen eHealth registers were created in recent years without clarification of their purpose and without respect for the free consent of the patient to the processing of data. The data retention periods of those registers also seem to be defined rather randomly. A new register, built from early 2009 until the end of summer 2009, the Central repository of electronic prescriptions, even lacked a legislative basis, and there were indications that, due to the outsourcing of the sensitive data processing, the data may have ended up in the hands of private health insurance companies.

Interpersonal communications
The example of data gathering and retention on the greatest scale is that of the providers of telecommunication and electronic communication services. It demonstrates the necessity of an assessment of the legislation and practice by the Constitutional Court, as well as of a broader public discussion on the practice of retaining data on electronic communication.

Social networks as new gate keepers of communications
For this chapter the team selected four cases of the most popular social networking services in the Czech Republic. Despite a series of awareness campaigns by service providers, the DPA, state institutions and NGOs, targeted at young users of the services and at the protection of privacy on the Internet, companies providing social network services have not adopted a transparent information policy on the way they process or share the data of their users. Some of the security arrangements introduced by the providers of the services were found insufficient. Although there has recently been some public discussion of the risks related to the misuse of data posted on the Internet (for instance for profiling candidates for employment by companies), many of the users still ignore the possible risks.

Databases of the data of the youth
Apart from the four defined areas of research, the Iuridicum Remedium team also decided to add two more cases to the report. This decision was supported by the previously declared ambition of the report to reflect on the practice of data protection and data protection risks with special emphasis on protection of the data of the youth. In the last decade, state authorities responsible for education policy started to create centralized databases of personal data of the general population of students and pupils. However, the whole concept of these registers is unclear, and sometimes lacks proper legislation. The free consent of the students to the processing of the data is not respected, and the assessment of the privacy risks was not properly completed. Information on measures concerning the right to access and edit the data and the auditing of access to the data is not publicly available.

 

Recommendations

 

Mobility and transportation
A rule requiring the introduction of anonymous cards instead of non-anonymous cards wherever possible should be clearly established by new legislation or by “softer” transport company codes of conduct. A regular privacy assessment procedure (Privacy Impact Assessment) should be established for any RFID-related project with a possibly larger impact on citizens' rights. This procedure might be carried out by an independent auditing organisation, published and submitted to the DPA.

Biological identity
Any newly established or already existing database of biological data needs to respect, to the greatest possible extent, the principles of free and informed consent of the patient to the processing of the data, clearly define data retention periods and clearly define the purpose of the processing of the data. A legislative change, especially in the area of DNA processing, would probably be necessary. Any newly prepared legislation (on e-health and similar databases) must adhere to the principles of data protection. A campaign raising awareness of the risks related to the processing of sensitive information, for health specialists as well as for the broader public, would be useful in this context.

Interpersonal communication
The constitutionality of the provisions and practice of data retention should be assessed by the Czech Constitutional Court.
An awareness campaign should be organized on the fundamental right to confidential communications guaranteed to individuals by Article 8 of the European Convention on Human Rights, and on the actual practice and extent of the traffic and location data stored by ISPs and telecommunication providers and transferred to the Police.

Social networks
Special focus needs to be given to the practice of retaining data even from cancelled profiles, and to the rules for the transfer and processing of data by third parties (government bodies, other service providers, marketing and advertising companies). Companies providing social network services also have to adopt a transparent information policy on the way they process or share the data of the users.
An awareness campaign needs to be organized on the rights of the users of social networks, on the implementation of better privacy protection practices by individual companies, and on better informing about how they process personal data.

Databases of the data of the youth
The reasons for collecting the data and the very concept of centralised student and youth registers should be clarified. The clear legal bases of the registers must, to the greatest possible extent, respect the principles of free consent of the students/parents to the processing of the data. The system of identifying students by their birth number must be replaced with a source identifier. Clear and strict measures on the right to access and edit the data and on the auditing of access to the data should be imposed.
An awareness campaign on the extent of the data currently processed and on the importance of free consent in data protection needs to be organized.
 
