Category Archives: Personal Data

Health data forwarded to cancer screening register despite user’s will


In the second half of June, she had discovered in the health portal that the National Institute for Health Development (TAI) had made 16 inquiries regarding her during this year. On closer inspection, it turned out that the queries came from the cancer screening register launched at the beginning of the year.

«I do not agree with the cancer screening register at TAI, or any other register, systematically collecting my health data. Health data are delicate and cannot be collected without permission by the individual. I request that my health data be immediately closed for TAI,» said Mr Sassian’s application to the social ministry. However, pursuant to the Public Health Act, data is forwarded to the cancer screening register even when an individual has closed her data in the system.

Maarja Kirss, adviser, Data Protection Inspectorate:

Meanwhile, the Public Health Act lays down the rights of TAI to obtain data from the health information system to perform tasks prescribed by law. Thus, an individual can only restrict access to health data when a health service provider is concerned, but not from other data processors whom the law obligates to process certain data.

Katrin Merike Nyman-Metcalf, technological law professor at Tallinn University of Technology:

There is no basis to think that the ministry is misinterpreting the law; rather, this is a much broader issue: what’s the worth of an option to lock data if these can still be used? Isn’t the option then just an illusion? Simply put: they do provide the option of privacy of data but in reality they use them anyway.


Estonian Police to start collecting personal data of air passengers


On January 1, 2016, the Estonian Police and Border Guard Board (PPA) will start collecting booking information for all flights to and from Estonia.

“The main reason for collecting PNR data is to fight cross-border crime, because drug and human traffickers, smugglers and the rest all make use of the broadened opportunities for free movement,” PNR project leader Kristi Laul said. “The PNR system will have a direct effect on public safety and have a positive effect on the state’s internal security and its ability to counter serious crimes.” The data will only be used to investigate terror threats and other serious crime. The database serves as a tool to find people who could pose a risk to public safety.

PNR, or Passenger Name Records, are, in essence, data about your flight details. Every time we travel by plane, either the airline or the travel agent needs a series of data to proceed with our reservation, including itinerary, contact details, forms of payment, accompanying guests, and sometimes food preferences.

Meanwhile, civil society groups, the European Parliament and the EU data protection watchdog, the European Data Protection Supervisor, have repeatedly highlighted the lack of evidence regarding the necessity and proportionality of this “massive and routine processing of data of non-suspicious passengers for law enforcement purposes.”


US Embassy collects personal data about people in Tallinn


Postimees possesses a document proving that a secret unit at the US Embassy has for years been surveying people on the streets of Tallinn, collecting personal data citing security, and entering those whose behaviour causes suspicion into a global terror database. All this is approved by the Estonian interior ministry and happens with the help of the police.

The rules regarding reporting suspicious behaviour are so strict that it seemingly takes only trivialities to get reported. As an example, the reports include a Tallinn housewife who often waits a long time for her child at the Südalinna School. Or take the old lady walking her dog in Lembitu Park. Need some more? A report has also been filed on a man who attends Alcoholics Anonymous close by.

The activity of the unit is okayed by the Estonian government. Its information reaches the police, as agreed between the two countries. An automatic inquiry reaches the Central Criminal Police which, as requested by the embassy, discloses personal data – such as the background of the owner of a car, or the person in the picture and his/her background. These data are added to the SIMAS report. Depending on the behaviour of the people concerned, entries may remain active for 5 to 20 years – or permanently. Getting entered may affect the decision by the USA whether or not to grant a visa for entry.

Erkki Koort of the Ministry of the Interior comments:

Why and on what basis does the Estonian police hand personal data of our citizens to the US Embassy as soon as they apply for it?
State agencies share data with third parties strictly pursuant to law. A suspected attack against a diplomatic representation or danger towards human lives or health is reason enough, doubtless, to exchange data. The question leaves one with the impression that Estonian state agencies would submit data upon initial request. This definitely is not the case.