The first issue concerns state systems querying more personal data from X-Road than required:
In March a service was added to the Eesti.ee online portal that allows users to see which government institutions have accessed their personal data. According to daily Eesti Päevaleht, there are plenty of illegal queries. As the paper wrote on Tuesday, the Unemployment Insurance Fund, the E-Health System, notaries, and plenty of others regularly break the law by accessing people’s personal data without a legally valid reason.
What happens is that every time e.g. someone’s general practitioner accesses their data, the system automatically also displays their immediate relatives and their personal ID codes. This data represents a series of illegal queries by the system. “Thanks to the data tracker it has become clear that the information systems of plenty of institutions apply only the broader query also for their services that don’t require the data of connected persons. Those institutions where the problem has come up are already improving their systems,” the Data Protection Inspectorate’s press spokeswoman, Maire Iro, said. According to Iro, the inspectorate does not have a complete overview of all the institutions affected, but local government, liquidators, and notaries had already begun to check their queries.
The second issue is about recent law amendments and the interest of state institutions in performing mass data processing on a wide range of personal data:
Director General of the Estonian Data Protection Inspectorate (AKI) Viljar Peep sent a letter to Minister of Justice Urmas Reinsalu this week expressing concern about extensive data processing by state agencies, first and foremost by the Estonian Tax and Customs Board (MTA). An amendment to the Taxation Act entered into force on April 1 which granted the MTA access to a large number of databases for risk assessment, i.e. tax intelligence, purposes, reported daily Eesti Päevaleht (link in Estonian). The tax authority primarily requests information from transaction databases of the Central Commercial Register, the Traffic Register and the Land Register. The Police and Border Guard (PPA) and the Estonian Road Administration have expressed interest in similar access to databases.
“In the initial bill, data processing was in no way hindered, meaning that the MTA could have even looked at a person’s e-health data,” Peep recalled. “Thankfully this was limited somewhat during proceedings.” According to the director general, the issue is that Estonia lacks legislation that would regulate mass data requests. “Yes, it is specified in the Law Enforcement Act and the misdemeanor procedure how to conduct inquiries regarding specific violations, however mass data processing cannot be conducted by the same rules,” he stressed. “It is important that every authority not begin making up its own rules.”