Georgian Ministry Violates Law on Personal Data Protection

On April 5, the Personal Data Protection Service announced its findings on the legality of one ministry’s processing of its employees’ computer activities. The Service initiated an investigation following an anonymous tip-off and carried out an unscheduled inspection at the Ministry, finding that it had violated the Law on Personal Data Protection.

It was found that a technical support program had been activated on approximately 3,000 computers at the Ministry and for employees of over 10 legal entities in its system. The program collected information on employees’ computer activity, such as the names of programs used, the duration of use and the contents of active windows. In addition, the Ministry developed keywords to monitor employees’ computer use, including website visits and content.

According to the Service, some departments used data from the program to monitor employees’ activities, including during business trips, while the Ministry stated that the program was used as a means of employee self-monitoring and information security.

Nevertheless, the Personal Data Protection Service found that the Ministry’s technical support program may have processed personal/private information about individuals that was not work-related. As the objectives of official monitoring could be achieved by less intrusive means, the collection and processing of personal data in this manner was considered disproportionate to the objective of monitoring employees.

Furthermore, the employees did not voluntarily consent to the processing of data collected by the technical support program for self-monitoring purposes, nor were they fully informed or actively involved in the process. The Service determined that the organization of working time through the use of computer data depends solely on the initiative of employees and cannot be enforced, even with proper information. Therefore, the collection and processing of computer activity data for self-monitoring purposes should be based solely on the employees’ desire and initiative.

Finally, the Ministry was identified as a first-rate critical infrastructure entity, using various types of licensed modern equipment and software. As a result, the data obtained from a questionable program would rarely contribute to the achievement of information security objectives. Therefore, data collected from employees’ computer activity should be kept to a minimum, and access to the recorded information should be restricted as much as possible.

The Personal Data Protection Service ruled that the Ministry’s processing of data without the consent or knowledge of employees for self-monitoring purposes was unjustified and created a risk of unlawful collection of personal data, in violation of Article 17 (Data Security) of the Law of Georgia on the “Protection of Personal Data”. As a result, the Ministry was found to have violated Article 46 of the same law and was ordered to cease processing and delete the data collected.
