The global crisis caused by the COVID-19 pandemic brought to light, among other things, the weaknesses of the Serbian public health care system. The daily mass collection of personal health data, which the Serbian Data Protection Act classifies as particularly sensitive data, became a regular occurrence during the pandemic.
This data was processed on the basis of Serbian Government decisions and instructions whose primary goal was the suppression of the pandemic. Such conduct placed the public interest above the rights of the individual, and the COVID-19 pandemic thereby became a special test for the application of the Data Protection Act and for the work of the Commissioner for Information of Public Importance and Personal Data Protection (Commissioner).
During the state of emergency, the Commissioner pointed out that, from the point of view of the application of the Data Protection Act, there are no obstacles to the processing of a person’s health data when it is based on applicable regulations, including state of emergency acts, provided that the processing is performed within the limits of the granted authorisation and in compliance with all of the processing principles set out in Article 5 of the Data Protection Act.
This allowed the Serbian Government to create the COVID-19 Information System (IS COVID-19) in mid-April 2020, as centralised software for entering, analysing and storing data on all persons monitored in order to control and combat the COVID-19 pandemic.
The system contains data on all persons who were tested for COVID-19 within the prescribed epidemiological procedures and enables tracking of their further status (positive, negative, hospitalised, in self-isolation, on a respirator, cured, deceased), together with their contact details (phone numbers, addresses, etc.), a whole range of other health and personal data, and data on the close contacts of the tested individuals, so that their epidemiological status can also be monitored. Data is entered into the system by employees of the public health institutions in charge of taking swabs and performing PCR tests (health centres, hospitals, public health institutes, laboratories). Access to this data was given to various state bodies.
A short while after it was created, IS COVID-19 suffered a serious security incident: the usernames and passwords used to access the system were publicly available for eight days on the website of a Belgrade municipality. That was more than enough time for such particularly sensitive data to become accessible to anybody capable of a simple Google search. Credentials exposed in this way have to be treated as compromised regardless of how quickly the page is taken down, since search engine caches and copies can outlive the original publication; at a minimum, the credentials must be rotated and the access logs for the exposure period reviewed.
As a result of the supervision procedure, the Commissioner only issued a warning to the system operator, the Institute of Public Health of Serbia “Dr. Milan Jovanović Batut”, for omissions in the management of the system that led to violations of the obligations prescribed by the Data Protection Act.
The Commissioner found that the omissions were as follows:
- no contract was concluded with the processors, primarily the Republic Health Insurance Fund (RHIF), which is in charge of providing technical support to users;
- appropriate system protection measures were not taken;
- no data protection impact assessment was performed (which, under the Data Protection Act, was mandatory in this case before the system was even put into operation).
Such conduct shows a worrisome lack of awareness not only among the persons entering such data, but also among the state bodies that were obliged from the outset to act fully in accordance with the Data Protection Act. Unfortunately, the IS COVID-19 omissions are another indicator of the attitude of the public authorities towards the privacy of citizens. For those eight days during which the access credentials were publicly available, we cannot know who may have entered the system, or whether such a mass of data was stolen and brokered further on.
In light of the above, it is unclear what will happen to the collected data after the COVID-19 pandemic. The deletion of the collected data remains an open issue: data collected by various state bodies will remain somewhere in their systems and, as such, will lose its purpose, but not its value.
The public needs to be informed of the procedures that will be undertaken, either at the request of the data subjects or by the state bodies ex officio, to delete this data. Although it is certain that some data will have to be stored and archived at some point for research and statistical purposes, we can only hope that the personal data retained for those purposes will be anonymised.
This text is for informational purposes only and should not be considered legal advice. Should you require any additional information, feel free to contact us.
By Katarina Zivkovic, Senior Associate, and Katarina Zivulovic, Associate, Samardzic, Oreski & Grbovic