Personal data protection in Belarus
Attitudes toward the protection of personal data have recently been discussed more and more often in the media and at the level of private and state companies. Against the background of general informatization, ordinary Belarusians are also thinking about the protection of personal information. For many, it is becoming important how well their "first name, patronymic" and home address are protected once they are entered into online forms on websites or into the databases of medical institutions. In general, however, citizens do not give this topic due attention.
Other countries pay more attention to the protection of information, which is most noticeable in how often their legislation changes. For example, the General Data Protection Regulation (GDPR) has been in effect in the European Union since May 25, 2018. The document replaces the Data Protection Directive, which was adopted back in 1995. Moreover, the requirements of the GDPR apply to all operators who deal with the personal information of subjects with EU citizenship.
Changes regarding personal data (PD) also occur periodically in Russian law. There, by the way, the law on the collection, processing and storage of personal data was adopted back in 2006.
A similar document - the draft law on personal data - is still being developed by the state bodies of Belarus. This indicates that putting things in order in this area is not yet a primary task for the government.
The current laws of the Republic of Belarus more or less specifically answer only the following questions:
- What is PD?
- Do I need to obtain consent for the collection, processing, storage and use of PD?
- Should PD operators inform the subjects about what data about their private life is collected and to what extent?
- Is there a need to organize PD protection?
What data is considered personal?
Since there is no “thematic” normative act in the country yet, this issue is regulated by several documents related to the topic.
For example, Law No. 455-З "On Information, Informatization and Protection of Information" classifies as personal data the basic and additional data of an individual that are entered in the population register, as well as other data that allow the identification of such a person. At the same time, PD is information whose provision and distribution is limited.
It is noteworthy that the law on information contains the extended wording “and other data allowing the identification of such a person”. This means that Belarusian legislation applies to any information that can be used to identify a person. However, it does not specify whether direct or indirect identification is meant. In Western regulations this point is clearly spelled out: both direct and indirect personal characteristics, for example IP addresses, are often protected.
Law No. 418-З "On the Population Register" clarifies the concept. According to it, PD includes:
- surname, proper name, patronymic;
- personal number;
- date and place of birth, information on registration at the place of residence and (or) place of stay;
- digital photo portrait;
- data on citizenship (nationality);
- data on death or declaration of an individual as deceased, recognition as missing, incapacitated, partially incapacitated.
The Population Register Law introduces one more concept - “additional personal data”. This is information about the parents of an individual, as well as about guardians, trustees, marital status, spouse, child (children), education, academic degree / title, occupation, tax obligations.
How to obtain the right to collect and process data?
The Law on Information states that the collection, processing and storage of personal data requires the written consent of the individual to whom the data belong. However, the legislative acts of the republic do not regulate what "consent in writing" should be. A small clarification of this concept is given in the Civil Code, where, among other things, an exchange of signatures (facsimiles and analogs) is called a transaction in writing.
This approach can also be applied to consent to the collection, processing, storage and use of personal data. As a result, because the legislation of the Republic of Belarus is vague on this point, many PD operators collect the signatures of individuals “manually”. For example, visa centers do this using a printed consent form, which the applicant needs to sign in ink.
Legal entities that operate on the Internet include a clause on consent to the collection of PD in public contracts. Many online stores do this. In this case, the consent of the individual is considered to have been obtained by the fact of making a purchase, although one click on "accept the agreement / agree" on the web page of the information resource may not formally be enough.
In addition to collection, the processing of PD is subject to regulation, including familiarization with personal information and its transfer to third parties. The procedure for the legal registration of these operations is similar to the request for written consent to collect personal information from the subject.
Familiarization means the right of the subject who owns the collected data to know which of his personal characteristics the operator collects and to what extent they are contained in information systems or held by certain persons.
As for the transfer of personal data, this operation must be agreed with the subject in advance, and also in writing. As a rule, most public agreements and contracts include this clause. However, the question of the form of obtaining consent arises again, since most personal data today is collected in electronic form.
How to protect data about Belarusians?
The law on information states that any person who collects PD must take measures to properly protect the information received. Moreover, the operator must guarantee protection for clearly defined periods:
- until the moment when the PD subject permits their disclosure;
- until the moment of anonymization of personal data.
While these introductory statements are more or less clear, difficulties arise with the interpretation of protection measures. Legislative acts of the Republic of Belarus do not define exactly what full-fledged data protection should look like. In practice, based on by-laws, PD operators should consider two types of protective measures:
- organizational (development and adoption of internal documents governing work with PD);
- technical (protection of information systems from leaks of personal information using software solutions).
The text of the draft law on personal data says more about the planned protection measures. The organizational measure will be the addition of a new position to the staff: a person responsible for the protection of personal data. If this task is taken seriously, this means an information security specialist. Moreover, large companies that handle a large amount of information are likely to have to create a whole department of such specialists.
The technical aspect of the protection is that it will be possible to store information about Belarusians only on domestic hosting.
The bill also assigns the protection of the rights of PD subjects to the regulator. Its functions will be performed by a separate state body. The regulator will also be given the following powers:
- consideration of applications from citizens on PD issues;
- monitoring how operators comply with legal requirements.
What are the consequences of violating the legislation in the field of personal data?
Since the “thematic” law has not yet been adopted in the country, there is no clearly defined liability for violating legal norms. It is assumed that amendments will soon be made to the Administrative Code of the Republic of Belarus, according to which violators in the field of personal data will be punished with a fine of up to 20 base units.
Article 179 of the Criminal Code of the Republic of Belarus, which spells out the punishment for illegal collection or dissemination of information about private life, is not applied in practice to situations with the disclosure of personal data.
The text of the draft law on personal data also does not yet contain specific proposals for sanctions. It is assumed that after it is signed, new articles will appear in the administrative and criminal codes.
However, the bill already regulates the actions of the PD operator in the event of a data leak (the data going into public space or falling into third hands). First of all, within three days after the discovery of the leak, the operator must inform law enforcement officers about it. Information about the incident should also be sent to the body for the protection of the rights of PD subjects (the regulator). It is noteworthy that if the leak is insignificant and will not have negative consequences for the subject, it will not be necessary to notify the law enforcement agencies about it.
However, following the public discussion of the draft law, which ended in August 2018, experts agreed that it requires improvements, including in matters of data security. In particular, the experts considered that the text contains a contradiction in the paragraph on the organization of data protection: paragraph 3 of article 17 assigns this function to the Operational-Analytical Center under the President of the Republic of Belarus, while paragraph 5 of the same article gives this competence to another state body.
Be that as it may, it is assumed that the law on the protection of personal data in Belarus will be adopted in the first half of 2019. Moreover, it should come into force one month after its official publication. Until this happens, it is difficult to talk about the existence of full-fledged protection of personal data, as well as about the presence of strict liability for violators.