Four areas are challenging in Serbia in regard to data protection: the use of video surveillance equipment, access to registries containing citizens’ data, available data on arrests and access to interrogation records.
By Uros Misljenovic (Partners for Democratic Change Serbia)
In 2015 and 2016, Partners for Democratic Change Serbia examined whether the Ministry of Interior (MoI) had undertaken adequate personal data protection measures, with special emphasis on the prevention of data leakage to the media. The research has shown that the MoI is making an effort to harmonize the activities of its employees with the data protection legal framework. However, some areas of the MoI's work are still vulnerable to unlawful access to citizens’ personal data (some of which may be very sensitive) and to the use of that data for different interests. The MoI should, therefore, improve its data protection measures in order to prevent violations of citizens’ privacy and the presumption of innocence.
The MoI is one of the biggest personal data controllers (a legal entity that collects and later uses personal data) in Serbia, according to at least five criteria:
- Number of citizens whose data are processed,
- Variety of processed data,
- Number of data sets or records,
- Number of organizational units, and
- Number of employees whose job is to process citizens’ data.
The Serbian Personal Data Protection Law (PDP Law) requires all controllers to protect the personal data in their possession from abuse, destruction, loss, unauthorized alteration or access. This obligation also applies to the MoI. Four areas of the MoI's work and jurisdiction have particularly drawn our attention: the use of video surveillance equipment, access to registries containing citizens’ data, available data on arrests and other police activities, and access to interrogation records.
Inefficient control over the MoI video surveillance system
In early 2011, a recording of sexual intercourse between two young people near the Belgrade Arena was published. The Commissioner for Information of Public Importance and Personal Data Protection found that the recording had been made by MoI equipment, and that the MoI had not established rules of access to stored video materials or to the premises housing the video surveillance equipment. Shortly afterward, the Commissioner filed a criminal report against an unidentified MoI employee for making the police recording available to the public.
Meanwhile, the MoI enacted the Mandatory Instructions on the Conditions for the Use and Maintenance of the Video Surveillance System in the Republic of Serbia. This document imposes clear obligations on several organizational units, envisions training for employees who handle the video surveillance system, envisions technical measures of protection through access codes, determines who can view the recorded material and how, and specifies the procedure for the handover of the material to other persons. The document demonstrates the efforts of the MoI to regulate the way in which video surveillance equipment is used.
Nevertheless, an illustrative case occurred in Novi Sad in 2014, when the recording of a fatal traffic accident was published, together with the personal data of all of its participants. On this occasion, the Commissioner once again warned the MoI for not taking the technical and organizational measures aimed at protecting personal data taken from the video surveillance system of the Police Administration of Novi Sad. It seems that the MoI has not succeeded in achieving a uniform level of implementation of this internal act. Moreover, the Commissioner’s criminal report has not resulted in the criminal conviction of those responsible for the misuse of the video material, which certainly gives rise to concern.
Nobody takes responsibility for data leakage from the police to the media
In January 2015, over a period of seven days, the Blic daily published a total of six texts about a TV presenter being brought to a police station, including information on her health and previous traffic violations. The presenter asked the Commissioner to protect her rights, believing that the published personal data had been contained in the official registers of the MoI and that they had been handed over unlawfully to the newspaper, which later published this information.
At the Commissioner’s initiative, the MoI conducted an internal investigation and established that out of the 25 police officers who had accessed the official MoI files containing data on the TV presenter, only one did this for justifiable purposes. The other officers had done so in order to determine if she was married or divorced, to check her year of birth, out of curiosity, or to check whether her actual birthplace was Pozarevac.
Several officers viewed the presenter’s data using the usernames and passwords of colleagues who were authorized to access the datasets. One of them stated that any police employee in this station can log in to the system because the last used password remains saved on the workstation, since the computer is programmed that way. The MoI stated that the police employees who, according to the inspection, had conducted the unauthorized data searches had had to report to their superiors and were told that they had to consistently implement the PDP Law, the Law on Police and the Mandatory Instructions on the Rules and Procedures in the Use of the MoI Information System.
However, it was impossible to determine whether the MoI has since undertaken measures aimed at determining individual responsibility for the data leakage to the media. The Commissioner filed a criminal report against an unidentified MoI employee for making a police recording available to the media. The case remains unsolved to date.
Police still lack internal procedures for communication with the public
The Statements section of the MoI website regularly features information on arrests and other MoI activities. The MoI usually publishes suspects’ or defendants’ initials, ages, and sometimes places (municipality or city) of residence. The MoI seems to be even more restrictive regarding the publication of victims’ and juveniles’ personal information. It is also evident that the MoI is trying to provide concise information about incidents, without presuming that the relevant persons are guilty.
This practice is the result of years of MoI work on harmonizing its procedures for the disclosure of information on policing with personal data protection regulations. One of the most important MoI activities of that kind was a 2012 decision under which the MoI was to stop publishing recordings of arrests, photographs, and other data on the arrested. This decision was preceded by a series of monitoring activities by the Commissioner in 2011, prompted by a complaint from an arrested woman. Her name and family name, year of birth, and a photograph identical to the photograph in her ID card were published on the MoI website. The information from the website was soon picked up by the media and published in printed and online editions.
The Commissioner found that the MoI procedures and practices violated citizens’ privacy and the presumption of innocence. The MoI promptly responded, stating that all suggestions regarding the observed irregularities had been upheld and that, in this respect, the MoI had started amending the Law on Police and drafting by-laws regulating the activities of the Bureau for Cooperation with the Media.
Our researchers attempted to find out whether the MoI has enacted such by-laws in the meantime. In the MoI response to the free access to information request, researchers were informed that the Ministry implemented the Law on Police directly, that it had not regulated the relevant area by internal acts, and that the MoI did not have a document containing the requested information. It remains unclear why the MoI has not adopted such internal documents in the meantime, or why the competent organizational units have not drafted a written document that would regulate the procedures for the publication of statements and personal data, despite the fact that they started the procedure for adopting such a document in 2012. The Law on Police of 2016 stipulated that the MoI needs to adopt a by-law on communication with the public by February 2017.
Arbitrary use of results of polygraph testing and interrogation records
Media reports often contain details obtained during polygraph testing and interrogation. The media utilize such information for commercial interests – sensationalism increases circulation. Sometimes political ends are achieved by “feeding” loyal media with information from institutions, in order to insinuate that somebody is guilty without due process or to denounce a political opponent. We examined whether the MoI had established measures against the misuse of such information.
In its response to our free access to information request, the MoI did not include details regarding the data protection measures undertaken in connection with the results of polygraph testing or interrogation records. We can, therefore, conclude that these areas are not regulated by the internal documents of the Ministry, which makes it more likely that someone might access such content without authorization, copy documents unlawfully, take documents out of the institution, and disclose data to the media.
Conclusion and recommendations
There is growing concern with regard to violations of the right to privacy in media reporting, as well as to the issue of information leakage from the police to the media. In view of the new business model of the media, which is based on violations of citizens’ privacy and the presumption of innocence, and of arrangements involving political and media elites, the protection of citizens’ data becomes potentially more important than ever. Victims of such practice may include journalists, celebrities, civil society activists, and “ordinary” citizens, including ourselves.
Therefore, the Ministry of Interior should:
- In line with its obligation under the 2016 Law on Police, establish rules of cooperation with the media and rules for publishing information about its work, in order to reduce media violations of citizens’ privacy, and
- Develop and implement measures of protection against unauthorized use of citizens’ personal data, to align its policies and practice with the personal data protection legal framework.
The author is a Project Manager at Partners for Democratic Change Serbia, responsible for the implementation of activities in the field of good governance and privacy protection. This article has been compiled using the findings of the latest Partners Serbia research, “Protection of Privacy and Presumption of Innocence in the Media”.