Author: ketevan kukava

E-governance is related to the introduction of technology and innovations in government institutions. E-governance is the public sector's use of information and communication technologies with the aim of improving service and information delivery, encouraging citizen participation in the decision-making process, and making government more accountable, transparent and effective.[1] Consequently, e-governance serves to improve public services and democratic aspects of governance.

With the development of e-governance, the issue of personal data protection has become especially important. Given the modern technological progress, the widespread use of information and communication technologies poses new risks and threats to citizens.

The most extensive registers of personal data are gathered in state institutions. Their creation serves a variety of purposes, including access to public services, administration of the education system, efficiency of health and social care systems, safety of citizens, administration of revenues and taxes, holding of democratic elections, etc. The security of information contained in databases, protection against accidental or illegal disclosure, and use of data is the responsibility of any data processor, including public institutions.

In Georgia issues related to the processing and protection of personal data are regulated by the Law of Georgia on Personal Data Protection.[2] This Law is intended to ensure the protection of human rights and freedoms, including the right to privacy, in the course of personal data processing.

Personal data is any information connected to an identified or identifiable natural person. A person shall be identifiable when he/she may be identified directly or indirectly, in particular by an identification number or by any physical, physiological, psychological, economic, cultural, or social features specific to this person.[3]

The Law separates a special category of datathat is connected to a person's racial or ethnic origin, political views, religious or philosophical beliefs, membership of professional organizations, state of health, sexual life, criminal history, administrative detention, putting a person under restraint, plea bargains, abatement, recognition as a victim of a crime or as a person affected, also biometric and genetic data that allow identifying a natural person by the above-mentioned features.^[4]

The Law on Personal Data Protection defines the principles and grounds for data processing, establishes administrative liability for violating the requirements of the law, and determines the amount of fines.The State Inspector's Service controls the lawfulness of personal data processing and responds to violations.  

The legislation defines the measures to be taken by the data controller to protect data security: A data controller shall be obliged to take appropriate organizational and technical measures to ensure the protection of data against accidental or unlawful destruction, alteration, disclosure, collection, or any other form of unlawful use, and accidental or unlawful loss. A data controller is also obliged to ensure the registration of all operations performed in relation to electronic data. Any employee of a data controller and of a data processor, who is involved in the processing of data, shall be obliged to stay within the scope of powers granted to him/her.[5]

The State Inspector’s Service reviews cases of personal data processing in various electronic databases based on citizen’s applications, as well as on its own initiative. The examination of the data processing in electronic programs of the public entities revealed several shortcomings.  According to the report on the activities of the State Inspector's Service, in certain cases, relevant organizational and technical measures for ensuring data security had not been applied, namely: the programs did not register facts of accessing and viewing of data; there was no record of information searched by a user in the system.[6]  The remaining challenges are: ensuring data security, establishing clear timelines for data storage, as well as awareness-raising of employees.[7]

Ensuring solid guarantees for the protection of individuals' data is a crucial task for the state.The protection of information stored in electronic systems and databases significantly determines public confidence in state agencies. To protect the interests of each citizen, the public institution is obliged to take appropriate organizational and technical measures to reduce the risk of illegal data processing. Measures taken to ensure data security must be adequate to the risks related to the processing of data. Likewise, it is important to provide software protection mechanisms against unauthorized access to databases and to register all operations performed in relation to electronic data.

The introduction of information and communication technologies in public agencies facilitates citizens' relations with state institutions, case administration, and access to public services. At the same time, it is of particular importance to ensure the lawful processing of data in electronic systems and databases, for which it is necessary to have adequate data protection guarantees and to strictly comply with the requirements of the legislation in practice.

The article is prepared within the scope of the project "Promoting Personal Data Protection in Georgia“

The Project is funded by the Embassy of the Netherlands in Georgia. The views expressed in this article may not necessarily reflect the views of the Embassy of the Netherlands.

___

[1]IDFI, “E-governance and E-transparency - International Tendencies and Georgia”, available at: https://bit.ly/3prrBL7

[2] Available at: https://bit.ly/3pr0gbW

[3] Law of Georgia on Personal Data Protection, art. 2(a).

[4] Law of Georgia on Personal Data Protection, art. 2(b).

[5]Law of Georgia on Personal Data Protection, art. 17.

[6]Report on the activities of the State Inspector's Service – 2019, P. 44, available at: https://bit.ly/3puDv6M

[7]Id, p. 47.