VILNIUS - The National Audit Office conducted an audit in state institutions and has determined that there are flaws in the protection of personal data, reports ELTA. The Office aimed to assess whether personal data processed by automatic means is effectively protected and overseen.
The audit concluded that individual rights to personal privacy are insufficiently ensured in Lithuania. Not all legislation or personal data protection requirements are implemented in the public sector. And the regulation in this area is falling behind progress in information and communications technologies.
Even though the Law on Legal Protection of Personal Data and its implementing legislation was amended several times from 2008-2012, rapid progress in information and communications technologies raises new issues which are not addressed by today’s legal acts.
The audit showed that insufficient attention was devoted towards reducing administrative loads on data managers - they have to fill in a very complicated notification form when processing an individual’s personal data. It is also proposed to improve data sharing in the electronic space, as a personal code is still the sole most widely used item of data to identify a person. In addition, only a natural person is punished for violations in this area, while the sanctions compared to other Baltic countries are very small - a fine in Lithuania is up to 2,000 litas (580 euros); meanwhile, in Latvia it is up to 1,450 euros and in Estonia up to 31,800 euros.
The National Audit Office also found that 84 percent of the audited institutions did not comply with all personal data protection requirements. Furthermore, only half of the audited institutions adequately implemented the rights to privacy of data subjects. The rest had not established implementation methods for the rights of the data subjects, with limited possibilities for the data subjects to check on how their rights were being protected.
In some institutions personal data processing was more excessive than indicated by the State Register of Personal Data Controllers. Therefore, a person might not have known what information was collected about him or her, and if they had requested information from the State Data Protection Inspectorate (VDAI) the answer would have contradicted the extent of the personal data processed.