The research had two separate stages of data collection – the first stage was conducting semi-structured interviews with experts, while the second phase consisted of a legal analysis of the identified laws that have the potential to violate the right of privacy of citizens.
In the first stage, participants in the interviews were selected on several criteria – their formal education, their experience in the issues that hinder the right to privacy and protection of personal data and daily exposure to a number of personal data of citizens. Although a number of official invitations were sent, at the outset, to state institutions (ministries) to nominate a representative who would participate, we found a low turnout for cooperation – one of eight state institutions agreed to participate in the survey, with the nomination of a representative which satisfy the above criteria.
The interviews began in the second half of December, 2014. Below are the qualitative analysis of the responses of the experts and attached questionnaire which the interviewed all filled out before the start of the interviews.
How important is storage, processing and transfer of personal data of citizens for the daily operations of the institution / organization to which you belong?
On the first question, all interviewed experts shared the view that the personal data of citizens are essential to the daily functioning of institutions, that is, without the processing and storage of personal data – companies or institutions could not function.
How familiar your institution / organization is with the legislation and regulations for the protection of personal data?
For this question, almost all experts said that their institutions are well familiar with the legislation and regulations. Some experts positively evaluated the work of the Directorate for the Protection of Personal Data in terms of regular training and recommendations that come from them, and assisting in educating their employees about the importance of the protection of personal data and the right to privacy. Also, almost all experts agreed that there is room for improvement in this area, especially among employees, or sectors, which, firstly, have direct contact with customers / clients (and have insight into their personal data) and, secondly, are not part of legal or IT sector in their institution / company (for these two sectors, experts believe that there is great familiarity with the legislation and regulations).
In your opinion, is there a risk of disclosure of content in the daily operations of the institution / organization that would violate the privacy of citizens? If such risk exists, what you think could be done to remove or reduce it?
On this issue, the experts were unanimous: risks always exist, but they are small and insignificant, and continuing work is being done on their rehabilitation. This is achieved through continuous staff training, setting high standards for technical security of the servers and databases where the personal data is stored, as well as monitoring the development of technology and constant replenishment of the rules of procedure. Experts split the risks in two areas – technical risks and risks arising from the employees themselves. They gave the technical risks an insignificant role, ie, they were satisfied by the use of sophisticated tools and security protocols by their IT departments for which they are responsible, while they consider that the biggest room for improvement is in the part of education of employees, especially new employees. The personal opinion and attitude of the employees (and citizens) to the right to privacy, and the importance of protecting someone else’s personal data is at a very low level. In other words, citizens’ awareness of this issue is very low and unrepresented in wide circles, and that entails the greatest risk of violation of privacy.
How would you rate the overall climate in your institution / organization in terms of the need for privacy and protection of personal data?
Experts were unanimous on this matter, in the view that all institutions and companies are keeping an eye on citizens’ personal data and the protection of their privacy. Some of them have said that in some state institutions, however, this issue is not sufficiently treated, particularly in institutions related to public health, and not much care is being taken into others’ privacy, but generally there is a climate among employees in all sectors that personal data is important, and that the right to privacy of citizens should be respected.
How would you rate the awareness of the general public in terms of the right to privacy?
– How important is the need for raising awareness among the general population of their basic human right to privacy?
– Where do you think there is most room for improvement?
Almost all interviewed experts on the issue agreed that awareness among the general public is very low. The average citizen has little familiarity with his or hers rights in respect of the right to privacy and the use of their personal data, as well as possible damage and consequences thereof. Some experts expressed the opinion that citizens are aware of their rights, but simply do not appreciate their significance and knowingly allow their privacy to be breached.
All experts agreed that the need for raising awareness of the wider population of these basic concepts is a very important one, and some of them thought that through continuous education, especially early, school-age, and with solid family upbringing, future generations can become informed and careful in their decisions, when they come in situations where the right to privacy is potentially threatened. One participant in the interview cited the example how you can act systematically and planned on the employed workforce (whether in public or private companies) – through systematic and planned continuous education on-the-job, for which the financially responsible will be the institution / company itself, the effect of which will not stop in the working environment, but will trickle down in the home environment, the family, because “… as they behave at work, they will pass that same culture at home.” After that, it’s a short step from the family environment, to the social environment and culture.
On the last sub-point, almost all experts were unanimous that the most room for improvement exists in young people, teenagers and students in primary and secondary schools. With the rapid development of technology and mobile devices, and the multitude of applications for them, as well as social networks, young people are constantly exposed to risk that their personal information be displayed, used, transferred and stored in places and ways that they are not sufficiently informed about ( although he or she may have given prior consent). By agreeing to the terms of use of applications and social networks, experts believe that they do not know enough to decide to what extent to “trade” their privacy and personal data.
Have you personally been in a situation where your the right to privacy has been denied? If yes, how did you act?
Interviewed experts were divided on this issue – almost half of them said they never felt that they were denied the right to privacy, while the other half confirmed that, almost on a daily basis, their right to privacy is being violated. However, the group that responded with confirmation, attributed the cases of violation of their privacy to negligence of employees in certain institutions / companies, i.e., more random than with the intention of causing harm. Because of this, none of the experts who said that their right to privacy was violated decided to act in those situations. Besides random errors and embarrassment, several experts said they were victims of “spam” by certain private companies, through SMS, email, phone calls, etc., even though they did not give consent. They reacted accordingly to these procedures, and further communication was interrupted.
Which institutions / agencies / organizations that have, use, and process your personal data are you aware of?
The above question we used to paint a picture of, what is the level of awareness among the expert public, which on a daily basis deal with this issue, for the use and storage of their personal data in relation to the public. In that context, the experts, with the exception of one participant, confirmed our assumption that they will be very well aware which institutions / companies possess their personal data. With the exception of one participant in the interviews, which only managed to enumerate three institutions that he/she is familiar that have and use his/hers personal data, other experts enumerated more than 10 private companies and institutions that currently have and use their personal data.
How do you evaluate the role of new technologies in terms of the right to privacy of citizens?
The experts were agreed on several points of this issue:
They shared the view that new technologies carry a large potential for invasion of privacy on their users;
Technology very quickly penetrates in the everyday life of the citizens, more quickly than he /she is ready to learn, in the short time given, on the risks associated with their use;
Hence, the need for continuous education and information when making decisions about the techniques and technology used in everyday life becomes a particularly important issue, and
Technology is only a tool that can be used to protect one’s privacy and personal data, as much as it can be used to violating it – the intentions of the person who uses the technology remain as one of the most important factors in determining whether new technologies are positive or negative relative to the citizens’ privacy.
How do you evaluate the role of the Internet, specifically social networks, in terms of the right to privacy?
The experts were unanimous in the view that social networks and the Internet play an irreplaceable role in today’s society and social functioning. These satisfy the appetites of many people for socializing and expanding contacts and a wealth of information.
However, experts also said that most of the cases in private life, from contacts with friends and acquaintances, where there was violation of one’s right to privacy and/or misuse of personal data – came from social networks. Therefore, they agree that the use of social networks is a doubled-edged sword – there is a big risk for violation of privacy, but they also carry great benefits. As to the reasons for this daily invasion of the privacy on social networks, the experts attributed:
Insufficiently informed users accepted terms of use and their contents;
Too complicated instructions for setting “level of privacy” of information that users share, and
Lack of information about potential risks and possible consequences of careless use of social networks and their contents thereof.
For the last item, one of the experts expressed particular concern about the lack of awareness among the young population, i.e. students in primary and secondary schools. Because many of these students actively use social networks and the Internet on a daily basis, the risks of violation of their, and other’s privacy is big.
Where do you think there should be exceptions to this basic right, i.e., when it is better to allow invasion of privacy and use of personal data without explicit consent? Which institutions would have this right?
Experts agreed that there should be exceptions where the privacy of citizens, or a group of citizens could be compromised, however:
Each of these exceptions should be provided by law;
Only certain institutions would have that right, and in addition, certain sectors inside these institutions;
Each case of violation of someone’s privacy to be evaluated separately, i.e., to assess whether it is really necessary, and
The most important prerequisite to even think about monitoring one’s activities, phone calls, bank accounts, etc., is when there are serious indications that the person or group is involved in acts against national security. If there are criminal charges already in place, and proven criminal acts, also, the right to privacy of the culprit(s) would be violated, or rather, temporarily suspended, so as the judicial authorities and the public prosecutor could carry out their legal obligations. Experts also agreed that institutions such as – the police, courts, prosecutors, IRS and emergency centers, would have this right.
How do you evaluate the situation with the privacy and protection of personal data in Macedonia? How do you evaluate it world-wide? (Trends)
Most experts say that the situation with the privacy and protection of personal data is at a positive trend in our country, and in the world. They think we cannot compare with the more developed western European countries, but that in our country, efforts are being made, and the awareness of this issue among the general public is slowly being raised. In that context, they noted the work of the Directorate for the Protection of Personal Data as a very positive trend, which is already producing results. All experts, including those who do not agree that there are positive trends in our country and the world, consider that in the developed democratic societies, there are very different conceptions of what privacy is, and the need of the right to privacy (including its protection) – and they split those in two “main” blocks – Western European countries, where the right to privacy is very respected and huge strides are being taken to protect the privacy and protect personal data, and the United States and Canada, where, there is virtually no right of privacy, i.e., where this right is being violated on a daily basis, and huge amounts of personal data, without the consent of citizens and consumers, is being exchanged, stored and processed.
Experts set our country – “in the middle”, i.e., there is much room for improvement, especially on the awareness of the general population for this issue, but that in our country there are very positive examples as well, such as the adoption of the Law on Protection of Personal Data, the creation of the Directorate for the Protection of Personal Data, continuous revisions of internal rules for the operation of most state institutions to retain the proposed measures from the Directorate etc.