Data State Inspectorate



Annual reports of Data State Inspection '2003

Two years have passed since the Data State Inspectorate started its activities.
This is a report on the activities of the Data State Inspectorate in the previous year, 2002, which gives an overview of the accomplishments, the major changes, experiences and future plans. Since 2001, the role of personal data protection has increased in Latvia and, as a result, public understanding of the necessity for privacy – personal data protection – has grown. It should be noted that both Latvia and countries worldwide are undergoing rapid development of information technologies, and because of this there is a greater possibility of personal privacy, including the confidentiality of personal data processing, becoming vulnerable. In carrying out the basic function of the Data State Inspectorate – supervision of compliance with personal data protection – activities towards greater efficiency of legislation and practical measures in the field of supervision and control of personal data processing have been carried out. One of the major events is the improvement of personal data protection legislation in order to make it fully compliant with the European Union requirements – Directive No. 95/46/EC of 24 October 1995 “On the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data”.

On 24 October 2002, Saeima (Parliament) passed a law “Amendments to Personal Data Protection Law”. It stipulates that henceforth the provisions of Personal Data Protection Law will be applicable also to processing of personal data in the field of criminal law and domestic security, as well as protection of the personal data declared to be objects of state secret. Likewise, the law has been supplemented with regulations regarding processing of personal identification codes (identity numbers). Derogations have been made for individual systems in respect to obligatory registration of the personal data processing systems, the registration fee on personal data processing systems has been fixed, and also the system registration deadline has been extended until 1 March 2003.
On 13 March 2003, the Saeima passed a law “Amendments to Code of Administrative Violations of Republic of Latvia” adding regulations laying down administrative responsibility for offences in the field of protection of personal data as well as regulations authorizing the Data State Inspectorate to impose administrative penalties for these offences.
In the light of future operation of Data State Inspectorate and legislation, it is worth mentioning the Electronic Document Law passed by the Saeima on 31 October 2002, which stipulates that Data State Inspectorate is a supervisory institution of reliable certification service providers, and also that the Inspectorate shall perform accreditation of the reliable certification service providers.
Some progress has been achieved in raising the capacity of the Data State Inspectorate and in improving its organizational structure. In 2002, in conformity with the funding granted, the number of employees was increased, thus enabling the Data State Inspectorate to create its Control and Information System Security Division and Registration Division.
International cooperation and international activities play an important role in the functioning of a personal data protection supervision institution, because the flow of personal data in the age of information technologies is a dynamic process encompassing the whole world. In 2002, representatives of the Data State Inspectorate had an opportunity to participate in the Working Party for Article 29 of Directive 95/46/EC, in the annual global meeting of directors of personal data supervision institutions, and in the meeting of the directors of Eastern and Central European personal data supervision institutions. Employees of the Inspectorate went on an experience exchange visit to the Personal Data Supervision Institution in Berlin.
In the foreseeable future, the PHARE-funded project “Data State Inspectorate” endorsed in 2002 will play an important role in raising the working capacity of the Data State Inspectorate.
At a time when Latvia is preparing for its accession to the EU, it is important to proceed with augmenting the role of the Data State Inspectorate, and also with putting into practice the regulations of the Personal Data Protection Law and the fundamental principles of human rights in respect to the inviolability of personal life.

Ms Signe Plumina
Director of Data State Inspectorate

 

 

Contents:

1.  Basic Functions and Responsibilities of Data State Inspectorate
2.  Registration of Personal Data Processing Systems with Data State Inspectorate
3.  Complaints and Applications on Violations in Personal Data Processing
4.  Public Awareness Raising
5.  Drafting of Legal Acts
6.  International Activities of the Data State Inspectorate
7.  Information on Utilization of State Budget Funds
8.  Structure of Data State Inspectorate
9.  Staff and Training
10. Internal Audit
11. Major Tasks and Activities Planned to be Performed in 2003

Basic Functions and Responsibilities of Data State Inspectorate

Data State Inspectorate (hereafter – DSI) is a public administration institution operating under the Ministry of Justice pursuant to the Cabinet’s Regulation No. 408 of 28 November 2000 “Statute of Data State Inspectorate”.
The DSI commenced its work in 2001 and is operating in accordance with the Personal Data Protection Law, which in Article 29 (3) lays down the responsibilities of DSI.

The responsibilities of DSI in the field of personal data protection are:
1) to ensure the compliance of personal data processing with requirements of this law in the state;
2) to pass decisions and review complaints related to personal data protection;
3) to register systems of personal data processing;
4) to initiate and perform activities directed towards more effective protection of personal data and to give opinions on the compliance of personal data processing systems to be developed by the state or municipal institutions with requirements of legal acts;
5) jointly with the Public Records General Office of Latvia, to decide on personal data processing systems to be handed over for storage at public records offices;
6) to grant accreditation to persons (entities) wishing to perform system audits of state and municipal personal data processing systems according to procedures provided for by the Cabinet of Ministers.


Registration (notification) of Personal Data Processing Systems

Until 2 May 2003, the DSI Registration Division had received 10 373 applications to register personal data processing systems. 9552 personal data processing systems have been registered.
Nearly 400 data controllers – public institutions – have registered their personal data processing systems. Also approximately 1000 personal data processing systems of data controllers – municipal institutions – have been registered. Registration procedures have been completed also by 26 non-governmental organizations, among them – two political parties.

The publicly available part of the information on personal data processing systems registered with the DSI is available on the Internet website www.dvi.gov.lv. The website also contains the forms for Personal Data Processing System Registration Applications and instructions for filling them in, as well as legal acts concerning the area of personal data protection. In order to streamline and facilitate the registration process, the registration application forms have been redesigned and made simpler and clearer; as a result, confusion and the number of questions about items in the form have diminished, while the range of questions about substance has increased. Employees of the DSI Registration Division provide up to 30 consultations a day regarding the registration process, face-to-face at Kr. Barona Str. 5 – 4, by telephone, and electronically by e-mail. The DSI Registration Division regularly provides opinions, statements and information to various state and municipal, as well as private, organizations concerning the registration of personal data processing systems.

Although a lack of understanding of the significance and necessity of the process is often encountered, active dialogue and explanation make it possible to achieve, on an individual basis, an understanding of personal data protection and human rights, of their relevance to the registration of personal data processing systems, and of the DSI’s role in and connection with it.

In order to facilitate the process of registration of personal data processing systems, various internal legal acts were developed and improved (decree “On Holders of Information Resources and Holders of Technical Resources”, amendments to decree “On Procedures of Registering Personal Data Processing Systems”, etc.). The circulation and coordination of registration documents has been upgraded. The time-limits for examining registration applications have been shortened, thus improving the operation of the Registration Division, and its capacity has been increased. In future, the organizational part of the registration process will still require certain streamlining, and human resources will need to be expanded.
It is essential to cooperate with municipal offices, because these offices hold a considerable number of personal data processing systems, many of which are parts of comprehensive public records that require advanced legal, technical and organizational measures concerning personal data processing systems. It is commendable that municipal governments and their offices understand the necessity of improving the quality and security of personal data processing in substance and not merely formally, and this leads to dialogue.
Although controllers of personal data processing systems refer to their financial inability to provide adequate protection for personal data, the primary shortcomings that may cause harm to individuals when their personal data is processed in violation of legal acts are those related to organizational offences. Often, data controllers have not even documented the circulation of data in the company or institution. However, consultations on these issues clarify matters and identify, already during the registration process, the scope of issues requiring the DSI’s involvement to help with a solution. The above applies not only to municipal and public institutions, but also to health-care establishments, private companies, organizations, etc.


 

Complaints and Claims on Violations in Personal Data Processing

The DSI continues its work in dealing with complaints from individuals and legal entities and explaining the legal aspects of personal data protection.
During the period covered by this report, the DSI received 86 complaints and claims on potential violations of personal data protection regulations, not counting cases in which a data subject, after a consultation on a potential violation of the provisions of the Personal Data Protection Law, did not lodge a complaint or claim with the DSI. Apparently, in these cases the data subject, upon receiving a consultation from a DSI employee, exercised his or her rights in relations with the data processing system controller and the object of the offence was eliminated. The DSI Control and Information System Security Division provides a daily average of 5 consultations on data subjects’ rights in cases of potential violations of the Personal Data Protection Law, as well as on the responsibilities of personal data processing system controllers towards data subjects, etc.
On the basis of claims, complaints, as well as information published in mass media, 71 inspections have been carried out. 15 claims on offences and problems beyond the scope of DSI have been forwarded to the responsible institutions.
The complaints received highlight the most topical problems in personal data processing and concern the public, municipal and private sectors. As in the previous year, these complaints represent the typical offences against personal data protection:
processing of personal data without a legal basis, and also processing of personal data that does not comply with the principle of correspondence between the goal and the extent of data processing;
violation of data subject’s rights.
At the same time, the conclusion is that the amount of work for the Inspectorate has increased not only due to the increase in the number of complaints but also because problematic situations are identified increasingly often in fields related to precise interpretation of the Personal Data Protection Law in the context of implementing the legal regulations and practice of the European Union, and also due to improvements in the industry-related legislation of Latvia.
The DSI Control and Information System Security Division, based on the basic principles of personal data protection, has developed a classification of these complaints according to their character. Complaints and claims on potential offences may, to a certain extent, be divided into the following five groups:

1. Processing of personal data without a legal basis;
Articles 7 and 11 of the Personal Data Protection Law

(unlawful transferring of data to a third party, processing of data after achieving the purpose of data processing system, making data publicly available)


2. Violation of the principles of proportionality of personal data processing;
Article 10 of Personal Data Protection Law

(the extent of personal data that the employer is authorized to require from the employee, contents of administrative offence protocol)


3. Violation of the principles of reliable and fair processing of personal data;
Articles 10 and 26 of Personal Data Protection Law

(open delivery of notifications and bill containing personal data, documents lost in the process of delivery)

4. Failure to notify the data subject;
Articles 8, 9 and 15 of Personal Data Protection Law

(a medical establishment refuses to comply with data subject’s request to get acquainted with all records on him/her at the disposal of the particular medical establishment)

5. Failure to ensure quality of personal data;
Article 10 of the Personal Data Protection Law

(as a result of changing personal identification documents, inaccurate entries have been made in a passport, and the differences from the data contained in databases prevent crossing the border; due to out-of-date information, an already paid debt is collected).

In order to facilitate compliance with and understanding of regulations on personal data protection, as well as to improve the security of data processing, it is essential to identify the areas where personal data protection regulations are violated more often than in others, and also to determine the current character of the violations that cause the greatest harm and are of the greatest concern to data subjects.
After analysis of complaints received at the DSI Control and Information System Security Division, it was established that unlawful processing of personal data, including processing without the consent of the data subject, is performed mostly by business companies and municipal enterprises, while complaints about the quality of data usually refer to public and municipal offices.
In order to simplify the lodging of complaints with the DSI Control and Information System Security Division, two hotlines for claims and complaints have been installed.
On telephone number 7223335 one can receive consultations or lodge complaints in respect to potential breaches of privacy. In order to accelerate the complaint examination proceedings and to streamline the procedure, the employees of the DSI Control and Information System Security Division write down the dictated complaints and start an inspection.
The other telephone line, 7223336, operates as an answering machine and provides an opportunity to inform the DSI about violations regarding the processing of personal data.

The following is information provided by the DSI regarding the complaints received and inspections performed. The cases below should be regarded as the typical breaches of the Personal Data Protection Law and the typical fallacies with regard to application of provisions of the law.


1. Processing of personal data without a legal basis

The general conclusion drawn regarding violations of personal data protection is that processing of personal data without a legal basis is the area where proportionally the highest number of complaints has been received, and it concerns a whole spectrum of situations in personal data processing. Typically, these violations are related to the transfer of data to persons not considered to be authorized to receive the information, as well as processing of personal data for inappropriate purposes. The DSI has received complaints about employees of public establishments who have unlawfully disclosed information to interested persons, about businesses that exploit every method (including unlawful ones) to attract clients or advertise their product or service, ignoring the principle of inviolability of personal life, and also about doctors who have failed to ensure the confidentiality of patients’ data.
Lately, there have been many offences in the area of making blacklists or lists of debtors public, and this applies both to the activities of municipal enterprises and to databases created by private enterprises. Comparatively often people have complained about actions taken by house management offices: posting on the front door of a block of flats a list of personal data of people who are in debt for public utility services (name, surname, number of the flat and amount of debt), thereby identifying a specific person. Thus, in one inspection case it was found that a municipal enterprise managing rural municipality houses was making public the debt liabilities of house tenants in the manner described above. Additionally, the DSI checked the complainant’s information that the enterprise, for the purpose of assessing the particular debtor’s paying capacity, had made inquiries about the amount of salary of the complainant’s close relative at the company where this relative works. Although the latter fact was not confirmed during the inspection, the DSI, acting under Article 29 (3), Paragraph 1 of the Personal Data Protection Law to ensure compliance of personal data processing in the State with the requirements of this Law, ordered the municipal enterprise to discontinue the unlawful processing of personal data by posting the lists mentioned on building doors, and henceforth to comply strictly with the requirements of the Personal Data Protection Law.
Another person filed a complaint about a house-manager’s office because it had handed over personal data of its debtors to a debt administration company for it to collect the overdue payments, without the person’s consent to placing this data in a credit history database. This fact was verified during the inspection, and as a result the DSI demanded that the house-manager’s office ensure that henceforth the data of people who have not fulfilled their debt liabilities towards the house-manager’s office and whose debts are assigned for collection to the debt administration company mentioned are not included in this company’s credit history database, unless the person has granted consent. Moreover, the DSI obliged the house-manager’s office to ensure that the data of those data subjects who have not consented to the inclusion of their personal data in such a database are removed from the debt administration company’s credit history database on private individuals.
The passing of personal data to a debt administration company has a legal basis pursuant to Article 7, Paragraph 3, since such an obligation and right is provided for by Article 2289 of the Civil Law on the legal aspects of the contract of authorization.
Although both of the examples above concern unlawful activities of house-manager’s offices in the field of personal data processing, offences committed by these institutions are only part of the violations in the field of personal data processing; violations are also identified in the operation of other types of enterprises. Some of these offences relate to companies unlawfully acquiring personal information and passing it to other companies, which subsequently use it to pursue their commercial interests.
For instance, cases have been established in which companies exchange information among themselves about transactions performed by potential or existing clients in other enterprises, or other information concerning a client’s paying capacity. Such processing of personal data requires a legal basis.
An insurance company offers insurance services while citing transactions the person has concluded with other insurance companies; an LLC obtains personal data from another LLC and sends a person a notification of winning a lottery; shortly after purchasing a car from one company, a person receives a personally addressed offer of car maintenance services from another company engaged in selling spare parts and car repair (the services of this company have never been used before) – these are just a few examples that indicate potential violations in the area of personal data processing. Among leasing and other financial intermediation companies, moreover, it is quite a widespread practice to refuse to render a service or sell a product in a way which indicates that the company has at its disposal data on other transactions performed by the person (in these cases, the question arises as to how such data about a person can be obtained). The following examples are essentially similar to those described above and should be included in the “group” of personal data processing violations that could be regarded as personal data processing without a legal basis: after a debt liability has been settled, personal data is kept in a corporate database, which causes problems when purchasing goods using leasing services; personal data is checked by telephone, in the presence of the client, by making inquiries to “local” databases known only to the company itself (currently, such situations have given rise to well-grounded suspicions, but the facts have not been verified during inspection); when a person was making a deal with an LLC, personal data was processed, and although the person eventually refused to conclude the deal, it was subsequently found that the personal data processing system already contained data about that person (the person contacted the LLC again regarding conclusion of a different deal), etc.
To expand on the topic of potentially unlawful activities of leasing and other financial intermediation companies in processing personal data, it must be admitted that the DSI has not managed to prove any of the above-mentioned cases because, as opposed to other offenders who often break the Personal Data Protection Law due to a lack of understanding or ignorance, this group is well aware that these are unauthorized, administratively punishable deeds and attempts to conceal the state of affairs. Moreover, indirect evidence shows that the majority of leasing and other financial intermediation companies obtain part of the unlawfully processed data from public institution registers, including law enforcement body registers and registration systems.

It should be noted, however, that an exception to the above-mentioned unlawful publication of debtors’ lists currently relates to the “Debtors’ Register Regulations” (issued pursuant to Article 106 (4) of the Credit Institutions Law), approved by Decree No. 99/4 of the Bank of Latvia Council on 16 January 2003, which legitimize the debtors’ register as an information system of the Bank of Latvia. The register provides for the collection of information about debtors and the credits issued to them, and its centralized accumulation and permanent storage, for the purpose of providing it to banks, the Financial and Capital Market Commission and debtors themselves as stipulated in legal acts of the Republic of Latvia (Clause 1.1 of the regulations). The participants of the register are all banks, and the regulations stipulate that banks have to provide information to the register on the borrower and the credit issued if any of the cases referred to under Clause 2.1 occurs (the borrower has been failing to make payment under the credit agreement for a period exceeding 60 days, if the amount of payments is not less than 100 lats or the equivalent in foreign currencies; has failed to meet the requirements of Article 73 of the Credit Institutions Law regarding provision of information to the bank on its financial standing or property, including encumbrances on property; or has committed other violations of the credit agreement that are substantial in the bank’s judgement).


Another example of processing personal data without a legal basis concerns marketing activities and processing of personal data carried out by a company after the contractual relations between the data subject and the seller (or service provider) have been terminated. The DSI received a private individual’s application containing claims against processing of personal data performed by an LLC: promotional materials offering particularly beneficial credit terms at this financial intermediation company were sent to the data subject in a personalized letter. Taking into account the complainant’s doubt as to whether there was a legal basis for acquiring the personal data, the DSI carried out an inspection. The inspection found that the LLC had obtained the personal data about the particular person on the basis of a contract concluded between the person and the LLC. The contract did not provide the LLC with express rights to process personal data after fulfilment of the contractual liabilities. The DSI demanded that the LLC stop processing any personal data, including sending notices and similar promotional materials to the data subject.

Breaches in the medical field should be mentioned separately; one of the most characteristic examples of personal data use there is the placing of a list of patients on the door of the doctor’s consulting room. The DSI received a complaint about a certain healthcare centre where two types of lists of the sequence of doctor’s consulting hours are created: a list that is placed on the door of the doctor’s room and contains such types of personal data as the patient’s name and surname; and a list containing the patient’s name, surname, address, date of birth and consulting hour (handed over to the doctor who consults the people covered by the list). In addition, the complainant was dissatisfied with the procedures of personal data processing in this healthcare centre when registering for a doctor’s consultation by telephone and when paying for services provided by the healthcare centre. For the former, the patient’s name, surname, identity number and address were used, while the electronic cash register’s receipt issued by the healthcare centre for the services received contained the patient’s name, surname and identity number.
To establish whether there is a violation of personal data processing in such a case, it is necessary, in accordance with the Personal Data Protection Law, to correctly assess the circumstances of personal data processing, taking into account the goal and scope of data processing pursuant to Article 10, Paragraph 2 of the Personal Data Protection Law. As regards personal data processing by phone, no offence was established, considering that the goal of processing the person’s data was to identify the person precisely, which is required for receipt and administration of a healthcare service and corresponds to the legal basis provided for in Article 11, Paragraph 5 of the Personal Data Protection Law.
However, the legality of making patients’ lists public should be evaluated based on the extent to which the processing of the personal data allows the person to be identified. Considering that placing a list of patients registered for a visit on the door of the doctor’s room indirectly points to the person’s health condition, and in compliance with the provisions of Article 50 (1) of the Medical Law regarding guaranteeing confidentiality of personal data, the DSI, pursuant to Article 29 (4), Paragraph 3, requested the particular medical establishment to stop placing such lists on the doctors’ consulting room doors.
As to the inclusion of personal data (patient’s name, surname, identity number) in the electronic cash register’s receipt for services received, the Data State Inspectorate, having assessed the relevance of this data processing to the special legal acts and obtained the opinion of the State Revenue Service, concluded that legal acts governing the use of cash registers do not lay down a mandatory requirement to record the name, surname and identity number of the recipient of the service in the electronic cash register’s receipt. Hence, the healthcare centre was instructed that the inclusion of personal data in a receipt is legitimate only if this is done in the interests of the data subject (patient) and to ensure his legitimate rights, and if express consent from the data subject has been received.

The fact that information concerning personal data draws increasingly large attention is also illustrated by the recent events regarding marketing activities of pharmaceutical companies. Several Latvian newspapers had acquired information that pharmaceutical companies, assisted by doctors, carry out shady studies on the effect of particular medications on patients. According to a doctor at a large clinic, a physician with 20 years of experience, her attention was attracted by a peculiar inquiry form in her colleague’s room, on which, among many other surnames, she recognized the name, surname and identity number of a certain well-known individual; later on the doctor also encountered another inquiry form by means of which company “B.G.” collects information about its patients. As it turned out later on, in the first case the colleague used the form to record personal data (including diagnoses) of his/her patients - users of medication “G…….”, and both the inquiry forms filled out by the doctor were meant for the needs of agencies of foreign drug manufacturers. When asked for explanations, one of the representatives involved in the study, the director of company “R.B.”, admitted to reporters that the company does receive patients’ data; however, the data submitted by doctors is further summarized and used without the surnames of patients, leaving the ‘real’ forms at the agency’s office. Initially, reportedly, they could not dispense with surnames in the records, in order to ensure that doctors do not provide false data, and also in order to be able to find out the reasons in cases when medication has turned out to be ineffective for a patient.
In the course of the investigation, the DSI specialists pointed to the potential breach of the Medical Law and Personal Data Protection Law, and cooperation with the Ministry of Welfare was commenced, indicating the requisite measures in respect of clinical research and usage observation of drugs and pharmaceutical products in accordance with requirements laid down in the Personal Data Protection Law and other legal acts. Pursuant to Article 21 of Personal Data Protection Law, all public and municipal institutions, other private individuals and legal entities that perform or wish to commence processing of personal data and create personal data processing systems must register them with Data State Inspectorate. Hence, the abovementioned also applies to personal data processing systems that have been created in the process of clinical research and usage observation of drugs and pharmaceutical products, and, as a result, the Data State Inspectorate continues the work on registration of the corresponding personal data processing systems with the DSI and implementation of the necessary amendments to legal acts governing these fields.


2. Violation of the principles of proportionality of personal data processing – the accordance between the goal of data processing and the extent of personal data.

Article 10 (1), Paragraph 2 of Personal Data Protection Law stipulates that the data controller has to ensure that the personal data processing takes place only according to the intended purpose and to the extent necessary for it. The DSI found an inconsistency with the provisions of this article when examining a private individual’s complaint about an institution authorized to impose administrative penalties, whose administrative offence report requires data to be indicated not only regarding the essence of the offence and information identifying the offender (name, surname, identity number and place of residence) but also regarding the offender’s registered address, marital status, number of children in the family and age of the children.
In this regard DSI had started an investigation in order to determine whether the data contained in the said administrative report conforms to the Personal Data Protection Law and the Code of Administrative Violations of Republic of Latvia. As a result of the investigation, the DSI got acquainted with the contents of report form issued by the administrative penalty imposition institution, and established that the particular subject was authorized to perform processing of personal data on the basis of Article 7, Article 3 of the Personal Data Protection Law. However, in performing processing of personal data, this institution, as a controller of personal data processing system, pursuant to Article 10 (1), Paragraph 2 of the Personal Data Protection Law, has to ensure that the personal data processing takes place only according to the intended purpose in compliance with the goals of personal data processing provided for in the Code of Administrative Violations of Republic of Latvia, and to the extent necessary for it. The DSI, having assessed contents of the report, has found that the extent of data required in the report is not proportional to the goal of personal data processing. Thus, in respect to the required registered address of the person it is established that it does not have a legal basis pursuant to Article 248 (2) of the Code of Administrative Violations of Republic of Latvia, which stipulates that the report on the offender has to contain the following data: name, surname, year and place of birth, place of employment, occupation or post, residence, but it does not require that in addition to the person’s address of residence the person’s registered address should be indicated.

But in respect to data requested in the report on the person – marital status, children and their age – the wording “other information” mentioned in Article 248 (2) of the Code of Administrative Violations of Republic of Latvia was analysed – “in the report, the following shall be indicated about the offender: his name, surname, year and place of birth, place of employment, occupation or position, residence and other information that may bear significance in examining the administrative offence case.”. In this case this notion should be construed as compliant with the goal of personal data processing. Thus, with regard also to provisions of Article 32 (2) of Code of Administrative Violations of Republic of Latvia on circumstances, the DSI concluded that furnishing of the personal data, which does not need to be provided according to the goal of personal data processing and under the provisions of Code of Administrative Violations of Republic of Latvia, but which may, however, affect the type and extent of the administrative penalty to be imposed, is the person’s right not obligation, i.e., in order for the person to fulfil the rights provided for by the Code of Administrative Violations of Republic of Latvia. 

Bearing in mind the abovementioned and in order to ensure that the personal data processing takes place according to the intended purpose, DSI requested the responsible institution to remove from the report certain types of information requested – “registered address”, and also “marital status, children”, and to include information type “other information” indicating that this Article may be used to indicate necessary information that may bear significance in examining the administrative offence case and that corresponds to the goal of personal data processing (also information furnished by the person having committed the administrative offence him/herself, this way exercising the right granted by the Code of Administrative Violations of Republic of Latvia).

Concerning the proportionality of personal data processing, the DSI also had under its inspection a case where the actions of a company, the owner of a well-known large grocery chain-store, demonstrated that this LLC as an employer intervenes in employees’ personal life. Namely, the job application form developed by the LLC requires information about the personal life of prospective employees, including marital status, relatives, possession of movable property or real estate, as well as criminal record and other issues which, pursuant to the provisions of Article 33 of the Labour Law (“Job Interview”), are considered discriminatory and may not be a part of a job interview unless they may play an essential role in the job.
Reportedly, the said form was intended for job applicants and it makes a reservation that the LLC is authorized to verify the validity of information furnished with the corresponding institutions. In addition, although it is indicated that the form is filled out by an employee already hired it contains several standards suggesting that the form is intended for applicants. The form is offered to be filled out on a voluntary basis, however, as rightly pointed out by representatives from the State Human Rights Office involved in inspecting the case, the very request to fill out the form holds a legal significance since by the essence it is discriminatory. The LLC representatives justified the use of information furnished in the security interests of the company.
The role of DSI in resolving the abovementioned matter was connected with participation of its representative in a round-table discussion at the State Human Rights Office on the employer’s rights to intervene in the personal life of employees. There, the opinion of the DSI coincided with the position of the State Human Rights Office specialists regarding the employer’s rights to request from employee only such information, which is necessary to assess the employee’s professional adequacy for the particular job.
At the end of the discussion, the LLC’s representative admitted that the form contains, in her words, “inaccuracies”. Following the DSI’s request, the use of this form was revoked by order of the company’s director.

 

3. Violation of the principles of reliable and fair processing of personal data

A typical example of violation of the principle of reliable and fair processing of personal data is the sending of pay-books (for electricity, tax payment notifications) that contain person’s name, surname, identity code, address without an envelope or sending of information containing personal data by an unregistered letter.
In 2002, the DSI received the greatest number of complaints about sending the mentioned pay-books without an envelope by state and municipal institutions, including several rural municipality councils. Namely, notification to pay real estate tax, which pursuant to Article 6 of the Law on Real Estate Tax, has to be sent by the rural municipality council to the payers of real estate tax, contains personal data – name, surname, identity number, taxpayer’s residence address of location, address of the real estate and other information about the real estate. Sending notifications to tax-payers without envelope falls short of the requirement to provide protection to information contained therein, which gives an opportunity to people not considered authorized to obtain such information under the law, to freely access personal data. Thus, individual’s right to inviolability of personal life is not ensured.
An analogous situation also exists concerning the sending of pay-books, but in this case they contain data about electric power consumption and the name, surname, identity number and address of an individual (consumer). The DSI, based on the already mentioned Article 29 of the Personal Data Protection Law, has always notified the particular data controller of the necessity to send the respective pay-books in a way that ensures confidentiality of personal data.
It should be noted that lately a similar problem has also been observed in connection with orders from certain goods catalogues, which are accompanied by order forms requesting, in addition to the product name, the person’s name, surname, identity number, client number (if registered as the company’s client), address and telephone number. The filled order forms are offered to be sent without an envelope, because the form contains a note that the postal expenses are covered by the company with whom contractual relations will be established.
However, unreliable processing of personal data may turn out to be particularly harmful in cases when sensitive personal data is involved, as happened at the end of the year with an ambulatory patient’s card registered with a certain healthcare centre. In the course of a criminal case investigation, police officers, having requested the ambulatory card from the healthcare centre and received it in a registered letter, were unable to provide for proper returning of the document; as a result, the medical history was found scattered on the street in Riga. Evidently, the police office, in an attempt to economize funds, had not sent the ambulatory card by registered letter or by courier, but had instead just dropped it in one of the post office boxes in the city.
After examining the facts of the case regarding this event described in the press, the DSI notified the respective police office of the necessity to take steps towards ensuring safe processing of personal data, which resulted in confirmation being received of changes made to the document circulation procedures, which now prescribe delivery of sensitive personal data only as a registered consignment.

 

4. Failure to notify the data subject – in violation of individual’s right to receive information in cases provided for by the PDPL.


A striking example characterizing the mentioned group of personal data processing violations is a case which could conditionally be referred to as “S. versus healthcare centres A, B, and C”. A certain individual S., exercising the data subject’s rights provided by Article 20 of the Personal Data Protection Law, had lodged a complaint with the Data State Inspectorate on personal data processing performed by several healthcare centres; in particular, the claim arose due to the refusal of healthcare centres A and B to issue copies of the patient’s medical record and due to information given by healthcare centre C that the patient’s ambulatory card, after the individual’s request to issue it, was not found at the medical centre. S. in the complaint rightly pointed out that the first two cases are a violation of Article 15 of the Personal Data Protection Law, which provides for the data subject’s right to obtain all information that is collected in any personal data processing system; concerning the acts of healthcare centre C, however, non-compliance of the data controller’s actions with Article 10, Paragraph 3 and Article 25 of the Personal Data Protection Law may be considered, which, respectively, specify the data controller’s duty to ensure that “the personal data are stored so that the data subject is identifiable during a relevant period of time (..)” and “an obligation to apply the necessary technical and organisational measures to protect personal data and prevent their illegal processing (..)”.

Interestingly enough, both of the mentioned healthcare centres A and B based their refusal to furnish information about the person’s health condition (copies of medical record) on Article 50 of the Medical Law, which stipulates that data on patient’s treatment, illness diagnosis and prognosis, as well as information that medical staff, in the course of person’s treatment, has obtained regarding patient’s and his close relative’s personal life, is confidential (Article’s part one), but additionally healthcare centre A indicates that information on patient’s health may be provided only to persons mentioned under Article 50 of the Medical Law (other medical staff for treatment purposes, Health and Labour Capacity Expertise Doctors’ Commission, Quality Control Inspection for Medical Care and Labour Capacity Expertise; law-enforcement bodies) upon their request in writing. It is important to note that Article 50 of Medical Law indeed comprises a stipulation regarding the confidential status of patient’s health data, however, the article may not be viewed in isolation from other articles of the Medical Law, among them – Article 20 and 21, which in their turn, stipulate that patients are entitled to obtain information about the treatment process from doctor and other medical staff according to scope of their competence. The law’s Article 41 specifies that doctor has to receive patient’s consent to treatment, thus it is doctor’s duty to provide information about illness diagnosis, examination and treatment plan, other treatment methods and prognosis in a way that is understood by the patient. The doctor may not provide full information about illness diagnosis and prognosis only in the event if there are grounds to believe that such information may aggravate the patient’s health condition (Article 41).
Further, healthcare centre B had pointed out to S. that, in respect of Article 15 of the Personal Data Protection Law on the application of data subject’s rights, the rights and procedures of disclosing information are governed by the Medical Law, since Article 15 of Personal Data Protection Law provides that “(..) a data subject has the right to obtain all information that has been collected concerning himself or herself in any system for personal data processing, unless the disclosure of such information is prohibited by law (..)”; while pursuant to Article 20 of Medical Law the individual was entitled to obtain information about the diagnosis of his/her illness, examination and treatment plan only during the period of time when the person underwent treatment at the healthcare centre and had the status of a patient. At the moment of inquiry S. was no longer a patient of the healthcare centre, nor among the persons referred to under Article 50 to whom information about the patient’s treatment process could be provided. Thus the representative of healthcare centre B, on the basis of Article 15 of the Personal Data Protection Law and Articles 20, 21 and 50 of the Medical Law, took the position that the administration of the healthcare centre is neither authorized, nor obliged, to provide copies of the documents requested by S.
In this case, Data State Inspectorate, after assessing all the case materials and considering that at the moment of addressing the request to the medical institutions the individual S. did not have the status of a patient due to termination of treatment at the mentioned institutions, nevertheless established that the refusal of healthcare centres A and B to provide information about the patient’s treatment process may not be based on Article 20 and 50 of Medical Law, because Article 15 of the Personal Data Protection Law provides for the data subject’s right “to obtain all information that has been collected concerning himself or herself in any system for personal data processing (..)”, and this results in a situation where the stipulations of one law narrow the provisions of another law. Specifically, here we can speak of the range of persons, as narrowed by the Medical Law, who are authorized to see information about the diagnosis of their illness, examination and treatment plan – according to this law they are only those persons that have the status of a patient, but according to Article 1, Paragraph 11 a patient is a person who is treated or who is registered with any medical staff members and, if necessary, treated. Since the aforementioned indicates that a contradiction arises between two legal acts of equal legal force, Article 8 (2) of the Law “On procedures of promulgation, issue and enactment, and validity of laws and other acts passed by Saeima, President of the State and the Cabinet” is applicable, which stipulates that in the event of establishing a contradiction between legal acts of equal legal force, the latest legal act shall prevail, which in the context of the case in question is the Personal Data Protection Law.
Taking into account the above mentioned and being of the opinion that the refusal of the said medical institutions to comply with the patient’s request to provide him/her with a copy of the medical record should be considered a violation of Personal Data Protection Law, Data State Inspectorate, on the basis of Article 29 (4), Paragraph 1 of the Personal Data Protection Law, instructed healthcare centres A and B to notify the person S. of the date and time when S. will be able to obtain a copy of his/her medical record, while healthcare centre C was instructed to restore S.’s medical record and to notify S. of the date and time when S. could receive the information referred to in this document in writing.


5. Failure to ensure quality of personal data processing

In this area, complaints are related to inaccurate or distorted data processed by a personal data processing system controller, and concern incorrect representation of a person’s name or surname in documents (passport, birth certificate) and the writing of the name of a real estate owned by a person; there have also been cases when other personal data has been distorted (for instance, an incorrect passport validity date has been put on the passport, which causes problems for the person when crossing the border). The Inspectorate received a complaint from a student who expressed his discontent with the number of the student identity card given by a higher education establishment, because the initial part of its symbol combination contained a sequence of letters representing the study programme where the person was first registered, and which are determined by the director of the study information centre. In this case, the essence of the claim was that the student, after enrolment, was registered at his own wish in another study programme, but the number of the student identity card remained the same. Feeling a certain discomfort in this respect, the student applied to the director of the study information centre, who objected to modifying the student identity card number according to the string of letters that represents the faculty where the person currently studies, and rejected the corresponding request. The director of the study information centre justified the refusal by the fact that the number of the student identity card, in the system of characters identifying the student, links him to all information accumulated in the study register, and also allows identifying the person if that is necessary in relations with other institutions.
Having considered materials of the case and assessed the compliance of the said data processing with the Personal Data Protection Law, the DSI concluded that in the particular case the legal basis for assigning numbers of student identification cards is the corresponding decree of the educational establishment’s dean, where the established criteria of forming numbers of student identification cards was compliant with the personal data processing performed, thus, the Inspectorate acknowledged the study information centre director’s proceedings legitimate and compliant with the Personal Data Protection Law.

Regarding the quality of data, another case is worth mentioning, which demonstrated that the notion of data accuracy referred to under Article 10, Paragraph 4 of the Personal Data Protection Law may be interpreted in its broadest sense. A certain individual’s complaint contained a claim against the actions of a well-known Latvian debt administration company acting on behalf of a cable television company.
The essence of the matter: a person had concluded a contract with an LLC (hereafter – TV service company) on provision of services in a cable television network, and one clause of the contract also contained a reservation that the company shall be entitled to furnish information about the subscriber and his debt to third parties. In the course of the contract, the person’s flat was robbed and, as a result, the TV decoder was also stolen; this was reported both to the police and to the TV service company. The LLC demanded payment of double the value of the stolen decoder, but the person refused to pay. The dispute was being resolved by correspondence with the management of the TV services providing company.
After a considerable period of time the person received a notification from the debt administration company acting on behalf of the TV services company, warning that if the debt is not paid to the TV services company, the person’s personal data will be entered into a database created by the debt administration company, which may substantially worsen the person’s credit history and in future debar the person from obtaining goods on credit or leasing, receiving bank credits and other services.
Hence, taking into account the abovementioned and considering the fact that settlement process is taking place between the TV services company and the subscriber and the amount of debt is being agreed upon in mutual negotiations of the parties, the complainant was of the opinion that the debt administration company has no legal basis to act in the aforementioned manner until the moment when settlement is reached.

Due to the conditions described, the DSI carried out investigation during which it was found that there is an agreement concluded between the said TV services company and debt administration company on collection of overdue payments and non-returned hardware (decoders and remote controls) from debtors to TV company, according to which the debt administration company may use information obtained within scope of the agreement for creating database of recorded payments and collections made and for credit assessment.

Based on the agreement concluded, the TV service company submitted an application to debt administration company, who for its part commenced a collection case on ensuring fulfilment of private individual’s (subscriber’s) liabilities towards TV service company.

After evaluating the legal basis of personal data processing performed by the said two companies, the procedures of personal data processing and its compliance with the Personal Data Protection Law, considering the fact that due to challenge of the debt liabilities the TV services company did not have the right to submit application to debt administration company pursuant to the abovementioned agreement concluded between the companies, the DSI has established that TV services company has violated Article 10 (1) Paragraph 4 of the Personal Data Protection Law. Thus, the TV service company, by submitting data of the individual (subscriber) as a debtor to debt administration company, has failed to ensure accuracy of personal data in accordance with provisions of this paragraph, which has been pointed out to the company and the company has been instructed to henceforth comply with the legal provisions on personal data protection.

Lately, potential offences related to the work of mass media have also gained certain currency. It may be a subject of dispute how ethically justified was the action of a well-known Latvian newspaper in publishing an image of a car owned by a high-ranking official with the vehicle registration plate clearly visible and information identifying the vehicle’s owner. Considering the newspaper’s action an intervention in personal life without the consent of the data subject, the official submitted a complaint to the DSI requesting it to assess the state of affairs in line with the legal aspects of personal data protection. Taking into account the fact that the general conditions of personal data processing are provided under Article 7 of the Personal Data Protection Law (in case of sensitive personal data – also Article 11), and derogation from the general personal data processing principles is prescribed by the law’s Article 5, the DSI furnished the following information to the person: pursuant to the mentioned Article 5, the newspaper was authorized to process personal data for journalistic purposes; moreover, pursuant to Article 22 of the Law on Press and Other Mass Media, the newspaper has the right not to disclose the source of information, unless demanded by a court in order to protect the individual’s or essential public interests. Considering also that the investigation carried out did not confirm an illegal transfer of data from the public register of vehicles, the DSI has established no violation of the Personal Data Protection Law.
However, the ethical question remains open as to what the extent of risk the mentioned publication caused regarding illegal application of information contained there, taking into account the excessive scope of data published (name, surname, post, brand of car, type, vehicle identification number, colour and the approximate price), in relation to what it should be underlined that also Article 5 (2) of the Personal Data Protection Law contains reservation that provisions of first part of the Article about personal data processing for journalistic, artistic and literary purposes are applied taking into account person’s rights to inviolability of personal life and freedom of speech. 
However, the so-called principle of “reduced privacy” should be mentioned, which means that an official, as a representative of the public sector, has to reckon with a certain “portion of publicity” in his/her work. For instance, Article 5 of the Law on State Secret provides for information that may not be a state secret, and this includes the salary rates, privileges, allowances and guarantees for state and municipal institution officials and employees. The same also applies to the declaration of property status of state officials according to the “Law on Prevention of Conflict of Interests in Activity of State Officials”, where Article 26 stipulates that the publicly available part of the declaration is all information comprised in the declaration except for the place of residence and identity number of the state official indicated in the declaration, of their relatives and of other people referred to in the declaration, and also partners in transactions, including debtors and creditors (part two and four of the Article). The third part of the same Article stipulates that, for the purpose of this law, public availability means the right of mass media employees as well as other individuals to get acquainted with declarations of any state official, and also to publish the information contained there.
 


 
 Public Awareness

In 2002, the DSI has ensured public awareness raising activities regarding the functions, goals and tasks of DSI. There have been publications in all the major Latvian newspapers. As part of cooperation between mass media and the DSI, consultations have been rendered, interviews and advice have been given on many aspects of personal data protection, the current problems, potential offences and proceedings of examination. The DSI employees have appeared on television and radio, informing the society about activities of the DSI, specific matters on personal data protection, as well as various aspects of legal acts governing personal data protection. Mass media receives information about the DSI topicalities on a regular basis.
Particularly, attention was focused on specialized publications. In cooperation with several newspapers’ and magazines’ supplements for accountants and lawyers, explanations and information regarding problems in personal data protection, registration of personal data processing systems and other current topics have been published.
In 2002, the DSI representatives have delivered more than 20 lectures on security issues of personal data processing systems, legal aspects of personal data processing and processing of personal data in state and municipal institutions and enterprises.
The DSI website (www.dvi.gov.lv) has been developed and is updated regularly. It contains information in Latvian, English and Russian on functioning of the DSI, legal acts governing the field of personal data protection, and current issues at the Inspectorate. Pursuant to requirements of the Personal Data Protection Law, the DSI website can be used to obtain information on the registered personal data processing systems.
To communicate with those interested, an information e-mail address (info@dvi.gov.lv) has been created, which gives an opportunity to efficiently get in touch with the DSI and to obtain the necessary information or consultations electronically. In 2002, more than several thousand interested persons used this e-mail address. Questions that do not require any further analysis are answered within one day.

 


 
Drafting of Legal Acts

During the reporting period, the DSI has drafted ten legal acts; among them, two draft laws and draft amendments to laws, seven draft regulations of the Cabinet of Ministers and one draft decree of the Cabinet of Ministers.

According to the delegated functions, the legal acts drafted can be divided into three groups:
with regard to area of Law on Electronic Document;
with regard to area of Personal Data Protection Law;
with regard to area of Freedom of Information Law.

Draft legal acts with regard to the Law on Electronic Document

Pursuant to Article 19 of the law “Law on Electronic Documents” adopted on 20 November 2002, the DSI has been established as the supervisory institution of reliable certification services providers, the duties of which include accreditation of the reliable certification services providers.
To ensure that accreditation of reliable certification providers is in conformity with requirements of the Law on Electronic Documents, the DSI has drafted a number of legal acts that will govern acquisition of status of a reliable certification services provider, procedures of accreditation, the minimum insurance, and will fix the state fee on accreditation etc.

“Regulations on the minimum insurance and procedures of calculating insurance indemnity for reliable certification services providers”
The draft regulation of the Cabinet of Ministers has been developed on the basis of Article 14 (5) of the Law on Electronic Documents adopted at Saeima on 31 October 2002.
This draft regulation of the Cabinet of Ministers determines the reliable certification services provider’s minimum insurance and prescribes procedures according to which insurance indemnity is to be calculated for damages incurred as a result of action or inaction of a reliable certification services provider.

“Information to be indicated in security description about information systems, equipment and procedures of certification services provision”.
The draft regulation of the Cabinet of Ministers has been developed on the basis of Article 12 (1) of the Law on Electronic Documents adopted at the Saeima on 31 October 2002.
This draft regulation of the Cabinet of Ministers stipulates the data to be indicated in security description about information systems, equipment and procedures of certification services provision.
Based on the data indicated, the DSI, prior to accreditation, will be able to assess the security of information systems, equipment and procedures of a reliable certification services provider.

“Procedures and timescale of security check on information systems, equipment and procedures of certification services provision”.
The draft regulation of the Cabinet of Ministers has been developed on the basis of Article 13 (3) of the Law on Electronic Documents adopted at Saeima on 31 October 2002.
This draft regulation of the Cabinet of Ministers lays down procedures according to which an expert included in list approved by the DSI shall check the security of information systems, equipment and procedures of certification services provision, and also the timescale within which the checks are to be performed.
Based on conclusion of the check and information provided by the expert, the DSI shall adopt an appropriate decision on accreditation of the reliable certification services provider or refusal of accreditation.

“Regulations on state fee for accreditation and renewal of accreditation of a certification services provider”.
On 9 October 2002, Saeima adopted a law “Amendments to law “On Taxes and Duties”” and supplemented the law with Paragraph 53 of Article 11 (2), which stipulates that the object of state fee is accreditation and renewal of accreditation of a certification services provider. Thus, regulations of the Cabinet of Ministers were drafted, which lay down procedures of paying the state fee, its rates and relief for accreditation and renewal of accreditation of certification services providers with the DSI.


Draft legal acts with regard to the Personal Data Protection Law

In order to eliminate imperfections in legislation, and also to continue alignment of legislation with requirements of the European Union, a number of legal acts have been drafted in the field of personal data protection.

“Regulations on state fee for registration of personal data processing systems and changes to be registered pursuant to the Personal Data Protection Law.”
The law “Amendments to Law “On Taxes and Duties”” adopted by Saeima on 9 October 2002 and the law adopted on 24 October 2002 “On Amendments to Personal Data Protection Law” stipulate that the object of state fee is registration of personal data processing systems and execution of changes required to be registered under the Personal Data Protection Law.
The amount of state fee for registration of personal data processing systems and registration of changes is moderate, and also a reduced rate of the fee has been fixed for small enterprises as defined by Article 17 (1) of the law “On Corporate Income Tax”. All enterprises that process or wish to process personal data are subject to payment of the fee (and thus also to registration with the DSI). The Personal Data Protection Law provides for exemption from registration for the most characteristic corporate systems – human resource and accounting systems where personal data is processed manually; thus, enterprises will not have the obligation to pay this fee. State and municipal institutions are also exempted from paying the state fee.

“Amendment to Law “On Convention of the Council of Europe on Personal Protection in Respect to Automatic Processing of Personal Data””.
The Republic of Latvia, in its international relations, has expressed a wish to conclude an agreement with Europol, thereby ensuring conformity with requirements of the Europol Convention; however, this requires harmonization of the current requirements of legal acts in respect to application of legislation on personal data protection to processing of information in the police sector.
On 24 October 2002, a law “On Amendments to Personal Data Protection Law” was adopted at Saeima whereby the application scope of the said law was extended also to personal data, which is recognized as state secret, insofar as the law “On State Secret” stipulates otherwise. Thus, the main requirement has been met in ensuring conformity of personal data protection with the European legal principles.
The legal regime of personal data protection is determined also by the Council of Europe Convention of 28 January 1981 on personal protection in respect to automatic processing of personal data that Latvia joined on 5 April 2001 by adopting law “On Council of Europe Convention on Personal Protection in Respect to Automatic Processing of Personal Data” (hereinafter – Convention). The law by which the Convention became operative, provided for derogations in its applicability scope, including also the police sector (field of criminal law). The draft law “Amendment to Law “On Council of Europe Convention on Personal Protection in Respect to Automatic Processing of Personal Data”” provides for modifications to restrictions established in the law on application of the Convention, by excluding derogations for personal data processing performed by public institutions in the field of national security and criminal law.
The wording of the draft law is undergoing harmonization with analogous amendments to Personal Data Protection Law not providing for derogations in applicability of the Convention and establishing its scope also to personal data that has been acknowledged to be state secret, insofar as the law “On State Secret” stipulates otherwise.
Pursuant to requirements of Article 14 of the Europol Convention, the Member States have to ensure that the personal data protection requirements specified in the Europol Convention are complied with.
The said Article also extends to application of principles contained in the Council of Europe Convention on Personal Protection in Respect to Automatic Processing of Personal Data of 28 January 1981, in accumulation and usage of personal data. The revocation of derogations comprised in this draft law is a precondition to Latvia being able to conclude agreement with organization Europol ensuring compliance with requirements of Europol Convention. An individual, pursuant to Article 20 of the Personal Data Protection Law, has the right to refer to the DSI to appeal against unlawful actions of data controller or to verify its lawfulness.

The draft decree of the Cabinet of Ministers “On amendments of 15 June 1999 to the Council of Europe Convention on Personal Protection in Respect to Automatic Processing of Personal Data of 28 January 1981 (ETS No. 108), allowing the European Communities to join” and the draft resolution of the Cabinet “On amendments of 15 June 1999 to the Council of Europe Convention on Personal Protection in Respect to Automatic Processing of Personal Data of 28 January 1981 (ETS No. 108), allowing the European Communities to join”.
The said legal acts have been drafted in order to ensure accession to the amendments of 15 June 1999 made to the Convention on Personal Protection in Respect to Automatic Processing of Personal Data of 28 January 1981 (ETS No. 108), allowing the European Communities to join.

“Regulations on accreditation procedures for entities wishing to perform system audits in personal data processing systems of state and municipal institutions”.
The regulations of the Cabinet of Ministers were drafted on the basis of Paragraph 6, Article 29 (3), of the Personal Data Protection Law, which establishes the necessity to accredit entities wishing to perform system audits in personal data processing systems of state and municipal institutions according to procedures specified by the Cabinet of Ministers.
Paragraph 6 of the regulations of the Cabinet of Ministers No. 40 “Mandatory technical and organizational requirements in protection of personal data processing systems” of 30 January 2001 stipulates that internal system audit conclusions have to be submitted to the DSI every year. The DSI has already developed new regulations of the Cabinet of Ministers that will replace the aforementioned regulations and contain provisions that will define performance of audit of personal data processing systems in greater detail. Article 26 (2) of the Personal Data Protection Law stipulates that state and municipal institutions shall submit the internal system audit opinion on personal data processing systems to the DSI every year.
The draft regulations of the Cabinet of Ministers stipulate procedures according to which entities wishing to perform personal data processing system audits in personal data processing systems of state and municipal institutions, receive accreditation with the DSI.
The said accredited system auditors shall draw up audit opinion on personal data processing systems that state and municipal institutions need to submit to the DSI every year pursuant to Article 26 (2) of the Personal Data Protection Law and Paragraph 6 of the regulations of the Cabinet of Ministers No. 40 “Mandatory technical and organizational requirements in protection of personal data processing systems” of 30 January 2001. Presently, draft regulations of the Cabinet of Ministers have been prepared that will replace the aforementioned  regulations of the Cabinet of Ministers No. 40 and will set the procedures of performing system audit. The said regulations of the Cabinet of Ministers have been drafted in close cooperation with field specialists, Latvian Information Technologies and Telecommunications Association and Information Systems Audit and Control Association (ISACA) Latvia Chapter.

“Obligatory technical and organizational requirements in protection of personal data processing systems”.
On 22 May 2002, the Saeima adopted the State Information Systems Law. Sub-Paragraph 4 of Paragraph 3 of its Transitional Provisions stipulates that on 5 December 2002 the Cabinet’s Regulation No. 106 “Information Systems Security Regulations” of 21 March 2000, which lays down information system security requirements also for personal data processing systems (sub-paragraph 3.4), becomes invalid.
Currently, pursuant to Article 26 of the Personal Data Protection Law, the regulations of the Cabinet of Ministers No. 40 of 30 January 2001 “Mandatory technical and organizational requirements in protection of personal data processing systems” are in effect, but these regulations define only the basic principles of personal data protection.
The said regulations of the Cabinet of Ministers were drafted by the working party created by the DSI comprising representatives from the DSI, the Ministry of Transport and Communications, Ministry of Justice, Constitution Protection Bureau, Security Police, Lursoft, SIA.
The draft regulation of the Cabinet of Ministers governs the mandatory technical and organizational requirements in protection of personal data processing systems and divides them into levels: highest, average, lowest. Depending on the type of personal data being processed in the system, requirements of the appropriate security level are to be applied.

Draft legal acts with regard to Freedom of Information Law

Draft law “Amendments to Freedom of Information Law”.
The amendments are to establish a Freedom of Information Law supervision institution – the DSI, wherewith the DSI would supervise two aspects of human rights – inviolability of personal life and the right to receive and distribute information – in balance.
One of the World Bank’s requirements for further cooperation with the Republic of Latvia is practical implementation of freedom of information provisions. Up to now in Latvia, there was no statutory public institution that would perform supervision in the field of freedom of information. Within the framework of the project ‘For Instituting Administrative Procedure and Freedom Of Information’, funded by the World Bank, funding has been granted for strengthening the DSI Information Division, which, in future, would perform supervision of the Freedom of Information Law. The objective of the project is, based on the Freedom of Information Law and according to the Council of Europe Ministers Committee’s recommendation to member states Rec. (2002) 2 on access to official documents, to facilitate implementation, functioning and supervision of freedom of information principles in state and municipal institutions.
The DSI was chosen to be Freedom of Information Law supervision institution taking into account expert recommendations and foreign experience in the field of freedom of information.
As shown by examples of many EU countries, merger of supervision of personal data protection and freedom of information fields performed by one institution has proven to be successful.

 

International Activities of Data State Inspectorate

As the flow of personal data increases and the Internet develops, the DSI cannot perform its supervisory functions in isolation from the European Union Member States, as well as other countries of the world. This requires continuous and permanent cooperation between personal data protection supervisory institutions and acquisition of the latest information in order to be able to ensure that personal data protection level in Latvia is adequate to that established by the European Union and Directive 95/46/EC.
In 2002, European Union applicant countries were given an opportunity to participate in various EU level meetings in the field of personal data protection as observer country representatives. It was necessary for Latvia, upon accession to the European Union, to be able to wholly participate in the aforementioned meetings.
Hence, in 2002 the DSI experienced an increase in international cooperation activities: accordingly, the DSI representatives participated in: Working Party for Article 29 of Directive 95/46/EC; Meetings of Personal Data Protection Supervision Heads of Central European and East European Countries; Council of Europe Project Group on Data Protection (CJ-PD) Meeting No. 40 (Strasbourg, France); 18th Plenary Session of Consultative Committee of Convention of the Council of Europe on Personal Protection in Respect to Automatic Processing of Personal Data in Strasbourg, France; the Annual International Personal Data Protection Supervision Institutions Conference (Cardiff, United Kingdom).

Working Party for Article 29 of Directive 95/46/EC
The most significant issues discussed in 2002:
On request of the United States of America to access passenger flight lists and other data of airline companies landing on the US soil;
On personal data protection in respect to video surveillance;
On harmonization of consumer right protection laws with principles of personal data protection;
On “black-lists” to ensure personal data protection;
On electronic monitoring at work places;
On recognition of adequate level of personal data protection in other countries (Argentina);
On the new Directive “Personal Data Protection In Telecommunications”;
On biometrics;
On examination of the principal rules in personal data protection for corporate companies, etc.

Meetings of Personal Data Protection Supervision Heads of Central European and East European Countries.
These meetings were instituted in 2001 when the first meetings of this kind took place in Warsaw, Poland.
In 2002, the meetings took place in Prague, Czech Republic (12 – 13 April 2002) and Vilnius, Lithuania (20 – 22 October 2002).
These meetings dealt with the following issues:
country reports on implementation of personal data protection legislation;
report on smart cards and principles of personal data protection;
on Internet website for personal data protection supervisory institutions of Central European and East European countries;
on direct marketing;
on debtor registers;
on monitoring at work places;
on processing of personal data in the process of elections, etc.

 Council of Europe Project Group on Data Protection (CJ-PD) Meeting No. 40 (Strasbourg, France)

In October 2002, at the Council of Europe Project Group on Data Protection (CJ-PD) 40th meeting for the second time the Republic of Latvia was represented by the DSI (the first time was in Meeting 39 that took place 10.10 – 12.10.2001).
CJ-PD is an institution consisting of representatives – experts of all Council of Europe Member States. It convenes once a year to confirm new positions, recommendations, reports and gives recommendations to other expert groups with the Council of Europe.
In between the CJ-PD meetings, the Council of Europe Co-ordination group of the Project Group on Data Protection CJ-PD-GC (hereafter - CJ-PD-GC) is in place. CJ-PD-GC is a small working party formed by CJ-PD. The Latvian representative is not a part of CJ-PD-GC, but the country has the right to participate in this working party as an observer.
In 40th Meeting of CJ-PD, the Guiding principles for the protection of individuals with regard to the collection and processing of data by means of video surveillance were approved.
CJ-PD approved Report “Data protection and police and judicial data in criminal matters” prepared by Working party on data protection and police and judicial data in criminal matters - CJ-PD/GT-PJ. The document defines problems that may emerge when processing personal data in the police sector and in framework of criminal matters. The report is an essential document particularly to Latvia with regard to amendments made in October 2002 to Personal Data Protection Law, pursuant to which the provisions of this law will apply also to police sector. The said document extends understanding to what may be the problematic issues in this field.
CJ-PD approved draft agenda containing action objectives for 2003:
a) to finish Report with Guidelines on personal data protection in respect to use of smart cards (draft version has been prepared);
b) to prepare draft report on application and effect of personal data protection principles in respect to biometrical data (fingerprints, eye-pupil, recognition of face, hand geometry, etc) in various fields;
c) to ensure that the Council of Europe international instruments are implemented in the field of data protection and to provide legal and technical assistance, consultations to countries regarding these issues;
d) to cooperate with committees of the Council of Europe:
i. to prepare opinions in the areas on state security services, issues of availability of information, use of genetic databases for purposes of identification, etc.;
ii. to participate in work of other committees in bioethics issues on processing of genetics data, and also in committee on matters of freedom of information.
These issues will be dealt with by CJ-PD-GC, but the prepared draft versions will be reviewed in the 41st meeting of CJ-PD in 2003, which is planned to take place at the end of November 2003.

18th Plenary Session of Consultative Committee of Convention of the Council of Europe on Personal Protection in Respect to Automatic Processing of Personal Data in Strasbourg, France.
Latvia, pursuant to the law of 5 April 2001 “On Convention of the Council of Europe on Personal Protection in Respect to Automatic Processing of Personal Data”, has ratified this Council of Europe Convention No. 108 of 28 January 1981. Pursuant to Article 18 of the Convention, after the convention enters into force, Consultative Committee shall be created (abbreviated as T-PD) representing all countries mentioned as member countries to the Convention. The Convention came into force on 1 October 1985 and starting from this date plenary sessions of the Consultative Committee have taken place on a regular basis. In between the sessions, this committee’s working parties’ sessions have been in place (T-PD-GR). This year from 09.10 to 11.10.2002, the second time after ratification of the Convention, Latvia was represented by the DSI in the annual T-PD meeting No. 18.
According to the agenda of the 18th plenary session of T-PD, the institution’s main work task was completed, i.e. T-PD approved the guide to the preparation of contractual clauses governing data protection during the transfer of personal data to third parties not bound by an adequate level of data protection, prepared by T-PD-GR.
In preparation of the said document, which is not legally binding, the existing European Union platform (European Commission resolutions) was taken into account regarding the possibility to comply with the requirement to ensure adequate level of personal data protection by means of civil contract. It should be noted that in this case third parties are countries that are not member states to the Convention.
Taking into account the above-mentioned, the T-PD set the following priorities as its work task for 2002:
1) do principles of Convention properly regulate the use of modern technologies in data processing?
2) data subject’s rights (are there any new ones?)
3) trans-national companies – transfer of data to other countries?
4) Convention’s Article 9 and derogations from the Convention’s clauses – what should they be taking into account the global position on terrorism issues?
It means that T-PD-GR will evaluate these issues and present the results of the work during the next T-PD meeting.

The Annual International Personal Data Protection Supervision Institutions Conference (Cardiff, United Kingdom).
The 24th Annual International Personal Data Protection Supervision Institutions Conference took place in Cardiff, United Kingdom in September 2002.
The range of matters discussed in the conference was very wide: starting with perfection of technical solutions to ensure personal data protection, to development of individual policies to facilitate the compliance with personal data protection legislation, and also other issues. Some of the essential issues:
identification cards;
development of self-adjusting regulations;
role of technologies in personal data protection;
freedom of information and personal data protection, etc.
Among active participants in this conference were corporate representatives both from small-size and multinational companies, which gave an opportunity to consider the issues not only from the point of view of public sector, but also from the practical point of view of private companies. As a result of dialogue, it was found that the public and private sector could achieve balance in fields of inviolability of personal life regarding personal data processing and processing of legal personal data in accordance with international and national legal acts.

Experience exchange visit of Data State Inspectorate representatives to personal data supervision institution in Berlin, Germany.
The TAIEX-funded experience exchange visit to the personal data supervision institution in Berlin concerned the establishment of mandatory technical and organizational requirements for personal data processing systems; its goal was to get acquainted with the security requirements for information systems that are set for personal data processing systems in Germany.

Phare 2002 project “Data State Inspectorate”.
The work on implementation of Phare 2002 project and fulfilment of preconditions continues in order to successfully launch cooperation project (the chosen and confirmed partnership country is Austria).
The project covers organization of seminars and conferences (the goal being to explain personal data protection matters to various groups of society); creation of informative materials, generation of organizational and functional models (the goal being to improve functioning of the DSI, this way raising its operational effectiveness to achieve the set goals).

Expenditures of State Budget Funds

| No. | Item | Endorsed by law (LVL) | Actual (LVL) |
|---|---|---|---|
| 1. | Income (total) | 100182 | 100182 |
| 1.1. | Grant from general income | 100182 | 100182 |
| 1.2. | Paid services and other income | 0 | |
| 2. | Expenses (total) | 100182 | 100137,92 |
| 2.1. | Remunerations | 22152 | 22152 |
| 2.1.1. | Salaries | | 14128,62 |
| 2.1.2. | Bonuses | | 3915,65 |
| 2.1.3. | Allowances | | 700 |
| 2.1.4. | Remuneration to non-staff employees | | 3407,73 |
| 2.2. | Running expenses | 50910 | 50910 |
| 2.2.1. | Obligatory state social insurance payments | | 5311,13 |
| 2.2.3. | Domestic travels and business trips | | 47 |
| 2.2.4. | Foreign business trips | | 5065,01 |
| 2.2.5. | National data transfer network services | | 4355,6 |
| 2.2.6. | Other communications services | | 3883,66 |
| 2.2.7. | Services related to security of administration | | 1759,66 |
| 2.2.8. | Renovation of building, constructions and premises | | 6026,25 |
| 2.2.9. | Upkeep and repair of vehicles | | 370,06 |
| 2.2.10. | Technical servicing and repairing of equipment, inventory and hardware | | 5975,97 |
| 2.2.11. | Maintenance of buildings and premises | | 2565,2 |
| 2.2.12. | Payment for information technology services | | 2860 |
| 2.2.13. | Lease and rent of premises | | 8769,6 |
| 2.2.14. | Other lease and rent | | 668 |
| 2.2.15. | Stationery and office items | | 1868,65 |
| 2.2.16. | Inventory | | 509,65 |
| 2.2.17. | Payment for heating | | 231,03 |
| 2.2.18. | Payment for electrical power | | 152,28 |
| 2.2.19. | Payment for fuel | | 191,30 |
| 2.2.20. | Payment for water and acquisition of other energetic materials | | 299,95 |
| 2.3. | Capital expenses | 27120 | 27075,92 |
| 2.3.1. | Computers and computing facilities | | 14029,23 |
| 2.3.2. | Vehicles | | 3450 |
| 2.3.3. | Office furniture and room equipment | | 5048,7 |
| 2.3.4. | Other real estate | | 2644,18 |
| 2.3.5. | Intellectual property | | 653,81 |
| 2.3.6. | Other capital expense | | 1250 |
| | Remaining | | 44,08 |

 

Staff and Training

As at the beginning of 2002, the DSI employed seven people – three civil servants and four employees. Until the end of 2002, in conformity with the funding granted, the number of DSI employees rose up to 13 people – seven civil servants and six employees. The average age of DSI employees is 28. 
The qualification of DSI employees is continuously improved as the necessity for supplementing knowledge for successful performance of duties is identified. In 2002, people working within the DSI participated in courses, seminars, and also obtained competency by other type of training.
Courses and seminars attended include those organized by the State Administration School, as well as other training establishments and organizations. People working within the DSI attended nine different courses at the State Administration School and completed eight courses at other educational establishments.

 

 

 


 
Major Tasks and Activities Planned to be performed in 2003


Supervision and control of personal data protection.

To continue to simplify and accelerate registration (notification) process of personal data processing systems.
To ensure faster and more effective work with claims and complaints, and also, due to the fact that in 2003 the control of personal data processing systems of law enforcement bodies will be started, to reorganize the existing structure and to create Data Security Department in which to include Control Division and Security Division.
To develop methodology for performing audit of personal data processing systems and to put it in practice.
To perform accreditation of entities wishing to carry out audit of personal data processing systems in state and municipal institutions according to procedures stipulated by the Cabinet of Ministers. 
To develop various methodological instructions in the area of personal data protection and information security.

Supervision of Freedom of Information Law.

To draft amendments to the Freedom of Information Law for the purpose of extending its scope.
To initiate development of unified methodology for creating lists of classified information.
To finish Article on instituting the Freedom of Information Law supervision for the Project for Instituting Administrative Procedure and Freedom of Information Law funded by the World Bank.


Fulfilment of functions defined in Electronic Document Law.

To continue forming the list of experts authorized to perform verification of security of information systems, facilities and procedures of provision of certification services by assessing the compliance of experts to requirements specified in Article 13 (2) of the Electronic Document Law.
To accredit the reliable providers of certification service, as well as to perform their supervision on a regular basis.

 

 

 

 

 


 
Riga, Blaumana 11/13 - 15, LV-1011, Latvia | Phone 67223131, fax 67223556, info@dvi.gov.lv