Is your data protection being breached?
Rebecca Iversen
The notion of clientelism in Malta – be it by government Ministries or organisations – has been rife and endemic to the country’s culture for decades. However, recent reports that have reached The Malta Independent on Sunday say that members of the public have received calls from certain government ministries inquiring about their ‘general well-being’.
One member of the public, a student, told this newspaper how last week he had received a call from Michael Farrugia’s Ministry of Home Affairs, asking whether they could be of service, if he needed any help with anything or had any suggestions.
The student, who confirmed that Farrugia represents his electoral district, asked the caller from where he had obtained his telephone number. The response – after some mumbling from the woman on the phone – was that his number had been retrieved from the e-ID database.
Partit Demokratiku Deputy Leader Timothy Alden recently raised concerns over such clientelism with the Permanent Commission against Corruption, saying that he had also received a telephone call from the Ministry of Home Affairs and had submitted an official police report on the matter.
Speaking of the incident that the student experienced, he also added that it had come to his attention that even Data Protection laws may have been breached through the attainment of contact information.
Environment Minister José Herrera, in an interview with The Malta Independent on Sunday, admitted that, like every other Minister on the island, he had a customer care team. Emails revealed how former Nationalist ministers, MPs, civil servants, party candidates and representatives of WasteServ, between 2009 and 2013, under a Nationalist administration, would offer jobs to specific voters. Herrera stated that “it was hypocritical to criticise a government because it has a customer care structure to cater for constituents when this has been the system for the past 100 years”, adding that a small population meant people expected door-to-door treatment from politicians and that he would be a hypocrite not to admit that that was how the system worked.
“I’m used to the fact that the Ministry would call people up for such a reason because clientelism reigns in Malta, but I was truly annoyed when she admitted that my telephone number was obtained from the e-ID database,” the student complained to this newspaper.
“What has changed now is that members of the public are starting to question where this contact information is coming from,” he observed. “It is not certain if the e-ID database is being used by Ministries to contact members of the public for such questions as this student experienced, but if what he was told was correct then this should raise more than a few eyebrows.”
In order to understand the scenario, let us assume that the woman representing a Ministry speaking to a student made a mistake. Let’s assume that the e-ID database was not used for contacting the student. Using the case of the student who resides in Farrugia’s district, information on him can legitimately be obtained from the Electoral Registry, in which names, addresses and ID numbers can be obtained, but not telephone numbers. However, a name is sufficient for looking someone up in, for example, the GO online directory or any other public directory. If this is the case, and a phone number/mobile number is available from a public directory, then anyone who looks you up can call you. However, in this case, this student does not have any of his phone/mobile numbers in any directory.
The Subscriber Agreement for the e-ID account, under the section on ‘Data Protection’, clearly establishes that the “Service Providers make use of such data for the purpose of providing the subscriber with the eService”. The full text of the Agreement’s section on data protection for an e-ID account is as follows:
“According to the Subscriber Agreement for (a) the e-ID Account and (b) the Certificates within the National Electronic Identity Card, under Data Protection this is specified:
Data Protection: All personal data shall be processed according to the Data Protection Act, as well as any other applicable law or guidelines published from time to time. The Registration Authority shall transfer personal data to:
(a) A Service Provider from whom the subscriber has requested an eService; and/or
(b) A Service Provider providing any one or more of the eServices listed under “What Services are available from the Service Providers” in the “Frequently Asked Questions” section of the mygov website.
The Subscriber hereby authorises such service providers to use such data for the purpose of providing the Subscriber with the eService. For all intents and purposes such Service Providers shall be considered Data Controllers as defined in the Data Protection Act. The RA shall not transfer any personal data to any other third party unless with the Subscriber’s consent or in cases where the Registration Authority is required to disclose such data by law. The Subscriber’s rights as a data subject under the Data Protection Act shall apply.”
For further clarification, the eServices include all the services provided by the Government online, with no mention of ‘customer care calls’ from government entities. Therefore such ‘customer care questions’ by Ministries do not appear to fall under the umbrella of what the e-ID data is supposed to be used for.
Reports have also reached this newspaper of members of the public being called up to attend last week’s OccupyJustice and L-Awturi’s ‘Action for Justice and Truth’ protest in Valletta. Questions were raised as to from where these telephone numbers were actually obtained, calling into question data protection and privacy.
The question of a breach in data protection needs to be addressed. It is clear that, according to Article 7 of the Data Protection Act, personal data is only collected for specific, explicitly stated and legitimate purposes. The Data Protection Act and, with effect from 25 May, the General Data Protection Regulation apply to all processing of personal data, which therefore also covers the processing for e-ID purposes. As data subjects, we all have the right to ask what data is held about us, how it is being used and for what purpose.
If a data subject feels that his/her data protection rights might have been violated, a complaint may be filed with the Office of Information and Data Protection Commissioner.
Have you experienced this too? Let The Malta Independent know if you have experienced similar calls as the ones reported in this article. email@example.com