All Personal Data you provide may be taken and used against you
The Law on Personal Data Protection came into force on 1 January 2011. The law is supposed to provide maximum protection for personal information, yet what do we have in practice?
Businesses and organizations understood after reading the law that all the information that they have about their staff constitutes those people’s personal data. In order to legally use this data, they needed to quickly get the staff’s consent to its use.
Very many businesses decided to get consent to use information excluding data about health, financial status, etc. Without basically explaining anything, the commercial structures demand that their staff sign this agreement, and also commit themselves to notify them of any changes in their personal data. Specific instructions are issued on forcing section heads to collect these documents.
The following can serve as an example, In one of the biggest Kyiv enterprises – Kyivenergo – an instruction was issued for the directorates and section heads to make up lists of employees with their signature giving consent to having their personal data added to a database.
This states: “In accordance with the Law on Personal Data Protection, I give consent for personal data to be gathered and input into a database, to be processed (including information concerning my state of health), to be held indefinitely, to be passed in accordance with current legislation to third parties (those running the database, the law enforcement agencies, etc) and I agree to provide documents should there be changes to my personal data”.
Why people agree to provide their personal information
People are giving their consent - some from fear of the management, others because they are scared they’ll lose their job, or because they’re not informed what the agreement entails, or for other reasons. This results in businesses and organizations effectively receiving unlimited access to personal information about their employees, including the most sensitive of information. The law is thus, instead of protecting personal information, having quite the opposite effect.
How your own company can hurt you if you give them your personal data
Nobody can provide any guarantee after giving such consent that the company will not pass information about the state of health of its employees to insurance companies providing them with medical cover with this resulting in the person’s insurance premium being increased. Or that information about a person’s financial position will be passed to debt collectors who will use the information to retrieve debts. This will have a very immediate effect on a person’s life and property. This is just a small percentage of the risks which could arise through the signing of an agreement to pass on all personal data.
There are far more dangers.
Obviously a person can refuse to give consent to have all his or her personal data input into a database, held or passed on, however the level of legal awareness in Ukraine is unfortunately not high and this makes it more likely that a person’s data will become unprotected.
You have your partners’ business cards? You’re breaking the law!
The situation is exacerbated by problems in the Law on Personal Data Protection which specialists warned of for a very long time to no avail. Throughout the world the most sensitive information about a person, that is, their financial position, religious beliefs, political views, biometric data, ID number, are particularly protected. The law passed, however, defines even such information as name, telephone number, date of birth, which should be generally available, as personal data. This means that any client database, list of phone numbers of business partners or simply a stack of business cards fall under the category of a personal database and require registration. Nor does the law envisage any transitional period for businesses to gradually implement the requirements on personal data protection.
These and other problems basically render meaningless the fundamental task of a law on personal data protection, and demonstrate that the law does not comply with international standards on protecting personal data.