After an inspection conducted in connection with the disclosure by the media of personal data contained in the official tax documentation of citizen T.R., the Commissioner for Information of Public Importance and Personal Data Protection filed a criminal report with the Higher Public Prosecutor's Office in Belgrade against an unidentified individual at the Tax Administration within the Ministry of Finance for the criminal offence referred to in Article 146 paragraph 3 of the Criminal Code.
The Commissioner initiated and conducted the inspection procedure ex officio, acting pursuant to a petition he received. The inspection procedure was conducted at the Tax Administration of the Ministry of Finance (TA) and the Public Revenue Administration within the Secretariat for Finance, Local Tax Administration for the City of Belgrade (LTA).
The inspection found that these were definitely data contained in the official tax records controlled by the Local Tax Administration, but which could also be accessed by the Tax Administration as a recipient. The facts and circumstances found during the inspection raise suspicion that an unidentified individual at the TA abused his/her access privileges for the computer application "Local Tax Administration" to retrieve, print out and make available personal data of citizen T.R. to a media outlet, which subsequently published those data. As the tax returns and tax debt in question dated several years back, finding exactly who and when made these data available to third parties without authorisation will require the use of crime investigation methods and resources and an investigation will have to be conducted, which is the responsibility of the Prosecutor's Office.
Managers and staff at both inspected institutions were cooperative. The Commissioner welcomes the fact that the Director of the Tax Administration ordered to immediately, even as the inspection was in progress, replace the passwords used by TA staff to access local tax administration data and to form a new Register of staff authorised to access those data; furthermore, she suspended all access to such data until the Register is formed, which meant she effectively undertook all measures that would have been included in a formal Warning the Commissioner would issue to the Tax Administration. Furthermore, she also issued a special order concerning the handling of personal data in accordance with the Law on Tax Procedure and Tax Administration and the Law on Personal Data Protection.
The Commissioner notes this particular case is just the latest of many cases that demonstrated the huge harm that is caused by the lack of a well-designed, strategic approach of the government in addressing the issues. It is necessary to put in place effective personal data safeguards and, crucially, a mechanism of accountability for all those who abuse such data in violation of the applicable laws. In this context, the Commissioner recalls a similar case less than two years ago, when he also filed a criminal report with the competent prosecutor's office against the TA. In that case, the TA issued a "reply" of sorts to the citizen concerned, who had raised the issue with the Commissioner and the general public, in which reply it alleged there had been large-scale security breaches involving TA's data files and informed the public it had also filed a criminal report. However, there has been no information to date to confirm that the Prosecutor's Office has taken any action and that the perpetrators of the offences are yet to face any consequences.
