The Commissioner for Information of Public Importance and Personal Data Protection has completed an inspection of compliance with the Law on Personal Data Protection (LPDP) at the National Health Insurance Fund (NHIF) in connection with the online posting of data of an underage health insurance beneficiary from the Fund’s records by Marjan Rističević, a member of the NHIF’s Management Board. In connection with this, the Commissioner has issued a relevant Letter of Warning.
The inspection found irregularities in the actions undertaken by the NHIF when processing the insurance beneficiary’s personal data, both in terms of making personal data from the central records available to a member of the Management Board without proper legal grounds and in terms of failure to put in place the required technical, human resources and organizational measures to protect personal data, in compliance with the duty provided for in Article 47 of the LPDP.
During the inspection, it was found that, although “personal data of individual insurance beneficiaries are not available to the members of the Managing Board”, as is alleged in the statement provided by the NHIF, the said member of the Managing Board had in fact obtained by phone the personal data which he later posted online. The NHIF claims in its statement that he had not received any other data apart from those he had posted; however, given the utterly and unacceptably informal way in which the personal data in question had been obtained, it is impossible to verify this.
Regarding the request to quote the legal basis and purpose of personal data disclosure by the member of the Managing Board, i.e. the posting of this data in a debate with his political adversaries, and regarding the question whether this may have been done on behalf of the Fund, the NHIF stated that “only Mr. Rističević can answer that question.”
Given that the Managing Board itself, much less its individual members, has no authority to process the personal data concerned, this is a case of inadmissible and punishable data processing, not only under the Law on Personal Data Protection, but also under the Law on Health Insurance.
The Commissioner will file a petition for infringement charges against the Fund and the responsible member of the Managing Board.
Believing that the facts of the case point to the existence of reasonable grounds for suspicion that the criminal offence punishable under Article 146 of the Criminal Code of Serbia has been committed, the Commissioner will forward the case file to the Republic Public Prosecutor’s Office to decide whether to prosecute this criminal offence ex officio, as this criminal offence is subject to either private prosecution, in the cases referred to in paragraphs 1 and 2 of Article 146, or prosecution ex officio, in the cases referred to in paragraph 3 of the same Article. The Republic Public Prosecutor’s Office will also be asked to determine which prosecutor’s office would have jurisdiction over the case if prosecuted ex officio.
Article 146 of the Criminal Code of Serbia
(1) Whoever, without authorization, obtains, communicates to another or otherwise uses information that is collected, processed and used in accordance with law, for purposes other than those for which they are intended, shall be punished with a fine or imprisonment up to one year.
(2) The penalty specified in paragraph 1 of this Article shall also be imposed on whomever contrary to law collects personal data on citizens and uses data so collected.
(3) If the offence specified in paragraph 1 of this Article is committed by an official in the discharge of duty, such person shall be punished with imprisonment up to three years.