The document discusses issues with personal data protection in Belarusian national databases. It finds that there is no clear definition of personal data, data is retained in several different databases without unified access registration, and individuals have no way of knowing who accesses their data or holding them accountable. It also notes the lack of set retention periods and an inability to delete data on request.

1. PROBLEM ISSUES
IN PERSONAL
DATA PROTECTION
AT T H E N AT I O N A L L E V E L

2. PREPARED BY THE RHRPA "BELARUSIAN HELSINKI COMMITTEE"

3. Use and protection of personal data becomes more and more relevant
issue because of development of informational technologies.
Belarus is no exception.
Many people know that our personal data is collected, summarized,
and retained by state bodies. But not many people know which data is col-
lected, how it is protected, what it is used for, and whom it is transferred to.
This information will help you to fill this gap.

4. Population Register
Credit Register
Personal Record-Keeping
United State Delict Data Bank
Dactyloscopy Registration
Databank
Database of nationals
whose right to departure
was temporarily restricted
Mobile networks user database
retained by the Ministry of Internal Affairs
retained by the Ministry of Internal Affairs
retained by the Ministry of Internal Affairs
retained by the Social Protection Fund
retained by the National Bank
retained by mobile network operators
Automated Information
Data System "Raschet"
retained by the National Bank
retained by the Ministry of Internal Affairs
DATABASES UNDER REVIEW

5. Main criteria for comparison of personal data databases
Whether the register
of users who enter
the data is kept
Whether the data
users are registered
Whether the purpose
for retaining the data
is provided
Whether the closed
register of the collected
data is provided
Whether the person
is enabled to learn who
got access to his data
Whether the responsibility
for leaks is stipulated
Whether reasonable
retention period
is provided for the data
Whether the data
can be deleted
CRITERIA FOR COMPARISON

6. Population Register
Credit Register
Personal Record-Keeping
United State Delict Data Bank
Dactyloscopic Registration
Database
Database of nationals whose right
to departure is temporarily restricted
Mobile network users database
Automated Information
Data System "Raschet"
Whether the register
of users who enter
the data is kept
legislation regulates
this issue
no legislation regulates
this issue or is too general
legislation does not protect
personal data
Whether the closed
register of the collected
data is provided
Whether reasonable
retention period is
provided for the data
Whether the data
users are registered
Whether the person
is enabled to learn who
got access to his data
Whether the data
can be deleted
Whether the purpose
for retaining the data
is provided
Whether
the responsibility
for leaks is stipulated
ASCERTAINED FEATURES

7. The data user is registered automatically or manually
The purposes for collecting and retaining data are too general and unspecific
Authorized employees are responsible for illegal provision or distribution of personal data
which they learned because of their official (work) duties,even after they ceased
to perform them
The data is retained permanently.When a person dies,his data is filed
Population Register
ASCERTAINED FEATURES

8. ASCERTAINED FEATURES
The insured who make payments,are registered when they access data; but the remote data
access by the Ministry of Internal Affairs is not registered
It can be enlarged with "other data which is needed to grant or pay a pension or an
allowance"
Responsibility for the leak is stipulated by the Administrative and Criminal Codes
The data is retained for life,but it answers its purpose: granting and paying pensions
Personal Record-Keeping

9. Credit Register
ASCERTAINED FEATURES
The data user is registered when the interested party files an application and with
the individual's consent.No such consent is needed if the data is requested by courts,
law enforcement bodies,notaries (see the list of bodies in the Bank Code)
The special law stipulates no responsibility for the leak.It stipulates administrative
responsibility for divulgation of trade (or other) secret (clause 22.13 of the Administrative
Code)
The data is retained for 15 years after the credit agreement is terminated and the debt
is discharged

10. ASCERTAINED FEATURES
The data is retained for 25 years after it is excluded (due to falsity) or filed
(due to death or restrictions being lifted)
Database of nationals whose right
to departure was temporarily restricted

11. Mobile networks user database
ASCERTAINED FEATURES
The data is retained for not less than 5 years
Data cannot be deleted

12. Automated Information Data System "Raschet"
ASCERTAINED FEATURES
Data is retained for 3 years
Data cannot be deleted

13. United State Delict Database
ASCERTAINED FEATURES
The data user is registered by way of registration of the inquiry of an interested body
or an official
Retention period for crime data is 100 years; for delict data,it is 10 years.
These periods are unreasonably long.
For example,a person is not considered being held administratively liable in a year after
he was called to account; there is no need to retain such data for more than 1 year.

14. ASCERTAINED FEATURES
The data user is registered by way of registration of the inquiry of an interested body
or an official
The purposes for collecting and retaining data are too general and unspecific
Dactyloscopic information is retained not less than until the person is 80 years old,
or dead,or has retired or resigned
Data can be deleted when the retention period is over,or when a written application is filed
in case the registration was voluntary,or if the suspicions have not been confirmed
Dactyloscopic Registration Database

15. Databases which retain it*
full name & patronimyc
identification number
sex
date of birth
birthplace
digital portrait photo
citizenship
place of residence
death information
disability, legal incapacity
nearest relations
marriage
wardship, guardianship
status of being working, unemployed, inactive
tax liabilities
military duty
education
academic degree (rank)
labor activity
pensions, support
compulsory insurance
credits
electric communication service
AIDS "Raschet" data
departure restriction
crimes and delicts data
dactyloscopic information
Population Register
Credit Register
Personal Record-Keeping
Dactyloscopic Registration
Database
Database of nationals
whose right to departure
is temporarily restricted
Mobile networks users
database
Automated Information
Data System "Raschet"
United State Delict Data Bank
PERSONAL DATA
*main databases are listed

16. Entities which enter it to these databases
full name & patronimyc
identification number
sex
date of birth
birthplace
digital portrait photo
citizenship
place of residence
death information
disability, legal incapacity
nearest relations
marriage
wardship, guardianship
status of being working, unemployed, inactive
tax liabilities
military duty
education
academic degree (rank)
labor activity
pensions, support
compulsory insurance
credits
electric communication service
AIDS "Raschet" data
departure restriction
crimes and delicts data
dactyloscopic information
Ministry of Internal Affairs
Social Protection Fund
State Security Committee
Ministry for Emergency Situations
Military registration
and enlistment offices
Ministry of taxation
Ministry of Education
Belgosstrakh
Executive committees
Courts
Civil Registry Offices
National Bank
Operations and Analysis Center
under the President
of the Republic of Belarus
Presidential Security Service
Service providers
Ministry of Defense
Higher Attestation Commission
PERSONAL DATA

17. There is no clear understanding
what personal data is
Personal data is retained
in several databases
Total registration
of personal data accesses
is not implemented
Information about national’s
data users is inaccessible
There is no real responsibility
for illegal access and divulgence
of personal data
There is no uniform approach
to retention periods
It is impossible to delete
personal data by request
MAIN CONCLUSIONS

18. Definitions stipulated by the laws on population register and on information,
informatization and information security,differ in scope.The law on register
contains an exhaustive definition; the law on information attributes any data that
can help identify the person to it.Such non-coordination of the key definition
makes uniform approach to legal regulation of this sphere impossible.
MAIN CONCLUSIONS
There is no clear understanding
what personal data is

19. Personal data is retained
in different databases
Though the law on population register stipulates that the Ministry of Internal
Affairs is the body responsible for the personal data databases,other bodies have
their own databases with such information (National Bank retains credit histories,
Social Protection Fund retains state social insurance data).
MAIN CONCLUSIONS

20. Total registration of personal data accesses
is not implemented
National legislation contains no uniform approach to registration of the access
to the personal data.The law on population register stipulates that each fact
of access to the population register data should be registered online.Legislation
contains no such requirement to personal data retained in other databases.
MAIN CONCLUSIONS

21. Information about national’s data users
is inaccessible
National legislation does not regulate the right of a national to be informed
about who,when and why has got access to his personal data.
MAIN CONCLUSIONS

22. There is no real responsibility for illegal access
and divulgence of personal data
Though the legislation stipulates responsibility for the leak and illegal access to
personal data,it would be extremely difficult to prove guilt of any specific official
in practice as the legislation does not oblige to register each fact of access to it.
MAIN CONCLUSIONS

23. There is no uniform approach
to retention periods
National legislation does not contain uniform approach to the period of retention
of personal data.International legal regulations of the personal data protection
provide necessity to limit such periods to the duration needed to achieve the
purpose of the data retention; Belarusian legislation stipulates that such periods
can last until the national dies.
ОСНОВНЫЕ ВЫВОДЫ

24. It is impossible to delete personal data
by request
The "to be forgotten"principle which has been formulated in international
standards,is not implemented in various personal data databases.Databases
which somehow have such option have unreasonably long retention periods
for personal data.
ОСНОВНЫЕ ВЫВОДЫ

25. RHRPA “Belarusian Helsinki Committee”
220036, Republic of Belarus
Minsk, Karl Liebknecht Street 68
Office 1201
Phone: +375 17 222-48-00
Fax: +375 17 222-48-01
Email: office@belhelcom.org
BELHELCOM.ORG FACEBOOK.COM/
BELHELCOM