Personal data
What is personal data?
Personal data is any information which enables identification of a person. For instance:
- Name and surname,
- Personal number,
- Photo,
- Video image,
- Fingerprint,
- Address,
- Location,
- Telephone number,
- IP address.
This list is not exhaustive and it may be expanded. However, we shall discuss the most basic personal data below:
- Name and surname is personal data that every person has from the moment of birth. However, there may be multiple persons bearing the same name and surname, and this information may not be sufficient to identify a person.
- Personal number is also assigned to a person at the moment of birth registration. This is a unique combination of numbers and is not repeated. It is possible to find a lot of information about a person via the personal number, e.g. address or ownership of a property.
- Photo or fingerprint, unlike a name and surname, are unique and enable identification of a person with 100 percent accuracy.
- Video footage, just like a selfie, has become an integral part of everyday life. People record important, interesting or funny moments of their lives and rush to share them on social media. But oftentimes they are not aware that a video image is personal data and, besides physical appearance, contains plenty of information about a person’s skills, manners, gestures, behaviour and other traits.
- Address is a piece of personal data that makes it possible to locate a person’s place of residence. It is used to contact the person, to send him or her a letter or a parcel. Sometimes, a person’s legal and factual addresses do not correspond.
- Smartphones and various applications often request access to location data. Other times we share this information on social media on our own, without even realizing that by checking into a certain place we disclose our personal data. Analyzing a person’s location data may give us a lot of information, including one’s whereabouts at a specific time and travel route.
- It is hard to find a person without a phone these days and, consequently, without a telephone number, which is as much personal data as one’s name or address.
- IP address. Personal data and the internet have become inseparable notions. Any internet user has a unique IP address that is assigned to him or her by a service provider and that makes it possible to determine not only one’s identity and address, but also an exact location.
Who uses our data and for what purposes?
Personal data is an invaluable asset for private and public organizations. It has been called the ‘oil of the 21st century’ for a reason: it is believed that modern technologies use personal data as a fuel to offer fast, effective and cost-efficient services to consumers, e.g. banks use it to grant loans, marketing companies to place targeted advertisements. In some instances it is impossible to receive a service without personal data, e.g. we will not be able to receive an ID without submitting a photo.
Extraordinary volumes of data are collected and used by the government. It needs your data as much as the companies do. For instance, to solve a crime, an investigation body may intercept a private phone conversation with a judicial permission.
The more data are controlled by the government or a private organization, the higher the risk that these data will be misused. As an example, for its own financial profit, a company might use more data than necessary for the provision of services, or it might sell our data, such as a phone number database, to a counterpart without our consent. When it comes to misuse, the government is no exception. It is more than possible that an investigation authority might use the collected data against a person.
The government and commercial enterprises are not the only ones who misuse personal data. Hackers, fraudsters, stalkers and doxxers: this is an incomplete list of those who hunt after personal data for financial, personal or political interests (see more details in cybersecurity).
In any case, unauthorized disclosure or use of personal data might cause you financial as well as moral damage. At the same time, it should be noted that often we are the ones to compromise our confidentiality, whenever we unthinkingly share our data with strangers or on social media.
What types of personal data are protected?
The European Convention on Human Rights considers personal data part of one’s private life and recognizes data privacy as a basic human right. According to Article 8 of the Convention, a state shall respect a human’s private life and any information held about a person.
Any interference by the government with this right is inadmissible, except when this interference is:
- State Inspector's Service
- Reasoned
- Necessary
- Proportionate
Inviolability of private life is recognized by the Constitution of Georgia:
“Every individual's private life, home, personal papers, correspondence, communication by telephone and by other technical means, including messages received through technical means, shall be inviolable” (Article 20 of the Constitution).
Further, according to Article 41 of the Constitution, information contained in official records relating to a person’s health, finances, or other private matters shall not be made accessible to anyone.
Therefore, personal data are not public information. State authorities, as well as commercial organizations are obliged to protect the confidentiality of the following data:
- Person’s identity
- Address
- Diagnosis
- Bank account number
- Any other data that enable identification of a person
According to the Personal Data Protection Act of Georgia, special protection should be granted to special categories of information, such as:
- Race and ethnic origin
- Political opinions
- Religious and philosophical beliefs
- Health status
- Sexual life
- Criminal records
- Police custody
- Information about the conclusion of a plea bargain
- Biometric and genetic data
Disclosure of these data without a person’s consent is inadmissible, save for exceptional cases.
What types of personal data are not protected?
Personal data are not always confidential and in cases established by the law, certain information may be disclosed. Such exceptions are admissible in the following instances:
- By a judicial permission
- On the ground of urgent necessity in accordance with the law
- In the existence of a public interest
Judicial permission. According to the Constitution of Georgia, obtaining a person’s private information, personal papers and correspondence, consulting one’s messages or intercepting telephone conversations is admissible on the basis of a judicial permission. For example, if the police need information about a person’s bank account to investigate a crime, they must seek a judicial permission prior to obtaining the information from the bank.
Urgent necessity in accordance with the law. When it is not feasible to obtain a judicial permission due to the risk of destruction of information necessary to solve the crime, obtaining this information is admissible without a court’s permission, on the basis of an urgent necessity. However, later on the investigative body will still have to prove before the court that applying this measure was necessary.
Public interest. Freedom of Speech and Expression Act of Georgia defines it as follows:
“Interest of the public (and not a mere curiosity of certain persons) in an event related to exercising public self governance in a democracy.”
When disclosing personal data, public and private institutions, as well as the media, must ensure a fair balance between the interests of data protection and the public interest. The issue of the balance should be decided on a case-by-case basis. In the balance between the public and private interests, the public interest should prevail only if the disclosure of the data outweighs the damage caused to a person by the disclosure of his or her personal data. For instance, if a high official abuses his official position to cover up crimes committed by his child, the public interest demands that the information about the misconduct committed by the high official be released to the public.
Other cases of disclosure of data
In accordance with the Personal Data Protection Act of Georgia, data, except for special categories of data, may be disclosed in the following cases:
- Upon a person’s consent,
- If disclosure of data is envisaged by the law
- If disclosure of data is required to perform the organization's statutory obligations
- If disclosure is necessary to secure vital interests of a person
- When disclosure is necessary to protect the legitimate interests of the organization or another person
- Data are publicly accessible
- Disclosure of data is necessary to handle a person’s application or provide services
How to protect our data
A person should have the right to control who collects his or her personal data and what data are collected, and to manage his or her own data. For this purpose, a person is accorded several rights by the law, including:
- Right to access the data and receive a copy
- Right to rectification of data
- Right to object to using the data
- Right to erasure of data
Right to access data and to receive a copy. Every individual has the right to know what information is collected about him or her by the government and commercial organizations. If it is a government body, you are entitled to request access to the data and receive a copy of them free of charge.
Right to rectification. If you are aware that a certain organization is collecting false or incorrect data related to you, you have the right to request a rectification of those data.
Right to object to using the data. If you no longer want an organization to use your personal data for its purposes (e.g. sending you spam advertisements), you are entitled to object to the processing of your data. If your request has not been complied with, you have a right to address the Personal Data Protection Inspector with a complaint.
Right to erasure of data. If the request has been complied with and the organization stops processing our data, we can next request that the data be erased.
As a conclusion, we should remember that before submitting our data to an organization or a stranger, we should always ask:
- For what purpose will they use our data?
- Will they transfer our data to third parties without our consent?
Media and Personal Data
Chapter 10 of the Code of Conduct of Broadcasters defines the rules that the broadcasters have to comply with in relation to the personal data. In particular, except for the cases when there exists a public interest, a broadcaster should not disclose information about a person’s:
- Place of residence,
- Phone number,
- Mail address,
- Other personal contact details
Information obtained by a journalist without a person’s consent, as a result of an intrusion into one’s right to privacy, will be considered personal data, except when public interest overrides the obligation to protect private information.
Chapter 10 of the Code lays down detailed rules that journalists have to observe when covering a news story. These rules relate to:
- Use of images that are recorded in a public place and contain personal data;
- Use of images recorded in schools and on the premises of public and private institutions;
- Use of a recording of a phone conversation;
- Identification of deceased persons and victims of an accident or violence;
- Identification of minors;
- Identification of a suspect;
- Identification of a victim of sexual violence.
Images recorded in public places. A broadcaster should ensure that images, words or actions recorded in a public place are not so private that prior consent is required from the individual concerned.
Images recorded in schools and on the premises of public and private institutions. In accordance with Article 35 of the Code of Conduct of Broadcasters, filming and audio recording in schools or public and private institutions, including hospitals, correctional institutions and police stations, are admissible with the consent of the relevant authorized person. In the case of a person caught up in the material, consent is not required when the person is not identifiable. For example, if filming in a hospital was conducted with the administration’s consent, but a patient who is clearly identifiable was caught up in the material, the media discloses this person’s health data.
Use of recording of a phone conversation. Prior to recording a telephone conversation with a respondent, broadcasters should identify themselves, explain the purpose of the call and that the call is being recorded for possible broadcast. A journalist must obtain the respondent’s consent before broadcasting the recording.
Identification of a deceased person, victim of an accident or violence. Image of a deceased person, victim of an accident or violence shall be recorded from a certain distance so that they are not identifiable.
Identification of a minor. A broadcaster must not use the image of a minor in the material to illustrate a certain problem and must cover the material with general shots. Identification of a minor is inadmissible if the material is related to:
- A crime committed by a minor, where the minor has the status of a suspect, defendant or convict, or is involved in the case as a witness or victim;
- A sexual crime, where the minor is exposed as committing the crime or is a victim of sexual violence.
Identification of a suspect. A broadcaster should not reveal the identity of a suspect unless the suspect's name is known to the public or the case is in the public interest.
Identification of a victim of sexual violence. A broadcaster must not reveal the identity of a victim of sexual violence unless the victim gives consent and there is public interest.
In all of the listed cases, there is an exception to the prohibition on using personal data without consent where there is a high public interest and the legitimate interest of the public prevails.
Who to address if we think our rights are being violated?
If the confidentiality of our personal data has been compromised we can address:
- Personal Data Protection Inspector;
- Police
- Media self regulatory body (see the relevant chapter)
- If the data has been compromised in the social media, the relevant social media
Personal Data Protection Inspector. We can address the inspector if our rights are being violated by commercial organizations, state authorities or individuals.
The Inspector is in charge of making inquiries into violations related to data protection and responding to them. He/she handles citizens’ complaints and, if violations are detected, requires the organization to remedy the violations and, if necessary, imposes a fine.
Police. Illegal collection, storage, use or dissemination of personal data is a criminal offence. For example, if someone downloaded your private video file from your computer without authorization and shared it on social media, you should address the police. On the basis of your statement the police will launch an investigation.
Media self regulatory body. If the media discloses your personal data without your consent and there is no public interest in the issue, you can address the Appeals Commission of the Broadcasters. As for other types of media, you may address the Charter of Journalistic Ethics.
Social media. If someone uploads your photo on a social media web-page or makes it a profile picture, you may file a report and request the removal of the content.
- If this happens on Facebook, click the following link, specify the content that needs to be removed, paste the URL of the content and send the message. Also, Facebook gives you the opportunity to report the user that has been sharing your photo or video content. Visit the profile page concerned, click on the right corner of the user’s cover photo and then click “Give feedback” or “report this profile”, then follow the instructions.
- If this happens on Instagram, follow the link, answer several mandatory questions, indicate the URL of the content concerned and send the report.
- In the case of YouTube, click the following link and fill in a form with the necessary information.
It is impossible to foresee whether the undesirable content will be removed from the social media on the basis of your report. The companies warn us beforehand that the report may not be complied with if the request is ungrounded. Therefore, the more precise the information we submit, the higher the chances that our request will be granted.
History
First ever name. To highlight their identity, ancient men depicted their names on various objects. The most widespread personal data, a person’s name, has been encountered in ancient China in the form of symbols.
These symbols signify the name of the owner of terracotta pottery dated 6600-6200 BC.
The Romans recorded personal data as early as 27 BC. This is the year when the first ever ‘birth certificate’ was issued. It contained a child’s name and age.
First selfie. It may seem unimaginable, but the first selfie was taken by the American photographer Robert Cornelius in 1839.
First internet communication. First ever email was sent by a famous American computer programmer Ray Tomlinson in 1971. The exact content of the email has long been forgotten.