Potential breach in system noted

A potential breach of data protection has been identified in the way the government handles people's complaints.

The Data Protection Act lays down that those receiving personal information should inform the person who furnished such particulars on how they intend using it and whether they will be sharing it with others.

However, Data Protection Commissioner Joseph Ebejer found in a recent investigation, that when complaints are lodged with the government, people's personal data "seems" to be passed from one person to another without the expressed consent of the person in question.

The practice of disclosing the information was often necessary, however, the government was obliged to get a person's expressed consent.

For this reason, Mr Ebejer recommended that a clause be included in the complaint forms people are expected to fill in when filing a complaint, saying expressly how the information would be used.

The recommendation was included in a ruling by Mr Ebejer on an alleged breach of data protection by Nationalist Party secretary general Paul Borg Olivier when he sent out an e-mail asking Cabinet ministers to forward personal details of people making complaints.

Dr Borg Olivier was cleared because the system he suggested was never implemented. However, Mr Ebejer noted that the request was illegal and could have had very "serious consequences" that would have led to a breach in the handling of personal information.

The case revolves around an e-mail Dr Borg Olivier sent last November to ministers and parliamentary secretaries and which was also mistakenly copied to (then) Labour Party general secretary Jason Micallef instead of Parliamentary Secretary Jason Azzopardi.

The e-mail referred to a meeting at the PN headquarters in which a data sharing strategy, which was put in place, called on ministries to pass on to the party details of people who would have lodged a complaint so the party could follow it up.

The PL had published the e-mail and asked Mr Ebejer to investigate whether it was a breach of data protection law. Dr Borg Olivier staunchly defended himself, saying there was nothing illegal in the system and he filed his own complaint asking the commissioner to investigate Labour's data-gathering practices.

As part of the investigation, data commission officials carried out an inspection in the customer care office of the Office of the Prime Minister to make sure that no personal information of individuals who filed a complaint had been passed on to third parties.

Although it was established that no data was transmitted to the party, Mr Ebejer called for a more unified and improved system of complaints registration after noting that many people filed two, one with the ministry and another with the Office of the Prime Minister.

The parties gave different interpretations to the ruling.

The PN said the commissioner dismissed allegations that Dr Borg Olivier breached the law when he asked Cabinet ministers to forward personal details on complainants. Since there was no processing of personal data, the law had not been violated, the PN said.

Labour, however, insisted that had it not revealed a web of spying, there would, in the words of the commissioner, have been "serious consequences" on the right to privacy of people whose personal information would have been divulged.