Valstybės Kontrolė

National Audit Office of the Republic of Lithuania (VK)

Protection of automatically processed personal data Read full summary in English

2013 report VA-P-90-3-21

Over the past few years, a number of legal, management, supervision, information, and methodological issues related to the protection of personal data have piled up. As they have not been fully resolved,the National Audit Office conducted an audit to assess the efficiency of the protection and supervision of automatically processed personal data and to check whether: - the regulation of personal data protection conforms to the data processing practices; - personal data is properly processed at public sector bodies; - the State Data Protection Inspectorate (SDPI) performs sufficient supervision of the processing of personal data. The audit was conducted at the SDPI, data and information was collected at the Ministry of Justice, Ministry of Transport and Communications, Ministry of Health, Ministry of the Interior, Information Society Development Committee under the Ministry of Transport and Communications, and public establishment Central Project Management Agency.

In the report: part Conclusions: 1,2 (page 4)

- When shaping the policy for the protection of personal data, the Ministry of Justice has no clear vision for the development of person data protection at the national level.

- There is a lack of long-term direction of the personal data protection in the state and clearly formulated personal data protection policy, and the distribution of functions has a number of deficiencies

- The Ministry of Justice has been focusing on the legislation, rather than the establishment of the priorities in this area and a long-term direction for the protection of personal data.

- The Ministry of Justice, which also shapes the policy for the protection of personal data and the implementation of the registers managed thereby, as the manager of the main registers in the country, faces a conflict of interest concerning the processing of personal data.

In the report: part Conclusions: 3,4 (page 3,4)

- 84 per cent of the inspected institutions do not comply with the legal protection requirements for personal data and only 47 per cent have been properly implementing the data subject’s right to privacy.

- When organising the supervision of data controllers, the SDPI has not been using any risk assessment and management system, preventive inspections and prior checks are usually conducted by way of correspondence, the Inspectorate does not always apply control measures to prevent breaches of data security. Morover, the SDPI does not automatically receive data on the automated processing and protection of personal data in the public sector

- The methodological guidelines prepared by SDPI have become obsolete and do not encompass all the problem areas relating to the application of new technologies, the quality of the consulting of data controllers is insufficient, and the information published on the website has been reviewed at irregular intervals. The number of publications about personal data protection prepared by the Inspectorate has been going down every year, not all prepared material is updated and made publicly available to the public.

- functions implemented by the SDPI lack quality and efficiency

- the organisation and control of personal data processing in the public sector is not sufficient

The risk cases visible on this page are collected and described by the e-Government Subgroup of the EUROSAI IT Working Group in contact with author Supreme Audit Institutions (SAI). In the same way, analytical assumptions and headings are chosen by the Subgroup. We encourage you to read the original texts by SAIs - to be found in the linked files.