Based on an anonymous notification, the Personal Data Protection Service of Georgia conducted an unplanned inspection in one of the Ministries.
During the inspection, it was determined that a special technical software program was activated on about 3,000 computers of the employees of the Ministry and more than 10 legal entities included in its system, which was used to send IT requests, temporary dismissals, and requests for passes, but at the same time, it collected data from the computers of the individuals employed in the Ministry's system, detailed information about the actions taken through the means. The collected data included the name of the electronic programs used by the employees on the computer (for example: "Opera", "Google Chrome", "Pdf", "Word", "Excel"), the period of use of the mentioned programs, the naming of active window (the so-called “Tabs”) opened in the programs (which meant, for example, the ability to access the title of the website and feasible familiarization with the information posted on this website) and others.
Also, the Ministry had developed special words (for example, "Facebook", "porn"), in case of finding these words in the active window of any program (for example, "Google Chrome", "Mozilla Firefox", "Internet Explorer", etc.), the periods of use of the corresponding keyword were added up.
As a result, information was collected about each employee regarding used computer programs, visited web pages and the latter's context.
As a result of inspection, it was discovered that the technical support program made available statistical information on the computer activities of each employee over the previous 60 days; Precisely — this included the 15 most frequently used programs by the employee (such as: “Excel”, “Teamviewer”, “Photoshop”, and “Powerpoint”) and a list of keywords with corresponding percentages of usage durations (such as “Facebook”, “Eflow”, and “eDocument”). The detailed information was accessible to up to 30 employees of the units of the Ministry's system (including HR departments) through the technical support program.
The Personal Data Protection Service of Georgia determined that the data collected through this process was being used by one of the departments to monitor employee activities within the scope of work (for example, the Head of the department, during the business trips, monitored the activities of their employees), and was also claimed by the Ministry to be used by employees to self-monitor their time usage. Furthermore, the Ministry stated that the program was functioning for the sake of information security goals.
Upon conducting an evaluation of the data processing procedure in relation to its stated objectives, it was discovered that the collected data was not utilized by the relevant managers of the Ministry, except for the Head of the Information Technology Department. Furthermore, employees were either not informed or insufficiently informed about the availability of their statistical information through the technical support program. Additionally, some of the acquired data was deemed unnecessary for the Ministry's information security purposes.
In its assessment, the Personal Data Protection Service of Georgia referred to a number of rulings made by the European Court of Human Rights, such as Copland v. UK (No. 62617/00; 03.04.2007), ANTOVIĆ AND MIRKOVIĆ v. MONTENEGRO (No. 70838/13; 28.11.2017), and BĂRBULESCU v. ROMANIA (No. 61496/08; 05.09.2017). The Service concluded that:
• Some of the data processed by the Ministry through the technical support program may contain personal or private information of individuals, which is not related to work activities. This is because an individual's personal life can overlap with their work activities. In situations where the objectives of official monitoring can be achieved with less interference with an individual's right to privacy (such as communicating with the employee's immediate supervisor or implementing a procedure for submitting periodic reports), collecting and processing personal data of employees in this manner was not deemed a proportionate means of achieving the goal of monitoring employees.
• The processing of the data collected through the technical support program for the purpose of self-monitoring of employees was not based on their consent or willingness, and they were not adequately informed or actively utilizing the opportunity. The Service concluded that even if the employees were properly informed, the better organization of their working time using the obtained computer data would still ultimately depend on their own volition. Therefore, the acquisition and processing of data on computer activities through the technical support program for the purpose of self-monitoring could only be conducted with the employees' initiative and consent.
• As for obtaining data for the sake of information security, the Service found that the Ministry is a critical infrastructure entity of the first degree, using modern licensed equipment and software to maintain information security. Accordingly, the data obtained through the concerned program would have limited efficacy in achieving the Ministry's information security goals. Therefore, data collection from employees’ computers should have been minimized, and access to recorded information should have been restricted to the greatest extent possible to ensure compliance with information security requirements.
The Personal Data Protection Service of Georgia concluded that the Ministry had identified several purposes for data processing (such as self-monitoring of employees and information security), yet without employees’ desire or initiative; furthermore, collection of large volumes of data for the sake of self-monitoring without informing employees prior, was unjustified; for the purposes of information security, the organizational and technical measures taken by the Ministry created risks of illegal data collection. This referred to a violation of Article 17 (Data Security) of the Law of Georgia "On Personal Data Protection" due to which the Ministry was recognized as an administrative offender for violation provided for in Article 46 of the Law of Georgia "On Personal Data Protection". Additionally, taking into account the complexity of the data processing via the technical support program, the Ministry was given a mandatory instruction, and was required to cease data processing and delete already processed data for the purposes of monitoring/self-monitoring of the employees of the Ministry by means of the mentioned program.