Mechanism of administrative and legal regulation of the use of personal data by local governments

Introduction

With the beginning of the third millennium, the intensive development of information technology began. The spheres of the information society in Ukraine are e-government, democracy, justice, digitalization of public administration, digital economy, digital voting as promising areas of modern information and communication technologies (Reznik, Slinko, Kravchuk, Serohin, & Strelianyi, 2021). State information policy, defined in current concepts and strategies in all spheres of public life, leads to an accelerated increase in government officials' use of personal data in their activities. Along with the emergence of new intellectual property and the latest information technologies, new problems arise regarding their protection (Utkina, Bondarenko, & Malanchuk, 2021).

The strengthened information exchange provides performance of functions of local self-government bodies, formation and use of the corresponding databases in local self-government bodies: village, settlement, city councils, and their executive bodies, representing the territorial community's interests. A significant part of the information used by persons empowered by local governments refers to information with limited access.

The protection of personal data is a fundamental element of human rights in the information society. As a basic human right, its violation endangers the security, honor, dignity of the person, and so on. This right is also derived from the constitutional right not to interfere with privacy and the right to prohibit the collection, storage, use, and dissemination of confidential personal information (Davydova, Bernaz-Lukavetska, & Reznichenko, 2020).

The authors agree with the position of some scientists and justify that common problems and cases of violations in this area are illegal collection, storage, use, and disclosure of personal data; lack of adequate means of protection of the right to privacy, and cessation of violations of the law in the processing of personal data; imperfect institutional mechanism of independent control over the observance of the right to protection of personal data; excessive number of individual databases owned or operated by government agencies, etc. (Dumchykov, & Bondarenko, 2020). That is why the state information system needs to be modernized because, despite the adoption of new and improved legislation on personal data protection, several confidentiality issues remain. This task requires all government agencies' joint efforts and work without exception (Bondarenko, Utkina, Dumchikov, Prokofieva-Yanchylenko Yanishevska, 2021).

The problem of compliance with the personal data protection rules of local government employees and persons applying to them for administrative services is significant. For the most part, they are residents of the territory, the disclosure of confidential information can have serious negative consequences for such persons within this territorial community.

The purpose of the study was to determine the characteristics of the mechanism of administrative and legal regulation of the use of personal data by local governments in comparison with the best practices of foreign countries.

In this article the authors described features of administrative and legal regulation personal data usage by local governments, its content and elements. Special attention was paid to the international experience in the legal regulation of the use of personal data by local governments and thee possibility of its implementation (best practices for Ukrainian legislation).

Theoretical Framework

It is first necessary to analyze the definitions proposed by scientists, which already exist in theoretical and legal science, to study the mechanism of administrative and legal procedure for the use of personal data by local governments. Personal data should be defined as "a set of data that represents and is related to the identity, activities, and offer of services related to a unique person" (Labadie, & Legner, 2020).

In general, legal regulation is a complicated and, at the same time, essential concept in legal theory. It should be emphasized that legal science still does not have a unanimous and stable approach to formulating "administrative and legal regulation". Today, there are many proposed interpretations of this concept, which differ significantly from each other.

According to O. M. Melʹnyk, "legal regulation - is embodied by the entire system of legal means of state influence on public relations, for their regulation, consolidation, protection and development" (Melʹnyk, 2004, p. 31).

As for the administrative and legal sphere, V. Y. Razvodovsky (2003) defines administrative law regulation as a set of methods of legal regulation, with a predominance of obligations and prohibitions. Such a set is formed through the endowment of participants in legal relations, subjective legal rights, responsibilities through the formulation and enshrinement in specific regulations due to law-making activities of authorized bodies (officials).

V. I. Temeretsky points out that "administrative and legal regulation in the general sense is the regulation of public relations by the rules of administrative law in the field of public administration in the interests of the individual and the state" (Teremetsky, 2012, p. 51).

For their part, V. Yu. Petrova and A. A Semenov define this type of legal regulation as executive and administrative activity of state bodies endowed with state-administrative powers, which is aimed at normalizing public relations by adopting rules and ensuring their further implementation (Petrova, & Semenov, 2015, p. 31).

In general, the mechanism of administrative and legal regulation is defined as a set of organizational and lawful means that influence the relations that arise during the implementation of administrative obligations of public administration (Kovalenko, 2012); a category that reflects the process of translating the rule of law into the orderliness of social relations, which are governed by the rules of this branch of law, i.e., statistical, administrative rules are set in motion by the mechanism of administrative and legal regulation (Falatyuk, 2014, p. 125), etc.

Methodology

The methodological basis of the study is a set of tools and methods of scientific knowledge, which are defined following the study’s purpose. The given article combines general scientific and unique methods. In their joint usage these methods allow to achieve positive research results. The logical-semantic method allowed us to study in-depth the conceptual apparatus on the researched question. Using this method the authors gave definitions to such notions as “use of personal data”, “grounds for the processing of personal data” and “the mechanism of administrative and legal procedure for the use of personal data by local governments”. This method and definitions helped to build strong theoretical framework of the given article for further research of more practical aspects. The system-structural method analyzes the powers vested in local governments, which use personal data in their activities. According to this method and received research data, the authors stressed out features of administrative and legal regulation of the use of personal data. The given information helped to focus on disadvantages and advantages and necessity of its improvement. At the same time, the descriptive method was used by the authors to reveal some concepts, conduct an available description of the elements of administrative and legal regulation personal data usage by local governments. As addition to general scientific methods, authors used  the comparative legal method, it was possible to characterize the administrative and legal regulation of the use of personal data by local governments in different countries. Using this method the authors made conclusions on the two groups of regulations of the use of personal data by local governments in the biggest part of foreign countries: 1) which regulate access to public information; 2) those that protect information with limited access.

Results and discussion

Use of personal data by local governments: features of administrative and legal regulation, its content and elements

Important areas of local governments' implementation of power functions are socio-economic and cultural prosperity; finance; budget planning and accounting; management of housing and communal services and communal property, etc. Performance of the functions assigned to them by local self-government bodies is ensured by enhanced information exchange. One such activity is using databases, particularly local governments and their executive bodies representing the local community's interests. Much of the information processed by local government employees belong to the data classified as restricted under current law.

The issue of compliance with the rules on personal data protection is of paramount importance. It should be noted that today the legislation on personal data protection in Ukraine is in constant rapid development. Thus, in particular, among such regulations should be mentioned:

1. Law of Ukraine of 01.06.2010 № 2297-VI  "On protection of personal data";
2. Law of Ukraine of 09.01.2007 № 537-V "On the Basic Principles of Information Society Development in Ukraine for 2007-2015";
3. Procedures for processing and protection of personal data of executive authorities.

The legislator also paid attention to this issue at the level of the program act - Information Security Strategy until 2025 (Official website  of Ukraine, 2021). The Strategy provides the principles of ensuring information security of Ukraine, counteracting threats to national security in the information sphere, protection of civil rights to information, and protection of personal data.

The main elements of administrative and legal regulation of the use of personal data by local governments are the information environment of the subjects of power, tasks, principles, subjects, objects, means of regulating the use of personal data by the issues of power and guarantees of legality in this sphere.

The system of realization and ensuring the right of every person to access information held by public authorities, other managers of public information, and information of public interest is determined by the Law of Ukraine "On Access to Public Information" (Law of Ukraine No. № 2939-VI, 2011). This law is designed to guarantee the transparency and openness of the subjects of power and to create the functioning of the right of everyone to access public information, which is reflected and documented by any means on any media, information received or made during the implementation of public authorities. The power of their duties, defined by the current legislation, or which owns subjects of power or other managers of public information, is determined by the law mentioned above's norms. At the same time, in the process of exercising their powers by state bodies, not only available information is accumulated, but also information with limited access, which is evidenced by the content of Part 2 of Art. 1 of the Law of Ukraine "On Access to Public Information" (Law of Ukraine No. № 2939-VI, 2011).

The provisions of the Constitution of Ukraine prohibit the collection, storage, use, and dissemination of confidential information about a person without his consent, except in specific cases, and only in the interests of national security, economic welfare, and human rights (Law of Ukraine No. № 254к/96-ВР, 1996). Provisions on the mandatory consent of a person when using confidential information about him are contained in Art. 6 of the Law of Ukraine "On Personal Data Protection", exceptions to this rule are specified in Art. 7 of the same law (Law of Ukraine No. № 2297-VI, 2010).

Following the current legislation (Article 10), mandatory is also the consent to the disclosure of information about the private life of citizens received by public authorities and associations of citizens on citizens' appeals (Law of Ukraine  No. 393/96-ВР, 1996).  This norm also contains provisions on the prohibition of disclosure of information obtained from requests, which is a state or other secret protected by law without the consent of the person who applied.

The owner or administrator of personal data may be enterprises, institutions, and organizations of all forms of ownership, public authorities or local governments, natural persons - entrepreneurs who process personal data following the powers granted to them following the law. The controller of personal data owned by a state authority or local self-government bodies, in addition to these bodies, maybe only an enterprise of state or communal ownership, which belongs to the sphere of management of this body.

Current legislation defines "use of personal data" as any actions of the owner to process this data, measures to protect them, as well as efforts to grant partial or total right to process personal data to other subjects of relations related to personal data that carried out with the consent of the personal data subject or by the law (Law of Ukraine No. № 2297-VI, 2010).

Employees' data of the subjects of relations related to personal data should be carried out only following their professional or official or employment responsibilities. These employees are obliged not to disclose in any way personal data that has been entrusted to them, or that has become known in connection with the performance of professional or official or labor duties, except as provided by law. Such obligation is valid after the termination of their activities related to personal data, except as provided by law.

The grounds for the processing of personal data are: 1) the consent of the personal data subject to the processing of his personal data; 2) a permit for the processing of personal data granted to the owner of personal data in accordance with the law solely for the exercise of his powers; 3) concluding and executing a transaction to which the personal data subject is a party or which is concluded for the benefit of the personal data subject or for the implementation of measures preceding the conclusion of the transaction at the request of the personal data subject; 4) protection of vital interests of the subject of personal data; 5) the need to perform the duty of the owner of personal data, which is provided by law; 6) the need to protect the legitimate interests of the owner of personal data or a third party to whom personal data are transferred, except when the need to protect the fundamental rights and freedoms of the personal data subject in connection with the processing of his data outweighs such interests (Law of Ukraine  No. № 2297-VI, 2010).

In cases of work with personal data that pose a particular risk to human rights, the owner, represented by local governments or executive authorities, also determines the responsibilities and rights of persons responsible for organizing work related to the protection of personal data during their processing.

It is important to emphasize that the procedures for processing personal data, the timing and composition of their processing should be relevant to the purpose of processing. Accordingly, the purpose of personal data processing must be clearly defined and comply with legal norms; it must also be defined before they are collected.

In case of changing the specified purpose of personal data processing to another purpose that is incompatible with the previous one, for further data processing, the personal data owner, except as provided by law, must obtain the consent of the personal data subject to process his data following the new purpose (Shcherbyna, 2020).

According to Art. 9 of the Law of Ukraine "On Personal Data Protection" the owner of personal data, i.e., local governments and executive authorities, must notify the Commissioner for Human Rights about the processing of personal data, which carries a particular risk to the rights and freedoms of personal data subjects, within thirty working days from the date of commencement of such processing (Law of Ukraine No. 2297-VI, 2010).

The owner/manager must keep records of employees who have access to the personal data of persons. The owner/manager determines the appropriate entry of these employees to the subjects' personal data. Each of these employees has access only to the personal data (parts thereof) of persons necessary to perform professional or official, or labor duties.

As for other employees, the owner/manager has access to information only on their own personal data. Employees with access to personal data provide a written non-disclosure agreement that has been entrusted to them or that has become known to them in connection with the performance of their professional or official or employment duties. The date of granting the right to access personal data is calculated from the date of granting the obligation by the respective employee (Law of Ukraine No. 1/02-14, 2014).

From the above provisions, the mechanism of administrative and legal procedure for the use of personal data by local governments can be defined as a set of legal, organizational, technical techniques to ensure the legality, effectiveness, and rationality of actions related to the use of personal data by local governments in the balance between the public interest and the constitutional right to privacy.

International experience in the legal regulation of the use of personal data by local governments

Local self-government is one of the important institutions of civil society. Most democracies in the world have a developed system of local self-government, to which several state functions are delegated. To characterize this institute to clarify its inherent features of private and public law, it is necessary to study modern systems of local self-government and theoretical achievements in the field of private and public law (Perezhniak, Hryshchuk, Menso, Strukova, & Nazarko, 2021).

The emergence of new precedents for the use of personal data by local governments requires the development of new ways to resolve disputes and optimize mechanisms for personal data protection. Regarding the effectiveness of national legislation, O. M. Boyko (Boyko, 2021) points to the lack of effective mechanisms for comprehensive information security, adding that regulations in this area are imperfect and that human rights to the protection of personal data are constantly violated.

To propose effective mechanisms for improving the legislation on the subject, it is necessary to analyze the foreign experience of ensuring the confidentiality of these entities' personal data in their operation.

In the context of the separation of personal data into a separate group with special legal regulations, we note that the classification of personal data and their separation into a particular group is not a new phenomenon and is often found in the national legislation of European countries.

The early 1970s were marked by the adoption of legislation to protect the privacy of various countries around the world. There is a worldwide global movement towards a comprehensive law that establishes a framework for protecting personal data. The need for such legal norms, stated in the explanatory note to the Convention for the Protection of Individuals concerning Automatic Processing of Personal Data, is explained by the growing use of computer technology for management purposes.

Modern international law contains about 20 pan-European conventions, directives, and recommendations on personal data protection. For its part, Ukraine has ratified basic European standards in personal data protection, including the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as an additional protocol on supervisory activities and cross-border activities data flows. Thus, Ukraine has committed itself to implementing its provisions in Ukrainian law (Shcherbyna, 2020).

The consolidation at the international level of norms that determine the need for legal protection of personal information reflects a steady trend in the development of information relations arising in the functioning of the subjects of public authorities, namely the significant expansion of the use of personal data of citizens.

In connection with the Ukrainian state's commitments by choosing the path of European integration, it is important to first turn to a different legal framework to protect personal data in the European Union. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and the free movement of such data, (GDPR) and repealing Directive 95/46 / EC - the leading international document, which enters into force on May 25, 2018 (Regulation (EU) 2016/679). This normative act is aimed at "harmonizing the protection of fundamental rights and freedoms of individuals concerning the processing activities and ensuring the free flow of personal data between the Member States". The Regulation provides appropriate powers to monitor and enforce data protection rules and penalties for breaches in the Member States.

It should be noted that the process of systematization of information legislation of Ukraine must meet the conditions of implementation of the Association Agreement signed between Ukraine and the European Union. Following this international agreement, Ukraine should develop and implement a mechanism for the appropriate level of protection of personal data per "the highest European and international standards, including relevant documents of the Council of Europe." At the same time, Article 14 of the Association Agreement signed between Ukraine and the European Union emphasizes that the system of protection in the field of personal data may include "among other things, exchange of information and experts" (Official EN Journal of the European Union, 2014).

As for the world's countries, most of them have two groups of regulations: 1) which regulate access to public information; 2) those that protect information with limited access.

Most democracies have passed laws regulating access to public information. They are an effective legal mechanism for realizing one of the fundamental human rights - the right of access to public information, which is, in turn, a need for European legislation and an essential condition for integration into the European Community. The countries whose legislation contains laws on access to public information are the United States ("Freedom of Information Act"), the United Kingdom ("Freedom of Information Act"), Estonia ("Freedom of Information Act"), Latvia ("Freedom of Information Act"), Bulgaria ("Law on Access to Public Information"), Slovakia ("Law on Free Access to Information"), Slovenia ("Law on Access to Public Information"), Hungary ("Law on Information Protection"), etc.

Almost all countries of the world recognize the constitutional right to privacy. For example, the Constitutions of South Africa and Hungary have access to and control of personal information. In many other countries where the right to privacy is not explicitly provided for in the constitution, such as the United States, Ireland, and India, courts apply additional rules to exercise this right. International treaties recognizing the right to privacy are the International Covenant on Civil and Political Rights (UN General Assembly, 1966) or the European Convention on Human Rights (Council of Europe, 1981, art. 7), which are part of the legislation of many countries.

Over the years, the United States and Europe have taken different approaches to protect personal information. American and European practices to the formulation of public and private information differ. Disputes between the Organization for Economic Co-operation and Development (OECD) and the United States continue over this issue, as US legislation and practice in personal data protection do not comply with OECD principles and European Union standards. Representatives of the United States believe that the European Union member states do not have a sufficiently effective legal framework that would reliably guarantee freedom of information (Shcherbyna, 2020).

Next, we will consider examples of administrative and legal regulation of the use of personal data by local governments in some countries.

The legal act in the UK that regulates the protection and use of personal data is the law "On Data Protection" 2018 (Data Protection Law 2018, 2018).
In addition, in classifying data as "personal", the United Kingdom considers the additional criteria set out in the Durant v. FSA (Financial Services Authority). In particular, personally identifiable information also includes information about a person's private life, including their own life or that of a family member, business life, or professional connections.

Turkey is an excellent example for Ukraine, as it is also trying to join the EU. The normative act that currently regulates the processing of personal data in the country is the "Law on Personal Data Protection" (from now on - TDPL) № 6698 of 2016. TDPL has provisions for the processing of personal data and sensitive personal data. Sensitive personal data may be processed, like all other data, only with express consent. The provisions of the law provide sufficient clarity on how data should be processed; it contains clear rules governing data processing and the legal grounds for processing and liability for non-compliance. Data subjects were provided with effective remedies, including civil lawsuits  (Law of  the Turkey No. 6698, 2016).

Germany is the undisputed leader among European countries in legal regulation and protection of personal data. The country is a prime example of the application of Regulation 2016/679 of 27 April 2016, adapting the German legal framework to the General Regulation by adopting the Federal Data Protection Act (Bundesdatenschutzgesetz - «BDSG») (Law of German "Bundesdatenschutzgesetz", 2017). The BDSG was officially published on July 5, 2017, and entered into force with the General Regulations on May 25, 2018 (GDPR). The purpose of the BDSG is to regulate the use of numerous provisions under the General Regulation, which allow the Member States to specify or even limit the data processing requirements under the General Regulation. The law is a clear example of creating such a legal mechanism for the protection of personal data in Ukraine, as European trends in this area are significantly ahead of Ukraine.

From the above study of foreign experience in the legal regulation of the use of personal data by local governments, it can be concluded that compared to the Ukrainian reality and legal environment, Turkish amendments to personal data protection legislation can serve as a guide to comply with EU standards. The experience of Germany and the United Kingdom can be quite effective in transposing it into Ukrainian law, from the point of view of existing administrative and civil case law, which protects the rights of the data subject quite strictly and effectively, and from the point of view of strong and effective national law.

Conclusion

With the tendency of fast informatization of civil life and activity of the system of state bodies. In this regard, ensuring the right of citizens to be prohibited from interfering in their personal and family life is becoming increasingly important. The study provides grounds for concluding that the protection of information with limited access is one of the urgent tasks of ensuring the national information security of Ukraine in the process of interaction between the subjects of power, namely, local governments. Modern domestic legislation governing the use of confidential information annually expands and details the rules for the benefit of personal data in certain spheres of public life, but despite this, the current legislation can not be called perfect due to systematic violations of citizens' rights to personal data protection.

To improve its national legislation, Ukraine, under its obligations under the Association Agreement with the EU, must implement mechanisms for the appropriate level of protection of personal data. In addition, the primary and priority measures to improve the means of the proper level of administrative and legal procedure for the use of personal data by local governments, the authors identify: bringing Ukrainian legislation in line with EU Regulation on the protection of individuals concerning personal data processing and free movement of such data (GDPR), using the experience of the member states of the European Union; approval at the legislative level of provisions on public registers, personal databases, as well as the procedures for processing personal data processed in them; introduction of monitoring of the state of observance of the requirements of the legislation on personal data protection in local self-government bodies; making changes to internal acts under the requirements of the legislation on personal data protection, which determine the procedure for processing personal data.