Ministry points finger at schools
The investigation found 107 school readiness assessments, 35 Rajaleidja counselling committee decisions, 18 data requests or descriptions for criminal proceedings, 17 social welfare department queries or replies etc. This does not include documents that merely mention a person’s name, place of residence, age, grade, marks or school and documents that included personal information of school employees.
“It seems we have a lot of work to do,” said Kadri Levand, senior inspector of the data protection inspectorate who brought supervision proceedings against system administrator the education ministry.
The ministry’s preliminary analysis suggests schools and kindergartens are to blame for the leak. “The cause of the data leak is failure on the part of users [of the database] to pay attention to public access settings when entering documents,” Secretary General Tea Varrak wrote to local governments on October 2.
The ministry’s position is lent credibility by the fact headmasters of several schools and kindergartens told “Radar” their employees had made mistakes in registering documents, including those entered back in 2015.
On the other hand, accidentally making documents public should not be possible in EKIS. The default publication setting in the system is “do not show in public interface”. To make a document fully visible, a user has to check a box to remove access restrictions. That is not all. The system also displays a warning: “The object will be made public. Press Cancel if you want to review data or OK to proceed.”
“That is not human error, it is deliberate action,” said Headmaster of the Randvere School Leelo Tiisvelt when demonstrating how a document is registered in EKIS. Leaked descriptions of the school’s students were among the most sensitive.
Tiisvelt said she very much doubts the school removed access restrictions when entering the data in 2016. She said that documents became public after EKIS received an update this September. “As head of a school, I would like to know how the system has been monitored. How can there be so many human errors the system did not pick up on?” Tiisvelt asked.
The position of the Randvere headmaster is supported by the fact delicate documents were only found in EKIS but not in municipal document registers that schools and kindergartens also use.
That said, Tiisvelt’s timeframe does not fit. The first freely accessible descriptions of students were found in January of this year and the data protection watchdog pointed to publicly available documents of two schools already back in 2015.
Documents with personal information of children can no longer be found in EKIS today while the system still does not meet public document registry requirements. Documents with no access restrictions need to be accessible through public registers while EKIS only includes metadata. “These proceedings will likely take a long time,” senior inspector Kadri Levand said.