A data tracker is a software solution designed to give individuals an overview of queries made about their personal data in state databases.

Using the tracker, a person can see when (date and time), by which institution or individual, from which database and for what purpose inquiries into their personal data have been made.

The data tracker service has been available to the public through the eesti.ee portal since 2017 and can also be accessed via the eesti.ee mobile app.

Currently, integration with the tracker is voluntary and covers only a small portion of databases — just 15 out of more than 300 information systems are using it.

The Ministry of Justice has submitted a legislative intent document for approval that would make using the tracker mandatory for nearly all public databases that store personal data.

Some information systems would be exempt — for example, those handling classified information or databases that do not contain personal data.

"Personal data belongs to the individual, not the government agency. Our goal is to end the current situation where the state's use of data is a black box for people. If an official looks at someone's data, there should be a record of it and people have a right to see that record," said Minister of Justice and Digital Affairs Liisa Pakosta (Eesti 200).

"We're making the data tracker mandatory to build trust in the state and give people real control over their data. This marks a fundamental shift from a project-based approach to systemic transparency," Pakosta added.

To ensure a smooth transition that takes into account agencies' technical readiness, specific deadlines have been set.

"I've instructed all ministries to develop a concrete roadmap within their administrative areas by the end of this year. These plans must include exact dates for when the data tracker will be implemented," Pakosta emphasized.

The legislative intent document notes that in recent years, there have been multiple cases where individuals' data was accessed from state databases, such as the population register or land registry, for unclear or questionable reasons.

The minister described the tracker as a tool for safeguarding fundamental rights.

"It also acts as a check on officials and data processors — knowing that every query leaves a trace visible to the individual is the best deterrent against curiosity-driven or unlawful inquiries," Pakosta said, adding that in recent years, audit logs have helped uncover several data protection violations.

The Ministry of Justice Digital Affairs is seeking feedback on the legislative intent from other ministries, constitutional institutions and stakeholder organizations, including the Estonian Bar Association, Estonian Data Protection Association and the Estonian Association of Information Technology and Telecommunications, by December 31, 2025.

Following the feedback review, a draft amendment to the Public Information Act will be prepared.

In parallel with the legislative process, technical preparations are continuing under the leadership of the Information System Authority (RIA), which is responsible for the central management and development of the data tracker.

Difficult for people to monitor data access

The legislative intent document outlines several existing issues, including the lack of a comprehensive overview for individuals regarding how their personal data, held by the state, is being used.

People also struggle to understand log entries. As a possible solution, the ministry proposes developing clear guidelines for how data tracker log entries should be explained to ensure they are easy for individuals to interpret.

In 2024, the Ministry of Economic Affairs and Communications, as part of its analysis of the data tracker's cost-effectiveness, estimated the average cost of a single query (including the request and delivery of the response) at approximately €0.30.

According to the same ministry's 2024 estimates, the average cost of handling an individual inquiry — most often via email — ranges from €4 to €12, depending on the scope and complexity of the request.

This means that if implementing the data tracker system costs a database administrator around €8,000, with annual maintenance expenses averaging €600, the total lifecycle cost would amount to roughly €14,000.

A potential downside to making the data tracker mandatory is a temporary increase in query volume following its launch. In addition, questions arising from how to interpret log entries could lead to a rise in clarification requests.

--

Follow ERR News on Facebook and X and never miss an update!