Data Protection and Enabling Psi Re-use EVPSI & LAPSI Final Meeting Tools for Enforcing Data Protection and Enabling Psi Re-use EVPSI & LAPSI Final Meeting Turin, 9-10/7/2012 Eleonora Bassi University of Turin

The case for reuse of personal data from psi shows that data protection and data circulation are not incompatible. It is not only a matter of balancing: it involves our concept of data protection. The challenge is protecting data (and personal data) for their circulation, not only for collection and conservation. Following this approach, Open Data policies and Data Protection laws have a similar objective: to create a fair environment for the circulation and the processing of data.

Working Party Art. 29 recommended to adopt a case by case approach “in order to strike the balance between the right to privacy and the right to public access” (Opinion 7/2003, wp 83) different solutions for different kinds of data and for different purposes

Proactive Approach: In his Opinion on Open Data Package (18 April 2012) EDPS stated that "it is crucial that public sector bodies take a proactive approach when making personal data available for reuse. A proactive approach would make it possible to make the data publicly available with the explicit purpose of reuse, subject to specific conditions and safeguards in compliance with data protection rules" (§ 39) "this requires that the scope for a public disclosure of personal data is analysed proactively and at the earliest stage, and that the persons involved are informed accordingly so as to allow them to exercise their rights" (§23)

Recommended Tools: PETs Privacy by Design Anonymisation Privacy Policies PIA Codes of Conduct Guidelines

Anonymisation by Default Art. 29 Working Party recommended the use of anonymisation techniques for the re-use of personal data collected by public bodies (Opinion 7/2003 wp83) In his Opinion on the Open Data Package EDPS recommended 1) anonymisation as a default rule (§45) 2) different levels of anonymisation (with respect to the context: nature of the data, the purpose of the processing and the potential risks for individuals) (§46) 3) PSBs could be compensated for costs of anonymisation (§§63-65)

Privacy by Design & PETs Both Psbs and Reusers have to adopt technical and organizational measures for confidentiality and security of processing (Art. 17 Dir-95/46/EC) “Privacy by Design” mechanisms have a key role for managing the interaction between law and technology in privacy and data protection issues, ensuring the minimization and quality of the data, its controllability, transparency, confidentiality, etc... PETs are designed to protect personal privacy by eliminating or minimizing personal information to avoid unnecessary and unlawful data processing, without causing loss of functionality of the information system

Privacy Impact Assessment In his Opinion on the Open Data Package EDPS suggested the adoption of PIA for the reuse of personal data (§§ 40-41) PIA must ensure: 1) adequate legal basis under national laws 2) the reuse is available only for a compatible purpose 3) reusers are required to comply with all data protection laws 4) other additional safeguards (anonymisation, security measures, etc..)

White Papers of best practices, DPOs activity, etc. Soft Law Measures Privacy Policies for Openess at any level of public sector (national, local, sectorial..) following both a proactive and a case by case approach with particular attention to the nature of the data and the purpose of the reuse processing Codes of Conduct, Guidelines White Papers of best practices, DPOs activity, etc.

Data Protection Clause ? The Inclusion of a Data Protection Clause in licence conditions (EDPS, §§ 50-56): it should include indications on purposes, security measures, the adoption of PIA, anonymisation