The role of privacy in the security landscape

1 The role of privacy in the security landscape
Frank Robben General manager Crossroads Bank for Social Security CEO Smals Sint-Pieterssteenweg 375 B-1040 Brussels Website: Personal website:

2 Legal pillars of European Privacy Law
Treaty on the European Union, Title I - Common Provisions - Article F
- the Union shall respect fundamental rights, as guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms signed in Rome on 4 November 1950 and as they result from the constitutional traditions common to the Member States, as general principles of Community law
European Convention for the Protection of Human Rights and Fundamental Freedoms, Article 8
- everyone has the right to respect for his private and family life, his home and his correspondence
- there shall be no interference by a public authority with the exercise of this right (exceptions: e.g. national security)

3 Legal pillars of European Privacy Law
Data protection directive
- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Directive on privacy and electronic communications
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector

4 European directive 95/46/EC
- the two basic principles of the directive
- scope of application and exemptions
- key players
- national law applicable
- obligations of the controller
- rights of the data subject
- remedies, liability and sanctions
- transfer of personal data to third countries
- codes of conduct
- supervisory authorities, working parties and committee
- conclusion

5 Two basic principles
- equivalent and high protection of fundamental rights and freedoms of natural persons, in particular the right to privacy with respect to the processing of personal data within the EU
- no restriction nor prohibition of the free flow of personal data between Member States for reasons connected with the protection of fundamental rights and freedoms

6 Scope of application
processing of personal data
- processing: any operation or set of operations, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction
- personal data: any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity
- wholly or partly by automatic means, or otherwise than by automatic means if the data (are intended to) form part of a filing system
- filing system: any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis

7 Scope of application: exclusion
processing of personal data
- in the course of an activity which falls outside the scope of Community law, and in any case processing operations concerning public security, defence, State security and the activities of the State in areas of criminal law
- by a natural person in the course of a purely personal or household activity

8 Exemptions of some of the provisions
Member States shall provide for exemptions or derogations from the provisions concerning
- the obligations of the controller
- the rights of the data subject
- the data transfer to third countries
- the power of the supervisory authority
for the processing of personal data carried out solely
- for journalistic purposes
- for the purpose of artistic or literary expression
if they are necessary to reconcile the right to privacy with the rules governing freedom of expression
Recital (37): this should not lead the Member States to lay down exemptions from the measures to ensure security of processing; at least the supervisory authority responsible for this sector should also be provided with certain ex-post powers, e.g. to publish a regular report or to refer matters to the judicial authorities.

9 Exemptions of some of the provisions
Member States may adopt measures to restrict the scope of some obligations and rights when this is necessary to safeguard
- national security, defence or public security
- prevention, investigation, detection or prosecution of criminal offences or of breaches of ethics for regulated professions
- an important economic or financial interest of a Member State or of the EU
- a monitoring, inspection or regulatory function connected with the exercise of public authority in some cases
- the protection of the data subject or of the rights and freedoms of others
Recital (42): Member States may for example specify that access to medical data may be obtained only through a health professional.

10 Exemptions of some of the provisions
Member States may restrict the rights of access, rectification, erasure and blocking when data
- are processed solely for purposes of scientific research, or
- are kept in personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics
where there is clearly no risk of breaching the privacy of the data subject, providing adequate safeguards, in particular that the data are not used for taking measures or decisions regarding any particular individual

11 Key players
- data subject: the natural person the personal data relate to
- controller: the natural or legal person, public authority, agency or any other body which alone or jointly determines the purposes and means of the processing of personal data
- processor: any natural or legal person, public authority, agency or any other body which processes data on behalf of the controller, e.g. personnel, IT service providers, network operators, ...

12 National law applicable
Each Member State applies its national law to the processing of personal data where
- the processing is carried out in the context of an establishment of a controller on its territory
- the controller is not established on its territory, but in a place where its national law applies by virtue of international public law
- the controller is not established on Community territory, but makes use of (automated) equipment for the processing of personal data situated on its territory, unless such equipment is used only for purposes of transit through the territory of the Community => the controller must designate a representative established in the territory of that Member State
Recital (18): in order to ensure that individuals are not deprived of the protection to which they are entitled under the directive, any processing of data in the Community must be carried out in accordance with the law of one and only one of the Member States; in this connection, processing carried out under the responsibility of a controller who is established in a Member State should be governed by the law of that State.
One applicable law => unique supervision and enforcement mechanisms and one competent supervisory authority for every processing of personal data. The legal form of the stable set-up, whether a simple branch or a subsidiary with legal personality, is not the determinative factor.
Art. 4, 1 (a): when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable.
Recital (21): the directive is without prejudice to the rules of territoriality applicable in criminal matters.

13 Obligations of the controller
- principles relating to fair and lawful processing and data quality
- criteria for making data processing legitimate
- specific rules for processing of sensitive data
- information to be given to the data subject
- confidentiality and security of processing
- notification of the processing of personal data

14 Fair and lawful processing and data quality
- collection only for specified, explicit and legitimate purposes
- no further processing in a way incompatible with those purposes
- personal data must be adequate, relevant and not excessive in relation to those purposes
- personal data must be accurate and kept up to date
- personal data must not be kept longer than necessary for those purposes in a form which permits the identification of the data subject
Fairness principle: the collection or processing should be as transparent as possible, thus allowing individuals the possibility to choose whether they provide their personal data or not, unless there is a legal obligation.
Specified purpose: the directive forbids the collection of data for the sake of it, or simply for some ill-defined future purpose, the nature of which is not clear. The purpose has to be defined in a concrete way; a very general description, such as “for business purposes”, would not satisfy the requirement.
Legitimate: i.a. not against public order and public decency.
Further processing of data for historical, statistical and scientific purposes is not considered as incompatible provided that Member States provide appropriate safeguards. Recital (29): these safeguards must in particular rule out the use of the data in support of measures or decisions regarding any particular individual.
What can be considered as a “compatible processing”? What is within the normal expectations of an average citizen.

15 Legitimacy of the processing
Processing of personal data is only legitimate in 6 cases
- unambiguous consent of the data subject
- (pre)contractual relationship with the data subject
- compliance with a legal obligation to which the controller is subject
- protection of the vital interests of the data subject
- performance of a task of public interest or official authority
- legitimate interests of the controller that prevail over the interests for fundamental rights and freedoms of the data subject

16 Processing of sensitive data
processing of personal data revealing or concerning
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- health
- sexual life
is in principle prohibited

17 Processing of sensitive data
Member States can provide that those sensitive data may be processed in a limitative number of cases
- explicit consent of the data subject
- carrying out of obligations and specific rights of the controller in the field of employment law
- protection of vital interests of the data subject or another person
- processing related solely to members or contact persons by a non-profit-seeking body with a political, philosophical or trade-union aim
- data are manifestly made public by the data subject
- establishment, exercise or defence of legal claims
- preventive medicine, medical diagnosis, provision of care or treatment or management of health-care services, if the data are processed by a health professional
- other reasons of substantial public interest
National law has to provide for adequate safeguards in case processing is allowed for carrying out obligations and specific rights of the controller in the field of employment law or for other reasons of substantial public interest.
Processing of sensitive data for purposes of preventive medicine, medical diagnosis, the provision of care and treatment or the management of health-care services is to be done by a health professional or another person subject to an obligation of professional secrecy.
Recitals (33-35): examples of other reasons of substantial public interest: public health, social protection, scientific research, government statistics, defence of the fundamental freedoms, ...

18 Processing of sensitive data
- data relating to offences, criminal convictions or security measures may only be processed under the control of official authorities or in execution of national provisions providing suitable specific safeguards
- Member States have to determine the conditions under which a national identification number may be processed
A complete register of criminal convictions may be kept only under the control of official authority. Member States may provide that data relating to administrative sanctions or judgements in civil cases shall also be processed under the control of official authority.

19 Informing the data subject
the controller or his representative must provide the data subject a minimum of information
- when obtaining personal data from the data subject
- when undertaking the recording or envisaging a disclosure to a third party of personal data that have not been obtained from the data subject
exceptions:
- the data subject already has the information
- informing the data subject in case of processing of data obtained from another person proves impossible, in particular for processing for statistical purposes or purposes of historical or scientific research
- or would involve disproportionate effort for the controller, in particular for processing for statistical purposes or purposes of historical or scientific research
- or is not necessary because the recording or disclosure is expressly laid down by law
Collecting data implies an initiative of another person than the data subject.
Recital (40): disproportionate effort: in this regard the number of data subjects, the age of the data and any compensatory measures adopted may be taken into consideration.

20 Informing the data subject
information to be given
- identity of the controller and his representative, if any
- the purposes of the processing
- any further information necessary to guarantee fair processing in respect of the data subject, such as
  - categories of processed data
  - (categories of) recipients
  - whether replies are obligatory or not, as well as the possible consequences of failure to reply
  - the existence of rights of access and rectification

21 Confidentiality and security
- no access to personal data except on instructions from the controller or if required by law
- appropriate technical and organizational security measures, protecting against
  - accidental or unlawful destruction
  - accidental loss
  - alteration
  - unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network
  - all other forms of unlawful processing
- measures have to be appropriate to the risks represented by the processing and the nature of the data to be protected, having regard to the state of the art and the cost of their implementation

22 Confidentiality and security
where processing is carried out by a processor
- the controller has to choose a processor guaranteeing sufficient technical and organizational security measures
- the controller must ensure compliance of the processing with the security measures
- the carrying out of the processing must be governed by a written contract or legal act stipulating in particular that
  - the processor shall act only on instructions from the controller
  - the security obligations shall also be incumbent on the processor

23 Recommendation Belgian Privacy Commission
see referenciemaatregelen%20vs%2001.pdf
risk analysis taking into account
- the nature of the processed data
- the applicable legal requirements
- the size of the organization
- the importance and the complexity of the information systems
- the extent of internal and external access to personal data
- the probability and the impact of the several risks
- the cost of the implementation of risk mitigating measures

24 Recommendation Belgian Privacy Commission
11 types of measures
- information security policy
- information security officer
- classification of information
- minimal organizational measures and measures related to staff
- physical security
- network security
- access control
- logging and investigation of logging
- supervision, audit and maintenance
- management of security incidents and continuity
- documentation

25 Notification of automatic processing
- the controller has to notify the supervisory authority before carrying out automatic processing operations intended to serve a single purpose or several related purposes
- notification can be extended by Member States to non-automatic processing operations
- minimal contents of the notification
  - name and address of the controller and of his representative
  - purpose(s) of the processing
  - categories of processed data and data subjects
  - (categories of) recipients
  - proposed data transfers to third countries
  - general description of the security measures

26 Notification of automatic processing
Member States may provide simplified notification or exemptions
- for categories of processing operations which are unlikely, taking account of the data to be processed, to affect adversely the rights and freedoms of data subjects
- for controllers that have appointed a personal data protection officer in compliance with the national law
- for processing operations whose sole purpose is the keeping of a public register
- for processing operations relating to their members or contact persons performed by a non-profit-seeking body with a political, philosophical or trade-union aim
Member States providing simplification of or exemption from notification for categories of processing operations that are unlikely to affect adversely the rights and freedoms of the data subjects have to specify
- the purposes of processing
- the (categories of) data undergoing processing
- the categor(y)(ies) of data subjects
- the (categories of) recipients
- the length of time the data are to be stored.
According to the national law, the personal data protection officer has to be responsible in particular for ensuring in an independent manner the internal application of the national provisions taken pursuant to the Directive and for keeping the register of processing operations carried out by the controller, containing the items of information to be contained in a notification to the supervisory authority.

27 Notification of automatic processing
- processing operations likely to present specific risks to the rights and freedoms of data subjects, as determined by national law, have to be examined prior to their start by the supervisory authority (in case of notification) or by the personal data protection official
- information contained in the notifications, possibly excepting the security measures, is stored in a public register kept by the supervisory authority
- controllers that are not subject to notification have to make available the same information, excepting the security measures, to any person on request
Recital (53): presenting specific risks can be by virtue of the nature, the scope or the purposes of the processing operations, such as that of excluding individuals from a right, benefit or a contract, or by virtue of the specific use of new technologies.

28 Rights of the data subject
- right of privacy protection
- right of information
  - access to the public register
  - in case of collection of data
  - in case of the recording or disclosure of data obtained elsewhere
- right of access
- right of rectification, erasure or blocking
- right to object
- right not to be subject to fully automated individual decisions
- right of a judicial remedy

29 Right of access
the data subject has the right to obtain from the controller, without constraint, at reasonable intervals and without excessive delay or expense
- confirmation as to whether or not data relating to him are being processed
- information at least about
  - the purposes of the processing
  - the categories of data
  - the (categories of) recipients
- communication of the data and any available information as to their source
- knowledge of the logic in case of an automated processing intended to evaluate certain personal aspects relating to him
Recital (41): the right to know the logic involved in the automatic processing of data must not adversely affect trade secrets or intellectual property and in particular the copyright protecting the software; these considerations must not, however, result in the data subject being refused all information.
Recital (42): Member States may for example specify that access to medical data may be obtained only through a health professional.

30 Right of rectification, erasure or blocking
- the data subject has the right to obtain from the controller the rectification, erasure or blocking of data the processing of which does not comply with the provisions of the directive (e.g. incomplete or inaccurate data)
- the controller has to notify any rectification, erasure or blocking to third parties to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort

31 Right to object
The data subject has the right to object
- in general, to the processing of data relating to him, at least where this processing is performed
  - for a task of public interest or official authority
  - for the purposes of legitimate interests of the controller that prevail over the interests for fundamental rights and freedoms of the data subject
  on compelling legitimate grounds relating to his particular situation; national law may provide exceptions
- in particular, to the processing, disclosure or use of data relating to him for the purposes of direct marketing, on simple request and free of charge

32 Automated individual decisions
every person is granted the right not to be subject to a decision which produces legal effects for him or significantly affects him and which is based solely on the automated processing of data intended to evaluate certain personal aspects, such as his performance at work, creditworthiness, reliability, conduct, ...
derogations are possible under certain circumstances
- in the course of the entering into or the performance of a contract
- or by law
providing measures to safeguard the data subject’s legitimate interests

33 Remedies, liability and sanctions
- administrative remedies, inter alia before an independent supervisory authority
- judicial remedies for any breach of the rights guaranteed by the national law applicable
- liability: right to compensation from the controller for the damage suffered as a result of an unlawful processing operation, unless the controller proves not to be responsible for the event giving rise to the damage
- sanctions
  - penal sanctions
  - interdiction to process personal data
Recital (55): the controller will not be responsible in particular in cases where he establishes fault on the part of the data subject or in case of force majeure.

34 Data transfer to third countries
- transfer of personal data intended to be processed may only take place to third countries ensuring an adequate level of protection
- the adequacy of the level of protection shall be assessed in the light of all circumstances surrounding the data transfer, such as
  - the nature of the data
  - the purpose and duration of the proposed processing
  - the country of origin and of final destination
  - the law, professional rules and security measures in force in the third country
- Member States and the Commission inform each other of cases where they consider that a third country does not ensure an adequate level of protection

35 Data transfer to third countries
- where the Commission finds that a third country ensures an adequate level of protection, Member States shall take the measures necessary to comply with the Commission's decision (e.g. Argentina, Canada, Switzerland)
- where the Commission finds that a third country does not ensure an adequate level of protection, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question
- if a problem of adequate protection in a third country exists, the Commission may enter into negotiations with that country in order to remedy the situation

36 Data transfer to third countries
a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection may take place in the following situations
- unambiguous consent of the data subject
- (pre)contractual relationship between the controller and the data subject
- (pre)contractual relationship between the controller and a third party in the interest of the data subject
- important public interest grounds (e.g. social security, tax, …)
- establishment, exercise or defence of legal claims
- protection of the vital interests of the data subject
- public registers
- adequate safeguards, e.g. resulting from contractual clauses

37 Specific case of the US
- the US uses a sectoral approach that relies on a mix of legislation, regulation and self-regulation
- the US is not considered by the European Commission as a third country having an adequate protection
- the US Department of Commerce, in consultation with the European Commission, developed a “safe harbor” framework (see
- individual companies certifying to the “safe harbor” framework are considered as companies providing an adequate level of protection as defined by the European Data protection directive

38 Specific case of the US
- an organization that decides to participate in the safe harbor must
  - comply with the safe harbor's requirements
  - self certify annually to the US Department of Commerce in writing that it agrees to adhere to the safe harbor's requirements
  - state in its published privacy policy statement that it adheres to the safe harbor
- the US Department of Commerce maintains a publicly available list of all organizations that file self certification letters
- to qualify for the safe harbor, an organization can join a self-regulatory privacy program that adheres to the safe harbor's requirements or develop its own self-regulatory privacy policy that conforms to the safe harbor requirements

39 Codes of conduct
- Member States and the EU shall encourage codes of conduct intended to contribute to the proper implementation of the principles of the directive, taking account of the specific features of the various sectors
- elaborated by trade associations or other bodies representing categories of controllers
- possibility to submit codes of conduct
  - on the national level to the supervisory authority
  - on EU level to the Working Party

40 Supervisory authorities
- each Member State has to appoint at least one independent public authority that monitors the application of the provisions adopted by the Member State pursuant to the directive
- powers of the supervisory authorities:
  - advice and recommendations concerning administrative measures or regulations
  - investigation
  - intervention (e.g. warning the controller, ordering the erasure of data, imposing a ban on processing, …)
  - engaging in legal proceedings
  - claims handling
  - public report

41 Working Party
composition:
- 1 representative of the supervisory authorities per Member State
- 1 representative of the supervisory authority of the EU
- 1 representative of the EU Commission
tasks:
- giving an opinion about
  - the application of national measures adopted under the directive, in order to contribute to the uniform application of the measures
  - the level of protection in the Community and third countries
  - proposed Community measures affecting rights and freedoms with regard to the processing of personal data
  - codes of conduct drawn up at Community level
- recommending on all matters relating to the protection of persons with regard to the processing of personal data
- publishing an annual report to the Commission, the European Parliament and the Council

42 Committee
composition:
- chaired by a representative of the Commission
- representatives of the Member States
task:
- giving an opinion on the draft of measures to be taken by the Commission
- if these measures are not in accordance with the opinion of the Committee, they are deferred for a period of three months and communicated to the Council
- the Council, acting by a qualified majority, may take a different decision within three months

43 An example: whistleblowing systems
fair and lawful processing
- clear description of
  - the procedures of reporting
  - the procedures of report handling
  - the possible consequences of pertinent and impertinent reports
  - the controller of the whistleblowing system
- no obligation to report
- in principle no anonymous reporting
- sufficiently precise reporting
- only reporting of facts, no value judgements
- designation of an independent person dedicated to handle the reports confidentially
- no communication of the identity of the informant without his consent
- in principle no communication about the report towards other instances than the data subject during the report handling

44 An example: whistleblowing systems
fair and lawful processing
- limiting of the scope of the whistleblowing system
  - only serious irregularities
  - whistleblowing schemes should only supplement an organisation’s regular information and reporting channels (e.g. normal hierarchic channels) where these would appear to be insufficient to detect and handle serious irregularities within the organisation
  - only reporting by or concerning personnel of the company
- reported information must be adequate, relevant and not excessive in relation to the purposes of the whistleblowing system
- reported information must not be kept longer than necessary
transparency
- obligation to provide adequate information about the whistleblowing scheme, the related procedures and the possible consequences, at collective and individual level

45 An example: whistleblowing systems
security
- separate processing of data
- guarantees related to integrity, authenticity, availability, confidentiality and irregular erasure
- auditability
- no transfer of whistleblowing data to non-EU countries unless an adequate level of protection exists and the transfer is strictly required
data subject rights of all persons concerned, concerning the data relating to each of them
- right of information
- right of access to data
- right of rectification
- right of erasure
prior notification of the whistleblowing scheme to the Privacy Commission

46 More info
- Belgian Privacy Commission
- European Data protection working party
- personal website
- Crossroads Bank for Social Security

47 Th@nk you ! Any questions ?
Frank Robben
