1 / 47

The role of privacy in the security landscape

The role of privacy in the security landscape. Frank Robben General manager Crossroads Bank for Social Security CEO Smals Sint-Pieterssteenweg 375 B-1040 Brussels E-mail: Frank.Robben@ksz.fgov.be Website: http://www.ksz.fgov.be

jcalloway
Download Presentation

The role of privacy in the security landscape

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. The role of privacyin the security landscape Frank Robben General managerCrossroads Bank for Social Security CEO Smals Sint-Pieterssteenweg 375 B-1040 Brussels E-mail: Frank.Robben@ksz.fgov.be Website: http://www.ksz.fgov.be Personal website: http://www.law.kuleuven.ac.be/icri/frobben

  2. Legal pillars of European Privacy Law • Treaty on the European Union, Title I - Common Provisions - Article F • the Union shall respect fundamental rights, • as guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms signed in Rome on 4 November 1950 • and as they result from the constitutional traditions common to the Member States, as general principles of Community law. • European Convention for the Protection of Human Rights and Fundamental Freedoms, Article 8 • everyone has the right to respect for his private and family life, his home and his correspondence. • there shall be no interference by a public authority with the exercise of this right (exceptions: e.g. national security)

  3. Legal pillars of European Privacy Law • Data protection directive • Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data • Directive on privacy and electronic communications • Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector

  4. European directive 95/46/EC • the two basic principles of the directive • scope of application and exemptions • key players • national law applicable • obligations of the controller • rights of the data subject • remedies, liability and sanctions • transfer of personal data to third countries • codes of conduct • supervisory authorities, working parties and committee • conclusion

  5. Two basic principles • equivalent and high protection of fundamental rights and freedoms of natural persons, in particular the right to privacy with respect to the processing of personal data within the EU • no restriction nor prohibition of the free flow of personal data between Member States for reasons connected with the protection of fundamental rights and freedoms

  6. Scope of application • processing • any operation or set of operations, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction • of personal data • any information • relating to an identified or identifiable • an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity • natural person • wholly or partly by automatic means • or otherwise than by automatic means if the data (are intended to) form part of a filing system • any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis

  7. Scope of application: exclusion • processing of personal data • in the course of an activity which falls outside the scope of Community law • and in any case to processing operations concerning public security, defence, State security and the activities of the State in areas of criminal law • by a natural person, in the course of activities of a purely personal or household activity

  8. Exemptions of some of the provisions • Member States shall provide for exemptions or derogations from the provisions concerning • the obligations of the controller • the rights of the data subject • the data transfer to third countries • the power of the supervisory authority • for the processing of personal data carried out solely for • journalistic purposes • the purpose of artistic or literary expression • if they are necessary to reconcile the right to privacy with the rules governing freedom of expression

  9. Exemptions of some of the provisions • Member States may adopt measures to restrict the scope of some obligations and rights when this is necessary to safeguard • national security, defence or public security • prevention, investigation, detection or prosecution of criminal offences or of breaches of ethics for regulated professions • an important economic or financial interest of a Member State or of the EU • a monitoring, inspection or regulatory function connected with the exercise of public authority in some cases • the protection of the data subject or of the rights and freedoms of others

  10. Exemptions of some of the provisions • Member States may restrict the rights of access, rectification, erasure and blocking • when data are processed solely for purposes of scientific research or are kept in personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics • where there is clearly no risk of breaching the privacy of the data subject • providing adequate safeguards, in particular that the data are not used for taking measures or decisions regarding any particular individual

  11. Key players • data subject • the natural person the personal data relate to • controller • the natural or legal person, public authority, agency or any other body • which alone or jointly determines the purposes and means of the processing of personal data • processor • any natural or legal person, public authority, agency or any other body • which processes data on behalf of the controller • e.g. personnel, IT service providers, network operators, ...

  12. National law applicable • the processing is carried out in the context of an establishment of a controller on its territory • the controller is not established on its territory, but in a place where its national law applies by virtue of international public law • the controller is not established on Community territory, but makes use of (automated) equipment for the processing of personal data situated on its territory, unless such equipment is used only for purposes of transit through the territory of the Community => controller must designate a representative established in the territory of that Member State Each Member State applies its national law to the processing of personal data where

  13. Obligations of the controller • principles relating to fair and lawful processing and data quality • criteria for making data processing legitimate • specific rules for processing of sensitive data • information to be given to the data subject • confidentiality and security of processing • notification of the processing of personal data

  14. Fair and lawful processing and data quality • fair and lawful processing • collection only for specified, explicit and legitimate purposes • no further processing in a way incompatible with those purposes • personal data must be adequate, relevant and not excessive in relation to those purposes • personal data must be accurate and kept up to date • personal data must not be kept longer than necessary for those purposes in a form which permits the identification of the data subject

  15. Legitimacy of the processing Processing of personal data is only legitimate in 6 cases • unambiguous consent of the data subject • (pre)contractual relationship with the data subject • compliance of a legal obligation to which the controller is subject • protection of the vital interests of the data subject • performance of a task of public interest or official authority • legitimate interests of the controller that prevail on the interests for fundamental rights and freedoms of the data subject

  16. Processing of sensitive data • processing of personal data revealing or concerning • racial or ethnic origin • political opinions • religious or philosophical beliefs • trade union membership • health • sexual life • is in principle prohibited

  17. Processing of sensitive data • Member States can provide that those sensitive data may be processed in a limitative number of cases • explicit consent of the data subject • carrying out of obligations and specific rights of the controller in the field of employment law • protection of vital interests of the data subject or another person • processing related solely to members or contact persons by a non-profit-seeking body with a political, philosophical or trade-union aim • data are manifestly made public by the data subject • establishment, exercise of defence of legal claims • preventive medicine, medical diagnosis, provision of care or treatment or management of health-care services, if the data are processed by a health professional • other reasons of substantial public interest

  18. Processing of sensitive data • data relating to offences, criminal convictions or security measures may only be processed under the control of official authorities or in execution of national provisions providing suitable specific safeguards • Member States have to determine the conditions under which a national identification number may be processed

  19. Informing the data subject • the controller or his representative must provide the data subject a minimum of information • when obtaining personal data from the data subject • when undertaking the recording or envisaging a disclosure to a third party of personal data that have not been obtained from the data subject • exceptions: • the data subject already has the information • informing the data subject in case of processing of data obtained from another person • proves impossible, in particular for processing for statistical purposes or purposes of historical or scientific research or • would involve disproportionate effort for the controller in particular for processing for statistical purposes or purposes of historical or scientific research or • is not necessary because the recording or disclosure is expressly laid down by law

  20. Informing the data subject • information to be given • identity of the controller and his representative, if any • the purposes of the processing • any further information necessary to guarantee fair processing in respect of the data subject such as • categories of processed data • (categories of) recipients • whether replies are obligatory or not, as well as the possible consequences of failure to reply • the existence of rights of access and rectification

  21. Confidentiality and security • no access to personal data except on instructions from the controller or if required by law • appropriate technical and organizational security measures • protection against • accidental or unlawful destruction • accidental loss • alteration • unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network • all other forms of unlawful processing • measures have to be appropriate • to the risks represented by the processing • and the nature of the data to be protected • having regard to the state of the art • and the cost of their implementation

  22. Confidentiality and security • where processing is carried out by a processor • the controller has to choose a processor guaranteeing sufficient technical and organizational security measures • the controller must ensure compliance of the processing with the security measures • the carrying out of the processing must be governed by a written contract or legal act stipulating in particular that • the processor shall act only on instructions from the controller • the security obligations shall also be incumbent on he processor

  23. Recommendation Belgian Privacy Commission • see http://www.privacycommission.be/machtigingen/ referenciemaatregelen%20vs%2001.pdf • risk analysis taking into account • the nature of the processed data • the applicable legal requirements • the size of the organization • the importance and the complexity of the information systems • the extent of internal and external access to personal data • the probability and the impact of the several risks • the cost of the implementation of risk mitigating measures

  24. Recommendation Belgian Privacy Commission • 11 types of measures • information security policy • information security officer • classification of information • minimal organizational measures and measures related to staff • physical security • network security • access control • logging and investigation of logging • supervision, audit and maintenance • management of security incidents and continuity • documentation

  25. Notification of automatic processing • the controller has to notify the supervisory authority before carrying out automatic processing operations intended to serve a single purpose or several related purposes • notification can be extended by Member States to non-automatic processing operations • minimal contents of the notification • name and address of the controller and of his representative • purpose(s) of the processing • categories of processed data and data subjects • (categories of) recipients • proposed data transfers to third countries • general description of the security measures

  26. Notification of automatic processing • Member States may provide simplified notific ation or exemptions • for categories of processing operations which are unlikely, taking account of the data to be processed, to affect adversely the rights and freedoms of data subjects • for controllers that have appointed a personal data protection officer in compliance with the national law • for processing operations whose sole purpose is the keeping of a public register • for processing operations relating to their members or contact persons performed by a non-profit-seeking body with a political, philosophical or trade-union aim

  27. Notification of automatic processing • processing operations likely to present specific risks to the rights and freedoms of data subjects as determined by national law have to be examined prior to their start by • the supervisory authority in case of notification or • the personal data protection official • information contained in the notifications, possibly excepting the security measures, is stored in a public register kept by the supervisory authority • the controllers that are not subject to notification have to make available the same information, excepting the security measures, to any person on request

  28. Rights of the data subject • right of privacy protection • right of information • access to the public register • in case of collection of data • in case of the recording or disclosure of data obtained elsewhere • right of access • right of rectification, erasure or blocking • right to object • right not to be subject to fully automated individual decisions • right of a judicial remedy

  29. Right of access • the data subject has the right to obtain from the controller without constraint, at reasonable intervals and without excessive delay or expense • confirmation as whether or not data relating to him are being processed • information at least about • the purposes of the processing • the categories of data • the (categories of) recipients • communication of the data and any available information as to their source • knowledge of the logic in case of an automated processing intended to evaluate certain personal aspects relating to him

  30. Right of rectification, erasure or blocking • the data subject has the right to obtain from the controller the rectification, erasure or blocking of data, the processing of which does not comply with the provisions of the directive (e.g. incomplete or inaccurate data) • the controller has to notify any rectification, erasure or blocking to third parties to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort

  31. Right to object The data subject has the right to object • in general to the processing of data relating to him • at least where this processing is performed • for a task of public interest or official authority • for the purposes of legitimate interests of the controller that prevail on the interests for fundamental rights and freedoms of the data subject • based on compelling legitimate grounds relating to his particular situation • national law may provide exceptions • in particular to the processing, disclosure or use of data relating to him for the purposes of direct marketing • on simple request • free of charge

  32. Automated individual decisions • every person is granted the right not to be subject to a decision which produces legal effects for him or significantly effects him and which is based solely on the automated processing of data intended to evaluate certain personal aspects, such as his performance at work, creditworthiness, reliability, conduct, ... • derogations are possible • under certain circumstances, in the course of the entering into or the performance of a contract or • by law providing measures to safeguard the data subject’s legitimate interests

  33. Remedies, liability and sanctions • remedies • administrative remedies, inter alia before an independent supervisory authority • judicial remedies • for any breach of the rights guaranteed by the national law applicable • liability • right to compensation from the controller for the damage suffered as a result of an unlawful processing operation, unless the controller proves not to be responsible for the event giving rise to the damage • sanctions • penal sanctions • interdiction to process personal data

  34. Data transfer to third countries • transfer of personal data intended to be processed may only take place to third countries ensuring an adequate level of protection • the adequacy of the level of protection shall be assessed in the light of all circumstances surrounding the data transfer, such as • the nature of the data • the purpose and duration of the proposed processing • the country of origin and of final destination • the law, professional rules and security measures in force in the third country • Member States and the Commission inform each other of cases where they consider that a third country does not ensure an adequate level of protection

  35. Data transfer to third countries • where the Commission finds that a third country ensures an adequate level of protection, Member States shall take the measures necessary to comply with the Commission's decision (e.g. Argentina, Canada, Switzerland) • where the Commission finds that a third country does not ensure an adequate level of protection, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question • if a problem of adequate protection in a third country exists, the Commission may enter into negotiations with that country in order to remedy the situation

  36. Data transfer to third countries • a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection may that place in the following situations • unambiguous consent of the data subject • (pre)contractual relationship between the controller and the data subject • (pre)contractual relationship between the controller and a third party in the interest of the data subject • important public interest grounds (e.g. social security, tax, …) • establishment, exercise or defence of legal claims • protection of the vital interests of the data subject • public registers • adequate safeguards, e.g. resulting from contractual clauses

  37. Specific case of the US • US uses a sectoral approach that relies on a mix of legislation, regulation and self-regulation • US is not being considered by the European Commission as a third country having an adequate protection • US Department of Commerce in consultation with the European Commission developed a “safe harbor” framework (see http://www.export.gov/safeharbor) • individual companies certifying to the “safe harbor” framework are considered as companies providing an adequate level of protection as defined by the European Data protection directive

  38. Specific case of the US • an organization that decides to participate in the safe harbor must • comply with the safe harbor's requirements • self certify annually to the US Department of Commerce in writing that it agrees to adhere to the safe harbor's requirements • state in its published privacy policy statement that it adheres to the safe harbor • the US Department of Commerce maintains a publicly availbale list of all organizations that file self certification letters • to qualify for the safe harbor, an organization can • join a self-regulatory privacy program that adheres to the safe harbor's requirements or • develop its own self regulatory privacy policy that conforms to the safe harbor requirements

  39. Codes of conduct • Member States and the EU shall encourage codes of conduct • intended to contribute to the proper implementation of the principles of the directive • taking account of the specific features of the various sectors • elaborated by trade associations or other bodies representing categories of controllers • possibility to submit codes of conduct • on the national level to the supervisory authority • on EU level to the Working Party

  40. Supervisory authorities • each Member State has to appoint at least one independent public authority that monitors the application of the provisions adopted by the Member State pursuant to the directive • powers of the supervisory authorities: • advice and recommendations concerning administrative measures or regulations • investigation • intervention (e.g. warning the controller, ordering the erasure of data, imposing a ban on processing,…) • engaging in legal proceedings • claims handling • public report

  41. Working Party • composition: • 1 representative of the supervisory authorities per Member State • 1 representative of the supervisory authority of the EU • 1 representative of the EU Commission • tasks • giving an opinion about • the application of national measures adopted under the directive in order to contribute to the uniform application of the measures • the level of protection in the Community and third countries • proposed Community measures affecting rights and freedoms with regard to the processing of personal data • codes of conduct drawn up at Community level • recommending on all matters relating to the protection of persons with regard to the processing of personal data • publishing an annual report to the Commission, the European Parliament and the Council

  42. Committee • composition: • chaired by a representative of the Commission • representatives of the Member States • task • giving an opinion on the draft of measures to be taken by the Commission • if these measures are not in accordance with the opinion of the Committee, they are deferred for a period of three months and communicated to the Council • the Council, acting by a qualified majority, may take a different decision within three months

  43. An example: whistleblowing systems • fair and lawful processing • clear description of • the procedures of reporting • the procedures of report handling • the possible consequences of pertinent and impertinent reports • the controller of the whistleblowing system • no obligation to report • in principle no anonymous reporting • sufficiently precise reporting • only reporting of facts, no value judgements • designation of an independent person dedicated to handle the reports confidentially • no communication of the identity of the informant without his consent • in principle no communication about the report towards other instances than the data subject during the report handling

  44. An example: whistleblowing systems • fair and lawful processing • limiting of the scope of the whistleblowing system • only serious irregularities • whistleblowing schemes should only supplement organisation’s regular information and reporting channels (e.g. normal hierarchic channels) where these would appear to be insufficient to detect and handle serious irregularities within the organisation • only reporting by of concerning personnel of the company • reported information must be adequate, relevant and not excessive in relation to the purposes of the whistleblowing system • reported information must not be kept longer than necessary • transparency • obligation to provide adequate information about the whistleblowing scheme, the related procedures and the possible consequences at collective and individual level

  45. An example: whistleblowing systems • security • separate processing of data • guarantees related to integrity, authenticity, availability, confidentiality and irregular erasure • auditability • no transfer of whistleblowing data to non-EU countries unless adequate level protection and strictly required • data subject rights of all persons concerned, concerning the data relating to each of them • right of information • right of access to data • right of rectification • right of erasure • prior notification of the whistleblowing scheme to the Privacy Commission

  46. More info • Belgian Privacy Commission http://www.privacycommission.be • European Data protection working party http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm?refer=true&theme=blue • personal website http://www.law.kuleuven.ac.be/icri/frobben • Crossroads Bank for Social Security http://www.ksz.fgov.be

  47. Th@nk you !Any questions ? Frank Robben

More Related