Data protection audit and data protection issues in the telecom sector. Dr. Katalin Egri, Legal advisor, Office of the Parliamentary Commissioner for Data Protection and Freedom of Information, 7-1-2009
Slide 1
Data protection audit and data protection issues in the telecom sector
Dr. Katalin Egri, Legal advisor
Office of the Parliamentary Commissioner for Data Protection and Freedom of Information
7-1-2009
Slide 2
Introduction
- Data protection audit: the merits of data protection audit
- EuroPriSe (European Privacy Seal): a special auditing project
- International Working Group on Data Protection in Telecommunications
Slide 3
Data protection audit
- Issues and interests of companies
- Foreign samples, methods and practices to be followed
- For a more effective operation: purposes can be reached without infringing the right to data protection or other personality rights, while serving the interests of the company at the same time
Slide 4
Data protection audit
- Data processing occurs in context with other legal relations and procedures
- It occurs within a comprehensive scheme where it serves a specific purpose
- The principle that data processing must be bound to a specific purpose is emphasised by Act LXIII of 1992 on the protection of personal data and public access to data of public interest (DPAct) and by the Constitution of the Republic of Hungary
Slide 5
Data protection audit
- Data protection audit may serve as a solution for complying with standards of adequate data protection
- Constructive approach: the basis for effective data protection
- Companies have realised its importance in complex strategies, complicated business processes and internal rules
Slide 6
Data protection audit
- Data protection audit is widespread and highly important in the European Union
- Legal background: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
- Strict requirements; all Member States have to comply with it in both the public and the private sector
- Data protection has a value: need for quality assurance and uniform standards
- In many countries, e.g. Germany, an act regulates the legal framework and methods, and the audit is performed with the assistance of the authority
Slide 7
Data protection audit
- In the scope of data security, the DPAct requires that the data controller take all technical and organisational measures and elaborate the rules of procedure necessary to enforce compliance with the Act and other rules pertaining to data protection and confidentiality (Art. 10)
- It obliges certain data controllers to appoint an internal data protection officer with a set scope of duties and to develop data protection and data security rules (Art. 31/A)
Slide 8
Data protection audit
- Audit may have significance when the number of data subjects is large and the scope of data processed is wide and varying
- Typical areas: electronic telecommunications, financial relations, employment, direct marketing, insurance; sensitive data are also processed
- A different kind of audit is necessary in the case of information security, where technical requirements prevail
Slide 9
Data protection audit
- Purposes of the data protection audit: complying with legal regulations and with the technical requirements of data security
- Data security and information security are required by the DPAct and are also in the interest of data subjects; analysing them requires special knowledge
- Interests of the company: information security, protection of business secrets, etc.
- Complying with legal regulations: its analysis also includes the observation of purposes and interests
- The aim of the audit is to give assurance that the data controlling complies with the law and to ensure conformity between effective operation and data protection and data security
Slide 10
Data protection audit
- There is no uniform method for data protection audit
- Guidelines may be: the Personal Data Protection Audit Framework of the European Committee for Standardization, EU Directive 95/46/EC
- Main areas to be dealt with in general:
  - specifying the target of the audit
  - choosing the person to perform the audit
  - specifying the method of the audit
  - overview of the areas and issues to be evaluated
  - results
  - follow-up
Slide 11
EuroPriSe European Privacy Seal
- The European Privacy Seal (EuroPriSe) project introduces a trans-European privacy seal issued by independent third parties, certifying compliance of IT products and IT-based services with European regulations on privacy and data security.
- The project aims to establish a European product audit certifying such compliance after the completion of a specific two-step procedure: an evaluation of the product or service by accepted legal and IT experts, and a cross-checking of the evaluation report by an accredited certification body.
Slide 12
EuroPriSe European Privacy Seal
EuroPriSe provides:
- a transparent procedure and reliable criteria to award a European Privacy Seal
- visibility that a product has been checked and approved by an independent privacy organisation, and thus an indication of a trustworthy product
- a privacy seal that at the same time fosters consumer protection and trust and provides a marketing incentive to manufacturers and vendors of privacy-relevant goods and services
Slide 13
EuroPriSe European Privacy Seal
EuroPriSe aims to establish:
- voluntary privacy certification valid throughout Europe
- a transparent, non-bureaucratic procedure and reliable criteria based on a catalogue of legal regulations, criteria, requirements, points of evaluation, basic issues, authorisation of data processing, and technical and organisational measures
- supervision by an independent third party
- visibility of privacy compliance, available for marketing
- comparability of products by short public reports
Slide 14
EuroPriSe European Privacy Seal
The EuroPriSe consortium is led by the Independent Centre for Privacy Protection Schleswig-Holstein (ICPP/ULD), Germany. The partners from 8 European countries include the data protection authorities of Madrid (Agencia de Protección de Datos de la Comunidad de Madrid) and France (Commission Nationale de l'Informatique et des Libertés, CNIL), the Austrian Academy of Sciences, London Metropolitan University from the UK, Borking Consultancy from the Netherlands, Ernst and Young AB from Sweden, TÜV Informationstechnik GmbH from Germany, and VaF s.r.o. from Slovakia.
Slide 15
EuroPriSe European Privacy Seal
The pilot project of EuroPriSe is financed by the European Commission, though the Commission has not decided whether to introduce the Seal uniformly. Since EuroPriSe specifies clear and high criteria at European level, its wider introduction will need a common opinion; the European Data Protection Supervisor and the Article 29 Working Party will also deal with this issue. Further information may be sought at the following link: www.european-privacy-seal.eu
Slide 16
International Working Group on Data Protection in Telecommunications
The Working Group was founded in 1983 in the framework of the International Conference of Data Protection and Privacy Commissioners at the initiative of the Berlin Commissioner for Data Protection, who has since then been chairing the Group. Since 1983 it has adopted numerous recommendations (Common Positions and Working Papers) aimed at improving the protection of privacy in telecommunications. Membership of the Group includes representatives from Data Protection Authorities and other bodies of national public administrations, international organisations and scientists from all over the world. The Group meets twice a year.
Slide 17
International Working Group on Data Protection in Telecommunications
The Group has in particular focused on the protection of privacy on the Internet since the 1990s. The latest papers of the Working Group cover the following issues, indicating the trends and main interests of data protection:
- Privacy in Social Network Services - 3./4.03.2008
- Cybercrime (a.k.a. Budapest Convention) - 3./4.03.2008
- Privacy Issues in the Distribution of Digital Media Content and Digital Television - 4./5.09.2007
- E-Ticketing in Public Transport - 4./5.09.2007
- Cross-Border Telemarketing - 12./13.04.2007
- Trusted Computing, Associated Digital Rights Management Technologies, and Privacy - Some issues for governments and software developers - 05./06.09.2006
- Online Availability of Electronic Health Records - 06./07.04.2006
Slide 18
Privacy in Social Network Services
A social network service focuses on the building and verifying of online social networks for communities of people who share interests and activities, or who are interested in exploring the interests and activities of others, and which necessitates the use of software. Most services are primarily web based and provide a collection of various ways for users to interact.
Risks for privacy and security:
- no oblivion on the Internet
- the misleading notion of community
- "free of charge" may in fact not be free
- traffic data collection
- giving away more personal information
- misuse of profile data by third parties
- further increased risks of identity theft
- use of a notoriously insecure infrastructure
- existing unsolved security problems of the Internet
Slide 19
Privacy in Social Network Services
Recommendations to regulators, providers and users of social network services:
- Introduce the option of a right to pseudonymous use
- Introduce an obligation of data breach notification
- Improve integration of privacy issues into the educational system
- Re-think the current regulatory framework with respect to controllership
- Transparent and open information of users
- Privacy-friendly default settings
- Improve user control over use of profile data
- Appropriate complaint handling mechanisms
- Improve and maintain security of information systems
- Offer encrypted connections for maintaining user profiles
Slide 20
Privacy in Social Network Services
Recommendations in particular to users:
- Be careful
- Think twice before using your real name in a profile
- Respect the privacy of others
- Be informed: e.g. who operates the service?
- Use privacy-friendly settings
- Use different identification data
- Use opportunities to control
- Pay attention to the activity of your children
Slide 21
International Working Group on Data Protection in Telecommunications
Berliner Beauftragter für Datenschutz und Informationsfreiheit
An der Urania 4-10, D-10787 Berlin
Tel.: +49 / 30 / 13889 0
Fax: +49 / 30 / 215 5050
E-Mail: [email protected]
Internet: http://www.berlin-privacy-group.org
Slide 22
Thank you for your attention!
Office of the Parliamentary Commissioner for Data Protection and Freedom of Information
www.obh.hu
H-1051 Budapest, Nádor u. 22
[email protected]
tel: 4757138
fax: 2693541
[email protected]