The role of privacy in the security landscape
Frank Robben
General manager Crossroads Bank for Social Security
CEO Smals
Sint-Pieterssteenweg 375
B-1040 Brussels
E-mail: [email protected]
Website: http://www.ksz.fgov.be
Personal website: http://www.law.kuleuven.ac.be/icri/frobben
Treaty on the European Union, Title I - Common Provisions - Article F
- the Union shall respect fundamental rights,
  • as guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms signed in Rome on 4 November 1950
  • and as they result from the constitutional traditions common to the Member States, as general principles of Community law.
European Convention for the Protection of Human Rights and Fundamental Freedoms, Article 8
- everyone has the right to respect for his private and family life, his home and his correspondence.
- there shall be no interference by a public authority with the exercise of this right (exceptions: e.g. national security)
3 23/03/2007 Frank Robben
Legal pillars of European Privacy Law
Data protection directive
- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Directive on privacy and electronic communications
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector
European directive 95/46/EC
the two basic principles of the directive
scope of application and exemptions
key players
national law applicable
obligations of the controller
rights of the data subject
remedies, liability and sanctions
transfer of personal data to third countries
codes of conduct
supervisory authorities, working parties and committee
conclusion
Two basic principles
equivalent and high protection of fundamental rights and freedoms of natural persons, in particular the right to privacy with respect to the processing of personal data within the EU
no restriction nor prohibition of the free flow of personal data between Member States for reasons connected with the protection of fundamental rights and freedoms
Scope of application
processing
- any operation or set of operations, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction
of personal data
- any information
- relating to an identified or identifiable natural person
  • an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity
wholly or partly by automatic means, or otherwise than by automatic means if the data (are intended to) form part of a filing system
- any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis
Scope of application: exclusion
processing of personal data
- in the course of an activity which falls outside the scope of Community law
- and in any case to processing operations concerning public security, defence, State security and the activities of the State in areas of criminal law
- by a natural person, in the course of a purely personal or household activity
Exemptions of some of the provisions
Member States shall provide for exemptions or derogations from the provisions concerning
- the obligations of the controller
- the rights of the data subject
- the data transfer to third countries
- the power of the supervisory authority
for the processing of personal data carried out solely for
- journalistic purposes
- the purpose of artistic or literary expression
if they are necessary to reconcile the right to privacy with the rules governing freedom of expression
Exemptions of some of the provisions
Member States may adopt measures to restrict the scope of some obligations and rights when this is necessary to safeguard
- national security, defence or public security
- prevention, investigation, detection or prosecution of criminal offences or of breaches of ethics for regulated professions
- an important economic or financial interest of a Member State or of the EU
- a monitoring, inspection or regulatory function connected with the exercise of public authority in some cases
- the protection of the data subject or of the rights and freedoms of others
Exemptions of some of the provisions
Member States may restrict the rights of access, rectification, erasure and blocking
- when data are processed solely for purposes of scientific research or are kept in personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics
- where there is clearly no risk of breaching the privacy of the data subject
- providing adequate safeguards, in particular that the data are not used for taking measures or decisions regarding any particular individual
Key players
data subject
- the natural person the personal data relate to
controller
- the natural or legal person, public authority, agency or any other body
- which alone or jointly determines the purposes and means of the processing of personal data
processor
- any natural or legal person, public authority, agency or any other body
- which processes data on behalf of the controller
- e.g. personnel, IT service providers, network operators, ...
National law applicable
Each Member State applies its national law to the processing of personal data where
- the processing is carried out in the context of an establishment of a controller on its territory
- the controller is not established on its territory, but in a place where its national law applies by virtue of international public law
- the controller is not established on Community territory, but makes use of (automated) equipment for the processing of personal data situated on its territory, unless such equipment is used only for purposes of transit through the territory of the Community => controller must designate a representative established in the territory of that Member State
Obligations of the controller
principles relating to fair and lawful processing and data quality
criteria for making data processing legitimate
specific rules for processing of sensitive data
information to be given to the data subject
confidentiality and security of processing
notification of the processing of personal data
Fair and lawful processing and data quality
fair and lawful processing
collection only for specified, explicit and legitimate purposes
no further processing in a way incompatible with those purposes
personal data must be adequate, relevant and not excessive in relation to those purposes
personal data must be accurate and kept up to date
personal data must not be kept longer than necessary for those purposes in a form which permits the identification of the data subject
Legitimacy of the processing
Processing of personal data is only legitimate in 6 cases
- unambiguous consent of the data subject
- (pre)contractual relationship with the data subject
- compliance with a legal obligation to which the controller is subject
- protection of the vital interests of the data subject
- performance of a task of public interest or official authority
- legitimate interests of the controller that prevail over the interests for fundamental rights and freedoms of the data subject
Processing of sensitive data
processing of personal data revealing or concerning
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- health
- sexual life
is in principle prohibited
Processing of sensitive data
Member States can provide that those sensitive data may be processed in a limitative number of cases
- explicit consent of the data subject
- carrying out of obligations and specific rights of the controller in the field of employment law
- protection of vital interests of the data subject or another person
- processing related solely to members or contact persons by a non-profit-seeking body with a political, philosophical or trade-union aim
- data are manifestly made public by the data subject
- establishment, exercise or defence of legal claims
- preventive medicine, medical diagnosis, provision of care or treatment or management of health-care services, if the data are processed by a health professional
- other reasons of substantial public interest
Processing of sensitive data
data relating to offences, criminal convictions or security measures may only be processed under the control of official authorities or in execution of national provisions providing suitable specific safeguards
Member States have to determine the conditions under which a national identification number may be processed
Informing the data subject
the controller or his representative must provide the data subject a minimum of information
- when obtaining personal data from the data subject
- when undertaking the recording or envisaging a disclosure to a third party of personal data that have not been obtained from the data subject
exceptions:
- the data subject already has the information
- informing the data subject in case of processing of data obtained from another person
  • proves impossible, in particular for processing for statistical purposes or purposes of historical or scientific research or
  • would involve disproportionate effort for the controller, in particular for processing for statistical purposes or purposes of historical or scientific research or
  • is not necessary because the recording or disclosure is expressly laid down by law
Informing the data subject
information to be given
- identity of the controller and his representative, if any
- the purposes of the processing
- any further information necessary to guarantee fair processing in respect of the data subject, such as
  • categories of processed data
  • (categories of) recipients
  • whether replies are obligatory or not, as well as the possible consequences of failure to reply
  • the existence of rights of access and rectification
Confidentiality and security
no access to personal data except on instructions from the controller or if required by law
appropriate technical and organizational security measures
- protection against
  • accidental or unlawful destruction
  • accidental loss
  • alteration
  • unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network
  • all other forms of unlawful processing
- measures have to be appropriate
  • to the risks represented by the processing
  • and the nature of the data to be protected
  • having regard to the state of the art
  • and the cost of their implementation
Confidentiality and security
where processing is carried out by a processor
- the controller has to choose a processor guaranteeing sufficient technical and organizational security measures
- the controller must ensure compliance of the processing with the security measures
- the carrying out of the processing must be governed by a written contract or legal act stipulating in particular that
  • the processor shall act only on instructions from the controller
  • the security obligations shall also be incumbent on the processor
Recommendation Belgian Privacy Commission
see http://www.privacycommission.be/machtigingen/referenciemaatregelen%20vs%2001.pdf
risk analysis taking into account
- the nature of the processed data
- the applicable legal requirements
- the size of the organization
- the importance and the complexity of the information systems
- the extent of internal and external access to personal data
- the probability and the impact of the several risks
- the cost of the implementation of risk mitigating measures
11 types of measures
- information security policy
- information security officer
- classification of information
- minimal organizational measures and measures related to staff
- physical security
- network security
- access control
- logging and investigation of logging
- supervision, audit and maintenance
- management of security incidents and continuity
- documentation
Notification of automatic processing
the controller has to notify the supervisory authority before carrying out automatic processing operations intended to serve a single purpose or several related purposes
notification can be extended by Member States to non-automatic processing operations
minimal contents of the notification
- name and address of the controller and of his representative
- purpose(s) of the processing
- categories of processed data and data subjects
- (categories of) recipients
- proposed data transfers to third countries
- general description of the security measures
Notification of automatic processing
Member States may provide simplified notification or exemptions
- for categories of processing operations which are unlikely, taking account of the data to be processed, to affect adversely the rights and freedoms of data subjects
- for controllers that have appointed a personal data protection officer in compliance with the national law
- for processing operations whose sole purpose is the keeping of a public register
- for processing operations relating to their members or contact persons performed by a non-profit-seeking body with a political, philosophical or trade-union aim
Notification of automatic processing
processing operations likely to present specific risks to the rights and freedoms of data subjects as determined by national law have to be examined prior to their start by
- the supervisory authority in case of notification or
- the personal data protection official
information contained in the notifications, possibly excepting the security measures, is stored in a public register kept by the supervisory authority
the controllers that are not subject to notification have to make available the same information, excepting the security measures, to any person on request
Rights of the data subject
right of privacy protection
right of information
- access to the public register
- in case of collection of data
- in case of the recording or disclosure of data obtained elsewhere
right of access
right of rectification, erasure or blocking
right to object
right not to be subject to fully automated individual decisions
right of a judicial remedy
Right of access
the data subject has the right to obtain from the controller without constraint, at reasonable intervals and without excessive delay or expense
- confirmation as to whether or not data relating to him are being processed
- information at least about
  • the purposes of the processing
  • the categories of data
  • the (categories of) recipients
- communication of the data and any available information as to their source
- knowledge of the logic in case of an automated processing intended to evaluate certain personal aspects relating to him
Right of rectification, erasure or blocking
the data subject has the right to obtain from the controller the rectification, erasure or blocking of data, the processing of which does not comply with the provisions of the directive (e.g. incomplete or inaccurate data)
the controller has to notify any rectification, erasure or blocking to third parties to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort
Right to object
The data subject has the right to object
in general to the processing of data relating to him
- at least where this processing is performed
  • for a task of public interest or official authority
  • for the purposes of legitimate interests of the controller that prevail over the interests for fundamental rights and freedoms of the data subject
- based on compelling legitimate grounds relating to his particular situation
- national law may provide exceptions
in particular to the processing, disclosure or use of data relating to him for the purposes of direct marketing
- on simple request
- free of charge
Automated individual decisions
every person is granted the right not to be subject to a decision which produces legal effects for him or significantly affects him and which is based solely on the automated processing of data intended to evaluate certain personal aspects, such as his performance at work, creditworthiness, reliability, conduct, ...
derogations are possible
- under certain circumstances, in the course of the entering into or the performance of a contract or
- by law providing measures to safeguard the data subject's legitimate interests
Remedies, liability and sanctions
remedies
- administrative remedies, inter alia before an independent supervisory authority
- judicial remedies
- for any breach of the rights guaranteed by the national law applicable
liability
- right to compensation from the controller for the damage suffered as a result of an unlawful processing operation, unless the controller proves not to be responsible for the event giving rise to the damage
sanctions
- penal sanctions
- interdiction to process personal data
Data transfer to third countries
transfer of personal data intended to be processed may only take place to third countries ensuring an adequate level of protection
the adequacy of the level of protection shall be assessed in the light of all circumstances surrounding the data transfer, such as
- the nature of the data
- the purpose and duration of the proposed processing
- the country of origin and of final destination
- the law, professional rules and security measures in force in the third country
Member States and the Commission inform each other of cases where they consider that a third country does not ensure an adequate level of protection
Data transfer to third countries
where the Commission finds that a third country ensures an adequate level of protection, Member States shall take the measures necessary to comply with the Commission's decision (e.g. Argentina, Canada, Switzerland)
where the Commission finds that a third country does not ensure an adequate level of protection, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question
if a problem of adequate protection in a third country exists, the Commission may enter into negotiations with that country in order to remedy the situation
Data transfer to third countries
a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection may take place in the following situations
- unambiguous consent of the data subject
- (pre)contractual relationship between the controller and the data subject
- (pre)contractual relationship between the controller and a third party in the interest of the data subject
- important public interest grounds (e.g. social security, tax, …)
- establishment, exercise or defence of legal claims
- protection of the vital interests of the data subject
- public registers
- adequate safeguards, e.g. resulting from contractual clauses
Specific case of the US
US uses a sectoral approach that relies on a mix of legislation, regulation and self-regulation
the US is not considered by the European Commission as a third country ensuring an adequate level of protection
US Department of Commerce in consultation with the European Commission developed a “safe harbor” framework (see http://www.export.gov/safeharbor)
individual companies certifying to the “safe harbor” framework are considered as companies providing an adequate level of protection as defined by the European Data protection directive
Specific case of the US
an organization that decides to participate in the safe harbor must
- comply with the safe harbor's requirements
- self certify annually to the US Department of Commerce in writing that it agrees to adhere to the safe harbor's requirements
- state in its published privacy policy statement that it adheres to the safe harbor
the US Department of Commerce maintains a publicly available list of all organizations that file self certification letters
to qualify for the safe harbor, an organization can
- join a self-regulatory privacy program that adheres to the safe harbor's requirements or
- develop its own self regulatory privacy policy that conforms to the safe harbor requirements
Codes of conduct
Member States and the EU shall encourage codes of conduct
- intended to contribute to the proper implementation of the principles of the directive
- taking account of the specific features of the various sectors
- elaborated by trade associations or other bodies representing categories of controllers
possibility to submit codes of conduct
- on the national level to the supervisory authority
- on EU level to the Working Party
Supervisory authorities
each Member State has to appoint at least one independent public authority that monitors the application of the provisions adopted by the Member State pursuant to the directive
powers of the supervisory authorities:
- advice and recommendations concerning administrative measures or regulations
- investigation
- intervention (e.g. warning the controller, ordering the erasure of data, imposing a ban on processing, …)
- engaging in legal proceedings
- claims handling
- public report
Working Party
composition:
- 1 representative of the supervisory authorities per Member State
- 1 representative of the supervisory authority of the EU
- 1 representative of the EU Commission
tasks
- giving an opinion about
  • the application of national measures adopted under the directive in order to contribute to the uniform application of the measures
  • the level of protection in the Community and third countries
  • proposed Community measures affecting rights and freedoms with regard to the processing of personal data
  • codes of conduct drawn up at Community level
- recommending on all matters relating to the protection of persons with regard to the processing of personal data
- publishing an annual report to the Commission, the European Parliament and the Council
Committee
composition:
- chaired by a representative of the Commission
- representatives of the Member States
task
- giving an opinion on the draft of measures to be taken by the Commission
- if these measures are not in accordance with the opinion of the Committee, they are deferred for a period of three months and communicated to the Council
- the Council, acting by a qualified majority, may take a different decision within three months
An example: whistleblowing systems
fair and lawful processing
- clear description of
  • the procedures of reporting
  • the procedures of report handling
  • the possible consequences of pertinent and impertinent reports
  • the controller of the whistleblowing system
- no obligation to report
- in principle no anonymous reporting
- sufficiently precise reporting
- only reporting of facts, no value judgements
- designation of an independent person dedicated to handle the reports confidentially
  • no communication of the identity of the informant without his consent
  • in principle no communication about the report towards other instances than the data subject during the report handling
An example: whistleblowing systems
fair and lawful processing
- limiting of the scope of the whistleblowing system
  • only serious irregularities
  • whistleblowing schemes should only supplement the organisation's regular information and reporting channels (e.g. normal hierarchic channels) where these would appear to be insufficient to detect and handle serious irregularities within the organisation
- only reporting by or concerning personnel of the company
- reported information must be adequate, relevant and not excessive in relation to the purposes of the whistleblowing system
- reported information must not be kept longer than necessary
transparency
- obligation to provide adequate information about the whistleblowing scheme, the related procedures and the possible consequences at collective and individual level
An example: whistleblowing systems
security
- separate processing of data
- guarantees related to integrity, authenticity, availability, confidentiality and irregular erasure
- auditability
- no transfer of whistleblowing data to non-EU countries unless an adequate level of protection is ensured and the transfer is strictly required
data subject rights of all persons concerned, concerning the data relating to each of them
- right of information
- right of access to data
- right of rectification
- right of erasure
prior notification of the whistleblowing scheme to the Privacy Commission
More info
Belgian Privacy Commission
http://www.privacycommission.be
European Data protection working party
http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm?refer=true&theme=blue
personal website
http://www.law.kuleuven.ac.be/icri/frobben
Crossroads Bank for Social Security
http://www.ksz.fgov.be