SlideShare a Scribd company logo

2013 02 22_w_wiewiorowski_epsi

ePSI Platform
ePSI Platform
1 of 30
Download to read offline
“PRIVACY AND OPEN DATA. SIAMESE TWINS OR MORTAL ENEMIES?” 2013 ePSI “Gotcha! – getting everyone on board” Warsaw, February 22, 2013 WOJCIECH WIEWIÓROWSKI PhD University of Gdańsk, Faculty of Law and Administration Inspector General for Personal Data Protection, Poland Generalny Inspektor Ochrony Danych Osobowych ul. Stawki 2, 00-193 Warszawa www.giodo.gov.pl Warsaw, February 22nd, 2012 kancelaria@giodo.gov.pl
www.giodo.gov.pl © M. Narojek for GIODO 2011
PROFILING “Profile” refers to a set of data characterising a category of individuals that is intended to be applied to an individual. “Profiling” means an automatic data processing technique that consists of applying a “profile” to an individual, namely in order to take decisions concerning him or her; or for analysing or predicting personal preferences, behaviours and attitudes. Warsaw, February 22nd, 2012 www.giodo.gov.pl
www.giodo.gov.pl
www.giodo.gov.pl
PROFILING “Profile” refers to a set of data characterising a category of individuals that is intended to be applied to an individual. “Profiling” means an automatic data processing technique that consists of applying a “profile” to an individual, namely in order to take decisions concerning him or her; or for analysing or predicting personal preferences, behaviours and attitudes. Warsaw, February 22nd, 2012 www.giodo.gov.pl
PROFILING Building profiles according to Group of Art. 29 There are two main approaches to building user profiles: i) Predictive profiles are established by inference from observing individual and collective user behaviour over time, particularly by monitoring visited pages and ads viewed or clicked on. ii) Explicit profiles are created from personal data that data subjects themselves provide to a web service, such as by registering. Both approaches can be combined. Additionally, predictive profiles may be made explicit at a later time, when a data subject creates login credentials for a website. Opinion of Art. 29 WP, 2/2010 on behavioural advertising adopted on June 22 , 2010, page 8 Warsaw, February 22nd, 2012 www.giodo.gov.pl
PROFILING Profiling is generaly used in order to 1. get a sociologic and psycologic assessment of the client 2. discover material and social status of the client 3. create sugestions and strategies to be used in marketing activities I would accept such explanation of profiling for marketing purposes …. but ….. ….. This is a thesis of FBI experts on criminal profiling. I have just exchanged notions ”ofender” v. ”client” and ”investigation” v. ”marketing activites”  R. M. Holmes, S.T. Holmes: Profiling Violent Crimes: An Investigative Tool , 4th Ed.,Thousand Oaks: Sage Publications, Inc. 2008 Warsaw, February 22nd, 2012 www.giodo.gov.pl
© M. Narojek for GIODO 2011 www.giodo.gov.pl
PUBLIC RESOURCES Information is gathered by public sector entities for the purposes which are inline with the constitutional principle of Article 7: ”The organs of public authority shall function on the basis of, and within the limits of, the law”. This information is transfered to the entities who can use the same information to the purposes they were not collected for. Do we need to agree that our personal data will become public sector information and they will be „re-usable” according to EU law ? Can they be used in order to create our peronal profile. Warsaw, February 22nd, 2012 www.giodo.gov.pl
www.giodo.gov.pl
www.giodo.gov.pl
PUBLIC RESOURCES Taking in to consideration that data from public registers can be treated as the public sector information, we should be used to the fact, that data from formally public land and mortgage register can be re-used and combined with: - INSPIRE registers and databases, - physical and urban planning documents, - registers of legal persons, associations etc., - statistical registers (REGON, TERYT in Poland), - public offers for debt trading purposes, - property statements of state officers (not only politicians but also public kindergarten and library managers) - client data possessed by profiling entity Warsaw, February 22nd, 2012 www.giodo.gov.pl
INFORMATION INFRASTRUCTURE OF THE STATE Classic definition of state by Georg Jellinek (1851-1911), The state shell have: • teritory, • citizens • powers (today – law ). Information infrastructure of the state: 1) The resources explaining how the state looks like (geospatial information), who resides in the state and which organisations (eg. legal persons) exist, as well as the information what are the authorities and which law is in force. GIS + registers + legal information-retriaval systems 2) The system consisting of institutions, entities, resources and ICT systems and technologies which are the basis for the existing social (including legal), political and economic relations. J. Oleński, Infrastruktura informacyjna państwa w globalnej gospodarce, Warsaw 2006 p. 270-272. Warsaw, February 22nd, 2012 www.giodo.gov.pl
INFORMATION INFRASTRUCTURE OF THE STATE • norms on information, • information resources • ICT systems, • information institutions • organisations • technical equipement supporting gathering, processing and transfer of information Warsaw, February 22nd, 2012 www.giodo.gov.pl
Re-use in the new style 2. This Directive shall not apply to: […] (c) documents which are excluded from access by virtue of the access regimes in the Member States, including on the grounds of: – the protection of national security (i.e. State security), defence, or public security, – statistical or commercial confidentiality; (d) documents held by public service broadcasters and their subsidiaries, and by other bodies or their subsidiaries for the fulfilment of a public service broadcasting remit; (e) documents held by educational and research establishments, such as [schools, universities, archives, libraries and] research facilities including, where relevant, organisations established for the transfer of research results, schools and universities (except university libraries in respect of documents other than research documents protected by third party intellectual property rights) and (f) documents held by cultural establishments other than libraries, museums and archives. Warsaw, February 22nd, 2012 www.giodo.gov.pl
Re-use in the new style Article 3 General principle 1. Subject to paragraph (2) Member States shall ensure that documents referred to in Article 1 shall be re-usable for commercial or non-commercial purposes in accordance with the conditions set out in Chapters III and IV. 2. For documents for which libraries (including university libraries), museums and archives have intellectual property rights, Member States shall ensure that, where the re-use of documents is allowed, these documents shall be re-usable for commercial or non-commercial purposes in accordance with the conditions set out in Chapters III and IV. Warsaw, February 22nd, 2012 www.giodo.gov.pl
Document • This Directive lays down a generic definition of the term "document", in line with developments in the information society. • It covers any representation of acts, facts or information – and any compilation of such acts, facts or information – whatever its medium (written on paper, or stored in electronic form or as a sound, visual or audiovisual recording), held by public sector bodies. A document held by a public sector body is a document where the public sector body has the right to authorise re-use. Warsaw, February 22nd, 2012 www.giodo.gov.pl
CONSTUTUTION OF THE REPUBLIC OF POLAND (ARTICLE 51) • No one may be obliged, except on the basis of statute, to disclose information concerning his person. • Public authorities shall not acquire, collect or make accessible information on citizens other than that which is necessary in a democratic state ruled by law. • Everyone shall have a right of access to official documents and data collections concerning him. Limitations upon such rights may be established by statute. • Everyone shall have the right to demand the correction or deletion of untrue or incomplete information, or information acquired by means contrary to statute. • Principles and procedures for collection of and access to information shall be specified by statute Warsaw, February 22nd, 2012 www.giodo.gov.pl
DRAFT OF THE NEW EU REGULATION Article 20 Measures based on profiling 1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour. 2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing: (a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or (b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or (c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards. Warsaw, February 22nd, 2012 www.giodo.gov.pl
DRAFT OF THE NEW EU REGULATION Article 20 Measures based on profiling 3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely on the special categories of personal data referred to in Article 9. 4. In the cases referred to in paragraph 2, the information to be provided by the controller under Article 14 shall include information as to the existence of processing for a measure of the kind referred to in paragraph 1 and the envisaged effects of such processing on the data subject. 5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for suitable measures to safeguard the data subject's legitimate interests referred to in paragraph 2. Warsaw, February 22nd, 2012 www.giodo.gov.pl
COUNCIL OF EUROPE AND PROFILING Recommendation CM/Rec(2010)13 of the Committee of Ministers to member states on the protection of individuals with regard to automatic processing of personal data in the context of profiling Adopted by the Committee of Ministers on 23 November 2010 at the 1099th meeting of the Ministers’ Deputies Warsaw, February 22nd, 2012 www.giodo.gov.pl
COUNCIL OF EUROPE AND PROFILING 4. Information. 4.1. Where personal data are collected in the context of profiling, the controller should provide the data subjects with the following information: a. that their data will be used in the context of profiling; b. the purposes for which the profiling is carried out; c. the categories of personal data used; d. the identity of the controller and, if necessary, her or his representative; e. the existence of appropriate safeguards; Warsaw, February 22nd, 2012 www.giodo.gov.pl
COUNCIL OF EUROPE AND PROFILING 4. Information. (…) Where personal data are collected in the context of profiling, the controller should provide the data subjects with the following information: (…) f. all information that is necessary for guaranteeing the fairness of recourse to profiling, such as: - the categories of persons or bodies to whom or to which the personal data may be communicated, and the purposes for doing so; - the possibility, where appropriate, for the data subjects to refuse or withdraw consent and the consequences of withdrawal; - the conditions of exercise of the right of access, objection or correction, as well as the right to bring a complaint before the competent authorities; - the persons from whom or bodies from which the personal data are or will be collected; - the compulsory or optional nature of the reply to the questions used for personal data collection and the consequences for the data subjects of not replying; - the duration of storage; - the envisaged effects of the attribution of the profile to the data subject. Warsaw, February 22nd, 2012 www.giodo.gov.pl
COUNCIL OF EUROPE AND PROFILING 4. Information. (…) 4.2. Where the personal data are collected from the data subject, the controller should provide the data subject with the information listed in Principle 4.1 at the latest at the time of collection. 4.3. Where personal data are not collected from data subjects, the controller should provide the data subjects with the information listed in Principle 4.1 as soon as the personal data are recorded or, if it is planned to communicate the personal data to a third party, at the latest when the personal data are first communicated. 4.4. Where the personal data are collected without the intent of applying profiling methods and are processed further in the context of profiling, the controller should have to provide the same information as that foreseen under Principle 4.1. (…) Warsaw, February 22nd, 2012 www.giodo.gov.pl
COUNCIL OF EUROPE AND PROFILING 5. Rights of data subjects 5.1. The data subject who is being, or has been, profiled should be entitled to obtain from the controller, at her or his request, within a reasonable time and in an understandable form, information concerning: a. her or his personal data; b. the logic underpinning the processing of her or his personal data and that was used to attribute a profile to her or him, at least in the case of an automated decision; c. the purposes for which the profiling was carried out and the categories of persons to whom or bodies to which the personal data may be communicated. 5.2. Data subjects should be entitled to secure correction, deletion or blocking of their personal data, as the case may be, where profiling in the course of personal data processing is performed contrary to the provisions of domestic law which enforce the principles set out in this recommendation. 5.3. Unless the law provides for profiling in the context of personal data processing, the data subject should be entitled to object, on compelling legitimate grounds relating to her or his situation, to the use of her or his personal data for profiling. Where there is justified objection, the profiling should no longer involve the use of the personal data of the data subject. Where the purpose of the processing is direct marketing, the data subject does not have to present any justification. Warsaw, February 22nd, 2012 www.giodo.gov.pl
COUNCIL OF EUROPE AND PROFILING 5. Rights of data subjects (…) 5.4. If there are any grounds for restricting the rights set out in this section in accordance with Section 6, this decision should be communicated to the data subject by any means that allows it to be put on record, with a mention of the legal and factual reasons for such a restriction. This mention may be omitted when a reason exists which endangers the aim of the restriction. In such cases, information should be given to the data subject on how to challenge this decision before the competent national supervisory authority, a judicial authority or a court. 5.5. Where a person is subject to a decision having legal effects concerning her or him, or significantly affecting her or him, taken on the sole basis of profiling, she or he should be able to object to the decision unless: a. this is provided for by law, which lays down measures to safeguard data subjects’ legitimate interests, particularly by allowing them to put forward their point of view; b. the decision was taken in the course of the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the request of the data subject and that measures for safeguarding the legitimate interests of the data subject are in place. Warsaw, February 22nd, 2012 www.giodo.gov.pl
PRIVACY BY DESIGN Privacy by Design Resolution 27-29 October 2010, Jerusalem, Israel 32nd International Conference of Data Protection and Privacy Commissioners Privacy by Design: The 7 Foundational Principles 1. Proactive not Reactive; Preventative not Remedial 2. Privacy as the Default Setting 3. Privacy Embedded into Design 4. Full Functionality: Positive-Sum, not Zero-Sum 5. End-to-End Security — Full Lifecycle Protection 6. Visibility and Transparency — Keep it Open 7. Respect for User Privacy — Keep it User-Centric Warsaw, February 22nd, 2012 www.giodo.gov.pl
PRIVACY IMPACT ASSESSMENT • A Privacy Impact Assessment (PIA) is a process whereby a conscious and systematic effort is made to assess the privacy and data protection impacts of a specific actions with the view of taking appropriate actions to prevent or at least minimise those impacts. • A PIA Report is the document resulting from the PIA Process that is made available to competent authorities. Proprietary and security sensitive information may be removed from PIA Reports before the Reports are provided externally (e.g., to the competent authorities) as long as the information is not specifically pertinent to privacy and data protection implications. The manner in which the PIA should be made available (e.g., upon request or not) will be determined by member states. In particular, the use of special categories of data may be taken into account, as well as other factors such as the presence of a data protection officer. • PIA Templates may be developed based on the Framework to provide industry-based, application-based, or other specific formats for PIAs and resulting PIA Reports. Warsaw, February 22nd, 2012 www.giodo.gov.pl
THANK YOU FOR YOUR ATTENTION ! desiwm@giodo.gov.pl http://edugiodo.giodo.gov.pl www.giodo.gov.pl

Recommended

Key principles for data protection & lawful protection in GDPR
Key principles for data protection & lawful protection in GDPRKey principles for data protection & lawful protection in GDPR
Key principles for data protection & lawful protection in GDPRDr. Marinos Papadopoulos
 
TDM of National Libraries in the EU.pptx
TDM of National Libraries in the EU.pptxTDM of National Libraries in the EU.pptx
TDM of National Libraries in the EU.pptxDr. Marinos Papadopoulos
 
Sovereignty: the state of data
Sovereignty: the state of dataSovereignty: the state of data
Sovereignty: the state of datadan hyde
 
Caring control or controlling care? Double bind facilitated by biometrics bet...
Caring control or controlling care? Double bind facilitated by biometrics bet...Caring control or controlling care? Double bind facilitated by biometrics bet...
Caring control or controlling care? Double bind facilitated by biometrics bet...Ahmad Altamimi
 
Jjb e psi warsaw
Jjb e psi warsawJjb e psi warsaw
Jjb e psi warsawePSI Platform
 
Transport Data Byrd
Transport Data ByrdTransport Data Byrd
Transport Data ByrdePSI Platform
 
E psi 22nd of february_warsaw_2013
E psi 22nd of february_warsaw_2013E psi 22nd of february_warsaw_2013
E psi 22nd of february_warsaw_2013ePSI Platform
 
Iicensing open data
Iicensing open dataIicensing open data
Iicensing open dataePSI Platform
 

Recommended

Key principles for data protection & lawful protection in GDPR
Key principles for data protection & lawful protection in GDPRKey principles for data protection & lawful protection in GDPR
Key principles for data protection & lawful protection in GDPRDr. Marinos Papadopoulos
 
TDM of National Libraries in the EU.pptx
TDM of National Libraries in the EU.pptxTDM of National Libraries in the EU.pptx
TDM of National Libraries in the EU.pptxDr. Marinos Papadopoulos
 
Sovereignty: the state of data
Sovereignty: the state of dataSovereignty: the state of data
Sovereignty: the state of datadan hyde
 
Caring control or controlling care? Double bind facilitated by biometrics bet...
Caring control or controlling care? Double bind facilitated by biometrics bet...Caring control or controlling care? Double bind facilitated by biometrics bet...
Caring control or controlling care? Double bind facilitated by biometrics bet...Ahmad Altamimi
 
Jjb e psi warsaw
Jjb e psi warsawJjb e psi warsaw
Jjb e psi warsawePSI Platform
 
Transport Data Byrd
Transport Data ByrdTransport Data Byrd
Transport Data ByrdePSI Platform
 
E psi 22nd of february_warsaw_2013
E psi 22nd of february_warsaw_2013E psi 22nd of february_warsaw_2013
E psi 22nd of february_warsaw_2013ePSI Platform
 
Iicensing open data
Iicensing open dataIicensing open data
Iicensing open dataePSI Platform
 
Psi group scoreboard
Psi group scoreboardPsi group scoreboard
Psi group scoreboardePSI Platform
 
Epsi conference
Epsi conferenceEpsi conference
Epsi conferenceePSI Platform
 
Christian Laux on Liability
Christian Laux on LiabilityChristian Laux on Liability
Christian Laux on LiabilityePSI Platform
 
Estudio sobre hábitos seguros en el uso de las TIC por niños y adolescentes
Estudio sobre hábitos seguros en el uso de las TIC por niños y adolescentesEstudio sobre hábitos seguros en el uso de las TIC por niños y adolescentes
Estudio sobre hábitos seguros en el uso de las TIC por niños y adolescentesDavid J Castresana
 
Infonetics Network and Content Security Vendor Scorecard
Infonetics Network and Content Security Vendor ScorecardInfonetics Network and Content Security Vendor Scorecard
Infonetics Network and Content Security Vendor ScorecardCisco Security
 
Seo Basics: Google Rankingfaktoren 2016
Seo Basics: Google Rankingfaktoren 2016Seo Basics: Google Rankingfaktoren 2016
Seo Basics: Google Rankingfaktoren 2016Hanns Kronenberg
 
Information Security as Exemplified by Clandestine Collaboration and Influen...
Information Security as Exemplified by Clandestine Collaboration and Influen... Information Security as Exemplified by Clandestine Collaboration and Influen...
Information Security as Exemplified by Clandestine Collaboration and Influen...RemigiuszRosicki
 
Practical recommendations on the draft-law Uzbekistan/Unesco 06042013 10072013
Practical recommendations on the draft-law Uzbekistan/Unesco 06042013 10072013Practical recommendations on the draft-law Uzbekistan/Unesco 06042013 10072013
Practical recommendations on the draft-law Uzbekistan/Unesco 06042013 10072013Jarmo Koponen
 
Data science and privacy regulation
Data science and privacy regulationData science and privacy regulation
Data science and privacy regulationblogzilla
 
CO3 - Open Data
CO3 - Open DataCO3 - Open Data
CO3 - Open DataGijsbert Koren
 
Legal aspects of data gathering and information exchange
Legal aspects of data gathering and information exchangeLegal aspects of data gathering and information exchange
Legal aspects of data gathering and information exchangeStevenSegaert
 
Personal Data Protection in Pharmaceutical Sector (webinar presentation)
Personal Data Protection in Pharmaceutical Sector (webinar presentation)Personal Data Protection in Pharmaceutical Sector (webinar presentation)
Personal Data Protection in Pharmaceutical Sector (webinar presentation)Anastasiya Lemysh
 
Track H - Cristina Dos Santos
Track H - Cristina Dos SantosTrack H - Cristina Dos Santos
Track H - Cristina Dos SantosePSI Platform
 
Institutional mechanism of national identification card bangladesh experience
Institutional mechanism of national identification card bangladesh experienceInstitutional mechanism of national identification card bangladesh experience
Institutional mechanism of national identification card bangladesh experienceAlexander Decker
 
E psi open data - rejseplanen
E psi open data - rejseplanenE psi open data - rejseplanen
E psi open data - rejseplanenePSI Platform
 
Ds.e psi conference.21 22.02.2013
Ds.e psi conference.21 22.02.2013Ds.e psi conference.21 22.02.2013
Ds.e psi conference.21 22.02.2013ePSI Platform
 
Liability for open data
Liability for open dataLiability for open data
Liability for open dataePSI Platform
 
Big Data Session Presentations
Big Data Session PresentationsBig Data Session Presentations
Big Data Session PresentationsePSI Platform
 
Sl lgo
Sl lgoSl lgo
Sl lgoePSI Platform
 
Otwarte zabytki epsi
Otwarte zabytki epsiOtwarte zabytki epsi
Otwarte zabytki epsiePSI Platform
 
E psi tomek-zielinski-transportoid-conference-slides
E psi tomek-zielinski-transportoid-conference-slidesE psi tomek-zielinski-transportoid-conference-slides
E psi tomek-zielinski-transportoid-conference-slidesePSI Platform
 
Moja polis basic
Moja polis basicMoja polis basic
Moja polis basicePSI Platform
 

More Related Content

Viewers also liked

Psi group scoreboard
Psi group scoreboardPsi group scoreboard
Psi group scoreboardePSI Platform
 
Christian Laux on Liability
Christian Laux on LiabilityChristian Laux on Liability
Christian Laux on LiabilityePSI Platform
 
Estudio sobre hábitos seguros en el uso de las TIC por niños y adolescentes
Estudio sobre hábitos seguros en el uso de las TIC por niños y adolescentesEstudio sobre hábitos seguros en el uso de las TIC por niños y adolescentes
Estudio sobre hábitos seguros en el uso de las TIC por niños y adolescentesDavid J Castresana
 
Infonetics Network and Content Security Vendor Scorecard
Infonetics Network and Content Security Vendor ScorecardInfonetics Network and Content Security Vendor Scorecard
Infonetics Network and Content Security Vendor ScorecardCisco Security
 
Seo Basics: Google Rankingfaktoren 2016
Seo Basics: Google Rankingfaktoren 2016Seo Basics: Google Rankingfaktoren 2016
Seo Basics: Google Rankingfaktoren 2016Hanns Kronenberg
 

Viewers also liked (6)

Psi group scoreboard
Psi group scoreboardPsi group scoreboard
Psi group scoreboard
 
Epsi conference
Epsi conferenceEpsi conference
Epsi conference
 
Christian Laux on Liability
Christian Laux on LiabilityChristian Laux on Liability
Christian Laux on Liability
 
Estudio sobre hábitos seguros en el uso de las TIC por niños y adolescentes
Estudio sobre hábitos seguros en el uso de las TIC por niños y adolescentesEstudio sobre hábitos seguros en el uso de las TIC por niños y adolescentes
Estudio sobre hábitos seguros en el uso de las TIC por niños y adolescentes
 
Infonetics Network and Content Security Vendor Scorecard
Infonetics Network and Content Security Vendor ScorecardInfonetics Network and Content Security Vendor Scorecard
Infonetics Network and Content Security Vendor Scorecard
 
Seo Basics: Google Rankingfaktoren 2016
Seo Basics: Google Rankingfaktoren 2016Seo Basics: Google Rankingfaktoren 2016
Seo Basics: Google Rankingfaktoren 2016
 

Similar to 2013 02 22_w_wiewiorowski_epsi

Information Security as Exemplified by Clandestine Collaboration and Influen...
Information Security as Exemplified by Clandestine Collaboration and Influen... Information Security as Exemplified by Clandestine Collaboration and Influen...
Information Security as Exemplified by Clandestine Collaboration and Influen...RemigiuszRosicki
 
Practical recommendations on the draft-law Uzbekistan/Unesco 06042013 10072013
Practical recommendations on the draft-law Uzbekistan/Unesco 06042013 10072013Practical recommendations on the draft-law Uzbekistan/Unesco 06042013 10072013
Practical recommendations on the draft-law Uzbekistan/Unesco 06042013 10072013Jarmo Koponen
 
Data science and privacy regulation
Data science and privacy regulationData science and privacy regulation
Data science and privacy regulationblogzilla
 
Legal aspects of data gathering and information exchange
Legal aspects of data gathering and information exchangeLegal aspects of data gathering and information exchange
Legal aspects of data gathering and information exchangeStevenSegaert
 
Personal Data Protection in Pharmaceutical Sector (webinar presentation)
Personal Data Protection in Pharmaceutical Sector (webinar presentation)Personal Data Protection in Pharmaceutical Sector (webinar presentation)
Personal Data Protection in Pharmaceutical Sector (webinar presentation)Anastasiya Lemysh
 
Track H - Cristina Dos Santos
Track H - Cristina Dos SantosTrack H - Cristina Dos Santos
Track H - Cristina Dos SantosePSI Platform
 
Institutional mechanism of national identification card bangladesh experience
Institutional mechanism of national identification card bangladesh experienceInstitutional mechanism of national identification card bangladesh experience
Institutional mechanism of national identification card bangladesh experienceAlexander Decker
 

Similar to 2013 02 22_w_wiewiorowski_epsi (8)

Information Security as Exemplified by Clandestine Collaboration and Influen...
Information Security as Exemplified by Clandestine Collaboration and Influen... Information Security as Exemplified by Clandestine Collaboration and Influen...
Information Security as Exemplified by Clandestine Collaboration and Influen...
 
Practical recommendations on the draft-law Uzbekistan/Unesco 06042013 10072013
Practical recommendations on the draft-law Uzbekistan/Unesco 06042013 10072013Practical recommendations on the draft-law Uzbekistan/Unesco 06042013 10072013
Practical recommendations on the draft-law Uzbekistan/Unesco 06042013 10072013
 
Data science and privacy regulation
Data science and privacy regulationData science and privacy regulation
Data science and privacy regulation
 
CO3 - Open Data
CO3 - Open DataCO3 - Open Data
CO3 - Open Data
 
Legal aspects of data gathering and information exchange
Legal aspects of data gathering and information exchangeLegal aspects of data gathering and information exchange
Legal aspects of data gathering and information exchange
 
Personal Data Protection in Pharmaceutical Sector (webinar presentation)
Personal Data Protection in Pharmaceutical Sector (webinar presentation)Personal Data Protection in Pharmaceutical Sector (webinar presentation)
Personal Data Protection in Pharmaceutical Sector (webinar presentation)
 
Track H - Cristina Dos Santos
Track H - Cristina Dos SantosTrack H - Cristina Dos Santos
Track H - Cristina Dos Santos
 
Institutional mechanism of national identification card bangladesh experience
Institutional mechanism of national identification card bangladesh experienceInstitutional mechanism of national identification card bangladesh experience
Institutional mechanism of national identification card bangladesh experience
 

More from ePSI Platform

E psi open data - rejseplanen
E psi open data - rejseplanenE psi open data - rejseplanen
E psi open data - rejseplanenePSI Platform
 
Ds.e psi conference.21 22.02.2013
Ds.e psi conference.21 22.02.2013Ds.e psi conference.21 22.02.2013
Ds.e psi conference.21 22.02.2013ePSI Platform
 
Liability for open data
Liability for open dataLiability for open data
Liability for open dataePSI Platform
 
Big Data Session Presentations
Big Data Session PresentationsBig Data Session Presentations
Big Data Session PresentationsePSI Platform
 
Otwarte zabytki epsi
Otwarte zabytki epsiOtwarte zabytki epsi
Otwarte zabytki epsiePSI Platform
 
E psi tomek-zielinski-transportoid-conference-slides
E psi tomek-zielinski-transportoid-conference-slidesE psi tomek-zielinski-transportoid-conference-slides
E psi tomek-zielinski-transportoid-conference-slidesePSI Platform
 
PSI Re-use in Bulgaria
PSI Re-use in BulgariaPSI Re-use in Bulgaria
PSI Re-use in BulgariaePSI Platform
 
Hamburg Transparency Law
Hamburg Transparency LawHamburg Transparency Law
Hamburg Transparency LawePSI Platform
 
Open Data: the state of the European Union
Open Data: the state of the European UnionOpen Data: the state of the European Union
Open Data: the state of the European UnionePSI Platform
 
Community Building as Scaffolding for a Working Public Sector
Community Building as Scaffolding for a Working Public SectorCommunity Building as Scaffolding for a Working Public Sector
Community Building as Scaffolding for a Working Public SectorePSI Platform
 
Making Open Data Work for the Public Sector
Making Open Data Work for the Public SectorMaking Open Data Work for the Public Sector
Making Open Data Work for the Public SectorePSI Platform
 
Cleaning up the relationship with our government
Cleaning up the relationship with our governmentCleaning up the relationship with our government
Cleaning up the relationship with our governmentePSI Platform
 
Open Data Opportunities
Open Data OpportunitiesOpen Data Opportunities
Open Data OpportunitiesePSI Platform
 
Creating Impact with Open Data
Creating Impact with Open DataCreating Impact with Open Data
Creating Impact with Open DataePSI Platform
 
Transport Data Is Like .....
Transport Data Is Like .....Transport Data Is Like .....
Transport Data Is Like .....ePSI Platform
 
EU Open Data Strategy
EU Open Data StrategyEU Open Data Strategy
EU Open Data StrategyePSI Platform
 
A Year in Open Data - OGD 2012 Key-note
A Year in Open Data - OGD 2012 Key-noteA Year in Open Data - OGD 2012 Key-note
A Year in Open Data - OGD 2012 Key-noteePSI Platform
 
Potential and Impact of Open Data in Europe
Potential and Impact of Open Data in EuropePotential and Impact of Open Data in Europe
Potential and Impact of Open Data in EuropeePSI Platform
 

More from ePSI Platform (20)

E psi open data - rejseplanen
E psi open data - rejseplanenE psi open data - rejseplanen
E psi open data - rejseplanen
 
Ds.e psi conference.21 22.02.2013
Ds.e psi conference.21 22.02.2013Ds.e psi conference.21 22.02.2013
Ds.e psi conference.21 22.02.2013
 
Liability for open data
Liability for open dataLiability for open data
Liability for open data
 
Big Data Session Presentations
Big Data Session PresentationsBig Data Session Presentations
Big Data Session Presentations
 
Sl lgo
Sl lgoSl lgo
Sl lgo
 
Otwarte zabytki epsi
Otwarte zabytki epsiOtwarte zabytki epsi
Otwarte zabytki epsi
 
E psi tomek-zielinski-transportoid-conference-slides
E psi tomek-zielinski-transportoid-conference-slidesE psi tomek-zielinski-transportoid-conference-slides
E psi tomek-zielinski-transportoid-conference-slides
 
Moja polis basic
Moja polis basicMoja polis basic
Moja polis basic
 
PSI Re-use in Bulgaria
PSI Re-use in BulgariaPSI Re-use in Bulgaria
PSI Re-use in Bulgaria
 
Hamburg Transparency Law
Hamburg Transparency LawHamburg Transparency Law
Hamburg Transparency Law
 
Open Data: the state of the European Union
Open Data: the state of the European UnionOpen Data: the state of the European Union
Open Data: the state of the European Union
 
Community Building as Scaffolding for a Working Public Sector
Community Building as Scaffolding for a Working Public SectorCommunity Building as Scaffolding for a Working Public Sector
Community Building as Scaffolding for a Working Public Sector
 
Making Open Data Work for the Public Sector
Making Open Data Work for the Public SectorMaking Open Data Work for the Public Sector
Making Open Data Work for the Public Sector
 
Cleaning up the relationship with our government
Cleaning up the relationship with our governmentCleaning up the relationship with our government
Cleaning up the relationship with our government
 
Open Data Opportunities
Open Data OpportunitiesOpen Data Opportunities
Open Data Opportunities
 
Creating Impact with Open Data
Creating Impact with Open DataCreating Impact with Open Data
Creating Impact with Open Data
 
Transport Data Is Like .....
Transport Data Is Like .....Transport Data Is Like .....
Transport Data Is Like .....
 
EU Open Data Strategy
EU Open Data StrategyEU Open Data Strategy
EU Open Data Strategy
 
A Year in Open Data - OGD 2012 Key-note
A Year in Open Data - OGD 2012 Key-noteA Year in Open Data - OGD 2012 Key-note
A Year in Open Data - OGD 2012 Key-note
 
Potential and Impact of Open Data in Europe
Potential and Impact of Open Data in EuropePotential and Impact of Open Data in Europe
Potential and Impact of Open Data in Europe
 

2013 02 22_w_wiewiorowski_epsi

  • 1. “PRIVACY AND OPEN DATA. SIAMESE TWINS OR MORTAL ENEMIES?” 2013 ePSI “Gotcha! – getting everyone on board” Warsaw, February 22, 2013 WOJCIECH WIEWIÓROWSKI PhD University of Gdańsk, Faculty of Law and Administration Inspector General for Personal Data Protection, Poland Generalny Inspektor Ochrony Danych Osobowych ul. Stawki 2, 00-193 Warszawa www.giodo.gov.pl Warsaw, February 22nd, 2012 kancelaria@giodo.gov.pl
  • 3. PROFILING “Profile” refers to a set of data characterising a category of individuals that is intended to be applied to an individual. “Profiling” means an automatic data processing technique that consists of applying a “profile” to an individual, namely in order to take decisions concerning him or her; or for analysing or predicting personal preferences, behaviours and attitudes. Warsaw, February 22nd, 2012 www.giodo.gov.pl
  • 6. PROFILING “Profile” refers to a set of data characterising a category of individuals that is intended to be applied to an individual. “Profiling” means an automatic data processing technique that consists of applying a “profile” to an individual, namely in order to take decisions concerning him or her; or for analysing or predicting personal preferences, behaviours and attitudes. Warsaw, February 22nd, 2012 www.giodo.gov.pl
  • 7. PROFILING Building profiles according to Group of Art. 29 There are two main approaches to building user profiles: i) Predictive profiles are established by inference from observing individual and collective user behaviour over time, particularly by monitoring visited pages and ads viewed or clicked on. ii) Explicit profiles are created from personal data that data subjects themselves provide to a web service, such as by registering. Both approaches can be combined. Additionally, predictive profiles may be made explicit at a later time, when a data subject creates login credentials for a website. Opinion of Art. 29 WP, 2/2010 on behavioural advertising adopted on June 22 , 2010, page 8 Warsaw, February 22nd, 2012 www.giodo.gov.pl
  • 8. PROFILING Profiling is generaly used in order to 1. get a sociologic and psycologic assessment of the client 2. discover material and social status of the client 3. create sugestions and strategies to be used in marketing activities I would accept such explanation of profiling for marketing purposes …. but ….. ….. This is a thesis of FBI experts on criminal profiling. I have just exchanged notions ”ofender” v. ”client” and ”investigation” v. ”marketing activites”  R. M. Holmes, S.T. Holmes: Profiling Violent Crimes: An Investigative Tool , 4th Ed.,Thousand Oaks: Sage Publications, Inc. 2008 Warsaw, February 22nd, 2012 www.giodo.gov.pl
  • 9. © M. Narojek for GIODO 2011 www.giodo.gov.pl
  • 10. PUBLIC RESOURCES Information is gathered by public sector entities for the purposes which are inline with the constitutional principle of Article 7: ”The organs of public authority shall function on the basis of, and within the limits of, the law”. This information is transfered to the entities who can use the same information to the purposes they were not collected for. Do we need to agree that our personal data will become public sector information and they will be „re-usable” according to EU law ? Can they be used in order to create our peronal profile. Warsaw, February 22nd, 2012 www.giodo.gov.pl
  • 13. PUBLIC RESOURCES Taking in to consideration that data from public registers can be treated as the public sector information, we should be used to the fact, that data from formally public land and mortgage register can be re-used and combined with: - INSPIRE registers and databases, - physical and urban planning documents, - registers of legal persons, associations etc., - statistical registers (REGON, TERYT in Poland), - public offers for debt trading purposes, - property statements of state officers (not only politicians but also public kindergarten and library managers) - client data possessed by profiling entity Warsaw, February 22nd, 2012 www.giodo.gov.pl
  • 14. INFORMATION INFRASTRUCTURE OF THE STATE Classic definition of state by Georg Jellinek (1851-1911), The state shell have: • teritory, • citizens • powers (today – law ). Information infrastructure of the state: 1) The resources explaining how the state looks like (geospatial information), who resides in the state and which organisations (eg. legal persons) exist, as well as the information what are the authorities and which law is in force. GIS + registers + legal information-retriaval systems 2) The system consisting of institutions, entities, resources and ICT systems and technologies which are the basis for the existing social (including legal), political and economic relations. J. Oleński, Infrastruktura informacyjna państwa w globalnej gospodarce, Warsaw 2006 p. 270-272. Warsaw, February 22nd, 2012 www.giodo.gov.pl
  • 15. INFORMATION INFRASTRUCTURE OF THE STATE • norms on information, • information resources • ICT systems, • information institutions • organisations • technical equipement supporting gathering, processing and transfer of information Warsaw, February 22nd, 2012 www.giodo.gov.pl
  • 16. Re-use in the new style 2. This Directive shall not apply to: […] (c) documents which are excluded from access by virtue of the access regimes in the Member States, including on the grounds of: – the protection of national security (i.e. State security), defence, or public security, – statistical or commercial confidentiality; (d) documents held by public service broadcasters and their subsidiaries, and by other bodies or their subsidiaries for the fulfilment of a public service broadcasting remit; (e) documents held by educational and research establishments, such as [schools, universities, archives, libraries and] research facilities including, where relevant, organisations established for the transfer of research results, schools and universities (except university libraries in respect of documents other than research documents protected by third party intellectual property rights) and (f) documents held by cultural establishments other than libraries, museums and archives. Warsaw, February 22nd, 2012 www.giodo.gov.pl
  • 17. Re-use in the new style Article 3 General principle 1. Subject to paragraph (2) Member States shall ensure that documents referred to in Article 1 shall be re-usable for commercial or non-commercial purposes in accordance with the conditions set out in Chapters III and IV. 2. For documents for which libraries (including university libraries), museums and archives have intellectual property rights, Member States shall ensure that, where the re-use of documents is allowed, these documents shall be re-usable for commercial or non-commercial purposes in accordance with the conditions set out in Chapters III and IV. Warsaw, February 22nd, 2012 www.giodo.gov.pl
  • 18. Document • This Directive lays down a generic definition of the term "document", in line with developments in the information society. • It covers any representation of acts, facts or information – and any compilation of such acts, facts or information – whatever its medium (written on paper, or stored in electronic form or as a sound, visual or audiovisual recording), held by public sector bodies. A document held by a public sector body is a document where the public sector body has the right to authorise re-use. Warsaw, February 22nd, 2012 www.giodo.gov.pl
  • 19. CONSTUTUTION OF THE REPUBLIC OF POLAND (ARTICLE 51) • No one may be obliged, except on the basis of statute, to disclose information concerning his person. • Public authorities shall not acquire, collect or make accessible information on citizens other than that which is necessary in a democratic state ruled by law. • Everyone shall have a right of access to official documents and data collections concerning him. Limitations upon such rights may be established by statute. • Everyone shall have the right to demand the correction or deletion of untrue or incomplete information, or information acquired by means contrary to statute. • Principles and procedures for collection of and access to information shall be specified by statute Warsaw, February 22nd, 2012 www.giodo.gov.pl
  • 20. DRAFT OF THE NEW EU REGULATION Article 20 Measures based on profiling 1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour. 2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing: (a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or (b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or (c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards. Warsaw, February 22nd, 2012 www.giodo.gov.pl
  • 21. DRAFT OF THE NEW EU REGULATION Article 20 Measures based on profiling 3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely on the special categories of personal data referred to in Article 9. 4. In the cases referred to in paragraph 2, the information to be provided by the controller under Article 14 shall include information as to the existence of processing for a measure of the kind referred to in paragraph 1 and the envisaged effects of such processing on the data subject. 5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for suitable measures to safeguard the data subject's legitimate interests referred to in paragraph 2. Warsaw, February 22nd, 2012 www.giodo.gov.pl
  • 22. COUNCIL OF EUROPE AND PROFILING Recommendation CM/Rec(2010)13 of the Committee of Ministers to member states on the protection of individuals with regard to automatic processing of personal data in the context of profiling Adopted by the Committee of Ministers on 23 November 2010 at the 1099th meeting of the Ministers’ Deputies Warsaw, February 22nd, 2012 www.giodo.gov.pl
  • 23. COUNCIL OF EUROPE AND PROFILING 4. Information. 4.1. Where personal data are collected in the context of profiling, the controller should provide the data subjects with the following information: a. that their data will be used in the context of profiling; b. the purposes for which the profiling is carried out; c. the categories of personal data used; d. the identity of the controller and, if necessary, her or his representative; e. the existence of appropriate safeguards; Warsaw, February 22nd, 2012 www.giodo.gov.pl
  • 24. COUNCIL OF EUROPE AND PROFILING 4. Information. (…) Where personal data are collected in the context of profiling, the controller should provide the data subjects with the following information: (…) f. all information that is necessary for guaranteeing the fairness of recourse to profiling, such as: - the categories of persons or bodies to whom or to which the personal data may be communicated, and the purposes for doing so; - the possibility, where appropriate, for the data subjects to refuse or withdraw consent and the consequences of withdrawal; - the conditions of exercise of the right of access, objection or correction, as well as the right to bring a complaint before the competent authorities; - the persons from whom or bodies from which the personal data are or will be collected; - the compulsory or optional nature of the reply to the questions used for personal data collection and the consequences for the data subjects of not replying; - the duration of storage; - the envisaged effects of the attribution of the profile to the data subject. Warsaw, February 22nd, 2012 www.giodo.gov.pl
  • 25. COUNCIL OF EUROPE AND PROFILING 4. Information. (…) 4.2. Where the personal data are collected from the data subject, the controller should provide the data subject with the information listed in Principle 4.1 at the latest at the time of collection. 4.3. Where personal data are not collected from data subjects, the controller should provide the data subjects with the information listed in Principle 4.1 as soon as the personal data are recorded or, if it is planned to communicate the personal data to a third party, at the latest when the personal data are first communicated. 4.4. Where the personal data are collected without the intent of applying profiling methods and are processed further in the context of profiling, the controller should have to provide the same information as that foreseen under Principle 4.1. (…) Warsaw, February 22nd, 2012 www.giodo.gov.pl
  • 26. COUNCIL OF EUROPE AND PROFILING 5. Rights of data subjects 5.1. The data subject who is being, or has been, profiled should be entitled to obtain from the controller, at her or his request, within a reasonable time and in an understandable form, information concerning: a. her or his personal data; b. the logic underpinning the processing of her or his personal data and that was used to attribute a profile to her or him, at least in the case of an automated decision; c. the purposes for which the profiling was carried out and the categories of persons to whom or bodies to which the personal data may be communicated. 5.2. Data subjects should be entitled to secure correction, deletion or blocking of their personal data, as the case may be, where profiling in the course of personal data processing is performed contrary to the provisions of domestic law which enforce the principles set out in this recommendation. 5.3. Unless the law provides for profiling in the context of personal data processing, the data subject should be entitled to object, on compelling legitimate grounds relating to her or his situation, to the use of her or his personal data for profiling. Where there is justified objection, the profiling should no longer involve the use of the personal data of the data subject. Where the purpose of the processing is direct marketing, the data subject does not have to present any justification. Warsaw, February 22nd, 2012 www.giodo.gov.pl
  • 27. COUNCIL OF EUROPE AND PROFILING 5. Rights of data subjects (…) 5.4. If there are any grounds for restricting the rights set out in this section in accordance with Section 6, this decision should be communicated to the data subject by any means that allows it to be put on record, with a mention of the legal and factual reasons for such a restriction. This mention may be omitted when a reason exists which endangers the aim of the restriction. In such cases, information should be given to the data subject on how to challenge this decision before the competent national supervisory authority, a judicial authority or a court. 5.5. Where a person is subject to a decision having legal effects concerning her or him, or significantly affecting her or him, taken on the sole basis of profiling, she or he should be able to object to the decision unless: a. this is provided for by law, which lays down measures to safeguard data subjects’ legitimate interests, particularly by allowing them to put forward their point of view; b. the decision was taken in the course of the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the request of the data subject and that measures for safeguarding the legitimate interests of the data subject are in place. Warsaw, February 22nd, 2012 www.giodo.gov.pl
  • 28. PRIVACY BY DESIGN Privacy by Design Resolution 27-29 October 2010, Jerusalem, Israel 32nd International Conference of Data Protection and Privacy Commissioners Privacy by Design: The 7 Foundational Principles 1. Proactive not Reactive; Preventative not Remedial 2. Privacy as the Default Setting 3. Privacy Embedded into Design 4. Full Functionality: Positive-Sum, not Zero-Sum 5. End-to-End Security — Full Lifecycle Protection 6. Visibility and Transparency — Keep it Open 7. Respect for User Privacy — Keep it User-Centric Warsaw, February 22nd, 2012 www.giodo.gov.pl
  • 29. PRIVACY IMPACT ASSESSMENT • A Privacy Impact Assessment (PIA) is a process whereby a conscious and systematic effort is made to assess the privacy and data protection impacts of a specific actions with the view of taking appropriate actions to prevent or at least minimise those impacts. • A PIA Report is the document resulting from the PIA Process that is made available to competent authorities. Proprietary and security sensitive information may be removed from PIA Reports before the Reports are provided externally (e.g., to the competent authorities) as long as the information is not specifically pertinent to privacy and data protection implications. The manner in which the PIA should be made available (e.g., upon request or not) will be determined by member states. In particular, the use of special categories of data may be taken into account, as well as other factors such as the presence of a data protection officer. • PIA Templates may be developed based on the Framework to provide industry-based, application-based, or other specific formats for PIAs and resulting PIA Reports. Warsaw, February 22nd, 2012 www.giodo.gov.pl
  • 30. THANK YOU FOR YOUR ATTENTION ! desiwm@giodo.gov.pl http://edugiodo.giodo.gov.pl www.giodo.gov.pl