Tag Archives: guidance

The Information Commissioner of the Republic of Slovenia

The IPRS issues a report on the Use of Drones

On 30 July 2015, the Information Commissioner (IP) issued a report on the use of drones in relation to the Data Protection Act.

It highlighted the features of such processing of personal data, which may include weapon systems, systems for transportation and delivery, and systems for control and data acquisition, and outlined a wide range of risks that differ depending on the kind of data acquisition systems used, giving special emphasis to data capture by the police, especially in the case of mass capture and processing of data.

One section of the report analyses the risks associated with protecting information privacy and explains in detail, to a wide range of stakeholders, the principle of legality, the press exception and the principle of proportionality according to the national Data Protection Act.

Ultimately, the report examined the use of unmanned aircraft by law enforcement authorities, as they have important implications not only for the full range of constitutionally protected human rights but also as an ethical imperative, and gave the following recommendations based on the International Working Party on Data Protection and Telecommunications and the Article 29 Working Party:

a) The use of drones should be regulated in a way that ensures safe use and at the same time provides adequate safeguards for the provision and protection of fundamental rights.

b) They must ensure compliance with the reasonable expectations of privacy, both in private contexts and in public places.

c) The collection and further processing of personal data by the public sector shall be defined by law or under the terms of Article 9 of the PDPA-1.

d) They shall comply with the requirements regarding the protection of personal data (e.g. the statements and actions of awareness among managers, certification of operators, etc.) and, if necessary, the identification of the exemption for journalistic purposes.

e) In cooperation with the supervisory authorities for data protection, an appropriate scheme for carrying out Data Protection Impact Assessments should be developed, which will help operators of unmanned aircraft.

f) It is also necessary to improve the cooperation between the Civil Aviation Agency and the supervisory authorities for data protection and involve all stakeholders, including representatives of the media, non-governmental organizations, operators and service providers, among others.

h) Ultimately, it is indispensable to encourage the development of self-regulatory codes of conduct and other initiatives to ensure responsible use of drones.


Data protection agency publishes new IT security text

The Danish DPA has published guidance on IT security around shared log-ins.

This is part of a series of IT security guidance, started in 2014 and comprising 11 different publications. The purpose of the IT security texts is to focus on selected IT security issues that data controllers, data processors, project leaders and others have to deal with in practice in regard to the processing of personal data. Each IT security text unfolds a selected IT security problem. The problem presented can benefit from further consideration before decisions are made on how it is solved in practice in one's own organization.

Not all EU data protection authorities produce information security guidance. It is a relatively uncommon activity, although many DPAs do produce guidance documents (several of which are hosted in this repository).

Data Protection Commissioner

Data Protection Office issues Guidance on Location Data

The Office of the Data Protection Commissioner has today, 9 August 2016, published detailed guidance on location data.

Location data is any information which links an individual to a particular place, including information about where a person currently is, or where they were at some point in the past. Technology such as smart phones has made it easier than ever before for individuals to be located. Organisations use this data to offer personalised services, such as navigation apps or location-specific news content on websites.

Aimed at both individuals and organisations, our guidance will assist individuals in understanding how information relating to their location is collected and processed, and provides clarity to organisations on their obligations regarding such data. The overriding principle of the guidance centres on the protection of the individual’s right to data privacy.

Publishing the guidance, the Office of the Data Protection Commissioner advised users of smart phone apps, in particular, to familiarise themselves with the terms attaching to the downloading and use of apps and, where location data is collected, to be aware of the purposes for which it is being used. As the rate of technological innovation continues apace, more and more location data is being collected and transmitted and individuals should be vigilant of how this information is collected, processed and re-used.


New checklist prepares organisations for the new EU regulation

<<The Data Inspection Board has developed a checklist as an aid to companies and other organizations that must now prepare for the EU Regulation on data protection, which in two years replaces the Data Protection Act.

In two years the EU Data Protection Regulation becomes applicable in Sweden and other member countries. The regulation applies directly as Swedish law and replaces the Data Protection Act. This has major consequences for companies and other organizations that collect and use personal information.

– The Regulation has similarities with the current Data Protection Act but also great differences. It is important for businesses, governments and others to start preparing already for the new rules, says the Data Inspection Board's Director General, Kristina Svahn Starrsjö.

The Data Inspection Board has developed a checklist that provides support in the preparatory work. The checklist is based on a model from the Data Inspectorate’s sister agency in the UK, The Information Commissioner’s Office.

The checklist includes 13 items, including items on new standards for integrity analyses, documentation, the legal arguments that can be used when personal information is collected and handled, and what information must be provided to the people whose data is collected.

– The checklist is available and I encourage all organizations that handle personal information to download and go through it, says Kristina Svahn Starrsjö.

The Data Inspection Board has also published some 20 questions and answers about the upcoming EU regulation on data protection and will this fall organize training courses with a special focus on the regulation.>>

Data Protection Commissioner

Guidance on Data Sharing in the Public Sector

The Office of the Data Protection Commissioner (“ODPC”) welcomes the decision of the European Court of Justice in the case of Bara & Oths C-201/2014 and notes the strong trend emanating from recent judgments whereby the Court has interpreted the Data Protection Directive so as to extend and to reinforce the protection of the rights of individuals. The Bara judgment, which focused upon a public sector data sharing arrangement, reiterates the importance of informing the data subject about the processing of their personal data, as it affects the exercise by the data subjects of their right of access to their personal data, their right to rectify their data being processed and their right to object to the processing of data.

An individual may expect public sector bodies to share their personal data where it is essential and necessary to provide him/her with the services sought, and the ODPC fully supports the aim of developing more efficient and customer-centric public services in this regard. However, this must also be balanced with the fact that individuals need to be informed as to how their personal information is used and for what purpose, who has access to it and how the sharing of that information will impact upon them. Therefore, whilst data sharing can bring benefits in terms of efficient delivery of public services, it must be done in a way that respects the rights of individuals to have their personal data treated with care and not accessed or used without good reason.

As such the ODPC recommends that all data sharing arrangements in the public sector should:

  • Have a basis in primary legislation;
  • Make it clear to individuals that their data may be shared and for what purpose;
  • Be proportionate in terms of their application and the objective to be achieved;
  • Have a clear justification for individual data sharing arrangements;
  • Share the minimum amount of data to achieve the stated public service objective;
  • Have strict access and security controls; and
  • Ensure secure disposal of shared data.

It is important to restate from the outset that, subject to the exceptions permitted under the Data Protection Acts 1988 – 2003 (the DPA), all processing of personal data must comply with the principles of data quality as set out in Section 2 and with one of the criteria for making data processing legitimate in Section 2(2A) (and Section 2(2B) if sensitive personal data is involved). In undertaking a review of all current and future data sharing arrangements, public sector bodies should ensure that the following best practice guidelines are considered and applied as appropriate.

Information Commissioner’s Office (ICO)

ICO launches new data protection self-assessment tool for SMEs

The ICO has today launched a self-assessment tool that will help small and medium-sized organisations (SMEs) to assess their compliance with the Data Protection Act. The toolkit provides handy links to relevant guidance and further information, and will generate a rating based on responses.

Information Commissioner Christopher Graham said:

“Good data protection practice makes business sense. It can lead to better, more efficient customer service and help to protect and enhance your reputation. It could also help you avoid a fine from the ICO.”

The easy-to-use toolkit may be completed as one comprehensive assessment that embraces the key obligations that SMEs have in relation to processing their customers’ or clients’ personal information. Alternatively, it can be broken down into separate checklists so users can tailor it to their organisation’s particular needs and risks.

Data Protection Commissioner

Guidance on the Use of Drones

The Data Protection Commissioner (Ireland) has produced and issued new guidance on the use of drones in relation to the Data Protection Act. This supports regulations issued by the Irish Aviation Authority, which is the primary regulator of drones in Ireland. The guidance was issued concurrently with an update to the office’s guidance on CCTV and new guidance on the use of body worn cameras. Unless such systems are used with proper care and consideration, they can give rise to concern that the individual’s home or private life is being invaded. It is possible that use of such aircraft may cause privacy concerns among the public as a result of equipment which may be added to the drones. The guidance contains advice on what constitutes personal data, proportionality, transparency and notifying the public, data controllers and processors, storage and retention, security, access requests, and covert surveillance.