Monday, October 20, 2014

BELGIUM (Dutch) - Examples of laws that do not address data protection, or address it incompletely or wrongly #1: the attendance register in the construction sector

The attendance register in the construction sector (also known as the "whereabouts" scheme in construction) was introduced by the programme law of 27 December 2012 as Section 4, Chapter V of the law of 4 August 1996 on the well-being of workers in the performance of their work.

That scheme was implemented in two Royal Decrees (KB's) of 11 February 2014: 
The Privacy Commission has already devoted several opinions / deliberations to it, namely 
  • opinion 43/2013 and 
  • deliberations ASZ 031/2014, 031/2004_4 and 056/2014.
The law shows that the FOD WASO (the Federal Public Service Employment, Labour and Social Dialogue) is the controller for the "standard" registration system. The Royal Decrees show that the FOD WASO has outsourced the actual processing to the RSZ (the National Social Security Office). From the Privacy Commission's opinion we learn that SMALS was originally also named as a processor, but the government has apparently dropped that.

The status of the contractors and subcontractors on the site that are subject to the registration obligation is not clear at all. Various provisions (among others art. 12 of the Royal Decree of 11 February 2014) raise doubt and seem to suggest that the contractors would be processors. Paragraph 53 of the Privacy Commission's opinion also seems to assume this. 
In itself that is somewhat odd, because the contractor and the subcontractors, at least for the data of their own staff, must as a rule be regarded as "controllers" who enter the personal data they hold into the system on the basis of a legal obligation. But if we assume that, it would mean that there also has to be an authorisation somewhere for them to use the National Register number. And that is not to be found in the law (at least not explicitly), and no general authorisation is available for the attendance register. The interpretation that the site management, contractors and subcontractors are controllers would mean that all those parties have to come and request an authorisation, and that in turn is impractical. Moreover, the classification as controller brings further uncertainty about how they should fulfil their obligations under the Privacy Act. 
Are they processors after all, then? Perhaps, but then you would expect the RSZ to conclude a series of further agreements (art. 16 Privacy Act) with the site managements that connect to the standard system. And those must then - on the basis of the provisions of article 16 and/or a chain clause in the agreement with the RSZ - have an agreement with the contractors. And those must then - on the basis of the provisions of article 16 and/or a chain clause in the agreement with the site management - have an agreement with the subcontractors. Etc. And through that whole structure the individuals who enter the site and register in the database with their registration means (e.g. a badge, a dongle, a code, an app on their smartphone, etc.) via the registration device (e.g. a terminal, a computer, a "time clock", etc.) would enter into a direct relationship with the FOD WASO. Quite a setup. And probably because it is so broad, nobody could see the wood for the trees anymore.

Transparency about this massive data collection by the government is also lacking: the government (again, as other examples will show) fails to set up (clear) communication about the data processing. The FOD WASO is the controller, so as a rule it has to take care of that (art. 9 / 10 Privacy Act). It cannot be that site management, contractors, subcontractors and others each have to draw up ad hoc privacy notices, which will certainly lack coherence.

It would be useful if the government and/or the Privacy Commission shed some light on this. Because right now the players in the field are just stumbling around, hoping not to be called out by the social inspectorate on this criminally sanctioned norm. Still... given this lack of clarity it seems to me that almost anyone prosecuted for a breach of this scheme can argue that criminalisation requires a clear rule (nulla poena sine lege).

Sunday, October 19, 2014

BELGIUM / FLANDERS - Cities and their data protection policy

Belgian cities need to have a data protection policy. So far, however, not that many have taken the required steps to be compliant even on paper.

That is why I have drafted a general questionnaire to arrive at a general, high-level strategy on data protection in the city. It is, however, in Dutch. Later on I will turn this into an English file that can apply to any organisation.

You can find the file here: http://www.slideshare.net/mactvdp/veiligheidsbeleid-steden-en-gemeenten-vragenlijst

To go along with that I made a presentation with the key elements of the questionnaire. You can find it here: http://www.slideshare.net/mactvdp/veiligheidsbeleid-gemeenten-dutch.

Any comments or suggestions are welcome.

Tuesday, October 7, 2014

What moves in the EU on the topic of Single Digital Market?

Well, yesterday the hearing of Commissioner-designate for the Single Digital Market Ansip took place in the EU Parliament.

A selection of relevant quotes from the EurActiv website (http://www.euractiv.com/sections/innovation-enterprise/ansip…):

“We must protect everyone’s privacy. Data protection will be an important cornerstone of the Digital Internal Market. The citizens must have trust in this project,” Ansip said.

The 57-year-old said he plans to promote rapid implementation of the Data Protection Directive and put pressure on the 28 heads of state and government, to finally come to an agreement.

Ansip also said he would not rule out suspending the so-called Safe Harbour Agreement with the United States.

“Safe Harbour is not secure. The Agreement has yet to live up to its name,” Ansip criticised.

The Agreement regulates transmission of personal data from European to American companies. American firms can register with the U.S. Department of Commerce and commit to certain data protection guidelines.

3,246 firms have registered since September 2013, including giants like Facebook, Microsoft and Google. According to Ansip, the United States should provide more specific conditions in an escape clause allowing restrictions to data protection on the basis of national security.

“If the U.S. Government does not make a clear statement, we must consider suspending the Agreement,” said Ansip.

Justice Commissioner-designate Věra Jourová expressed a similar view during her hearing last Wednesday (1 October).

A significant majority in the European Parliament voted in May to suspend the Safe Harbour Agreement as a reaction to the NSA revelations by whistleblower Edward Snowden.


For the full report: http://www.elections2014.eu/en/new-commission/hearing/201409…

Friday, August 8, 2014

DPO Stories #9 - Japanese Secret Drawer

ONCE UPON A TIME...

In Japan a man and a woman lived together. They had known each other since they were little. Now they were married.

They married when they were both young. On the day of their marriage the grandfather of the woman, a wise man, gave them a small but very beautiful heirloom, a chest of drawers. It came with a piece of advice: they should make a special vow to one another to leave one drawer the exclusive domain of the other. They should not share or ask about its contents, nor peek. Doing so would be the end of the marriage.

Years passed, and both respected the vow they had made. But the curiosity of the woman grew, little by little. She started to detect "things" in the behaviour of her husband. She could not put her finger on it, but there was "something". It grew into real paranoia. But she remembered her vow and the warning of her grandfather.

At the age of 57 the man was really ill and had to stay in the town "hospital". The woman could not stay there all the time, but at home she went mad with worry. After a few days, while she was cleaning the house, the "secret drawer" crept into her mind again. This time she did not suppress the urge and opened the drawer. There was nothing in there. She checked it with her hand: nothing. Later that day she went to visit her husband. An awkward silence fell. The man noticed something was wrong. 
He: What is it, honey?
She: I looked in your drawer. You know, the "secret drawer".
He: (no response)
She: There was nothing in there?!
He: No.
She: But...?!
He: I have no secrets from you. I love you.
She: Oh. ... I am sorry.
He: It is ok. 
She: I can tell you...
He: No. I do not want to know. I trust you.
She went home that day, a bit embarrassed.

He passed away that evening.

COMMENT

I am not really sure whether there is a good way to explain the wisdom of this story, or even whether I get it at all. I imagine there are some elements in there to answer questions like: 
  • What is the identity of a person?
  • What is trust?
  • Why do we need trust?
  • Why is there a human urge to know what is in the "secret drawer"?
  • What does the "secret drawer" represent?
  • Why does everyone have a different idea of what the "secret drawer" is good for?
  • Why is there (a need for) a "secret drawer", even if one does not use it?


THE POWER OF STORIES

(repetition of the intro of the series:) Stories are of all times, but lately organisational behaviourists and marketers have a renewed interest in them. DPOs have stories as well, from their own experience or heard in their community. And they should use them to engage the organisation, at least to raise awareness, questions and/or discussions. Note that we keep some obscurity and that any reference to a name or situation you may know is likely to be based on coincidence. :-)

CALL TO ACTION

Do you have any good stories? Can you share them (pseudonymised)? (If so, please do.)

Stories like these probably have numerous explanations or angles: what is your take on this story?

Friday, July 25, 2014

DPO Stories #7 - Dear Board of Directors...

ONCE UPON A TIME...

The secretary of the Board of Directors of a listed company questioned the current way of working.
  • Before the meetings he, the CEO and the chairman would decide on the final agenda, draft it, assemble all the memos, reports, draft decisions, etc. to be attached, print it out as many times as there are members of the Board, gather that information into a booklet, and mail the booklet to the individual members of the Board 15 days before the meeting, so everybody would get the information in time to go through it in a reasonable amount of time. 
  • After the meetings the minutes would be drafted by him. He would present them to the chairman for approval. The approved minutes, along with any information requested by the members of the Board, would be sent to them within a reasonable time after the meeting. 
  • From the perspective of the members of the Board there was even an additional element. Sometimes they would not be at home and the postman would deliver the package to the neighbours in the hope that those would - in good faith - hand the package to the member of the Board, unopened.
In this digital day and age that was outdated, right? Could we not just e-mail this information to the Board of Directors? The secretary had all the "good" reasons: 
  • It would position the company as up to date with the new digital normal.
  • It would shave a few days off the deadline for sending the documents to the members. 
  • It would be green. 
  • It would save money by not printing.
  • It would avoid the potential leaking of the data to neighbours or interception by the mail carrier, because remember, this was quite often insider information.
Luckily the secretary had the good sense to give the DPO a ring. He had a few critical questions:
  • Will we really tell the world that we send out Board of Directors documents by e-mail? How will the public react? And the financial market supervisor?
  • Will shifting the deadline not be only a one-off advantage, as the company still has to maintain a deadline, and procrastination is almost inherent to preparing documentation for the Board of Directors (often driven by the argument "we have to provide the latest information")?
  • Will the content of the documentation be changed in such a way that it is easy to consume digitally? Otherwise most members will be inclined to print the documents received (and will probably want a cost reimbursement for that).
  • If the mail is not delivered, or is intercepted, it is likely that we will know that it is lost or intercepted. Will that really change for the better with e-mail distribution? It is true that you need to be quite technically savvy to hack into someone's e-mailbox if there are no mistakes by the e-mail service provider or the recipient (in choosing a poor quality password), but... if the e-mailbox is hacked and the data is leaked we will not necessarily know that, let alone who has got hold of the data.
The secretary and the DPO accepted that the current system was no longer of this age, but also that e-mail distribution would not be the solution. So they would look for other solutions. The DPO had already seen some information sharing systems like digital data rooms (for mergers and acquisitions or for syndicated debt negotiations). The secretary dreamt of something more "consumer friendly" like Dropbox, SkyDrive, etc. They decided to each look up the pros and cons of their solutions and also include the IT department and its information security team in the search. 

Two weeks later three solutions were presented to the chairman of the Board of Directors, each accompanied by a risk scoring and a "convenience" scoring. All solutions presented were "acceptable", but some accepted a bigger residual risk than others. The chairman would present the solutions to the Board of Directors for decision. That way the risk would be decided upon in an informed way and at the appropriate level.

COMMENT

This again shows that awareness actions make a significant difference in the ability of the DPO to intervene at a useful moment in the process rather than running behind the facts. Here the awareness actions seem to have reached up to the level of the secretary of the Board of Directors. Admittedly the secretary was very likely informed by an "IT guy", because there was a constraint on the volume of outgoing e-mail and the secretary had to contact IT for information on how to "bypass" that. Nevertheless, it worked.

The tone of the DPO's reaction is important. The Socratic method of asking questions so that the requestor comes to the insights himself is a very gratifying one, as it is often perceived as non-aggressive. Also, it is preferably used in a one-to-one conversation, at minimum to avoid any bystander effects like the requestor "losing face".

Acknowledging the need of the business to make some steps forward never hurts. If the DPO can - through his lateral experience and connections in the IT department or with contractors - help look for an acceptable solution, that gives him credit in the organisation.

If possible, provide a few acceptable solutions, as the case may be ranked in terms of security, convenience, etc., and let the appropriate bodies decide on the residual risk they want to take. That again builds credit for the DPO. If there is no acceptable solution available, make sure to firmly support that with concrete arguments. That was not the case here, but perhaps... in another story.

THE POWER OF STORIES

(repetition of the intro of the series:) Stories are of all times, but lately organisational behaviourists and marketers have a renewed interest in them. DPOs have stories as well, from their own experience or heard in their community. And they should use them to engage the organisation, at least to raise awareness, questions and/or discussions. Note that we keep some obscurity and that any reference to a name or situation you may know is likely to be based on coincidence. :-)

CALL TO ACTION

Do you have any good stories? Can you share them (pseudonymised)? (If so, please do.)

Do you have experience with a good solution to distribute extremely confidential documents?

Wednesday, July 23, 2014

Periodic Awareness Tip #12 - Attune to Your Public


EMPATHY WITH YOUR PUBLIC

Good communication takes into account the public it is addressed to. That way you avoid communication mistakes like
  • bothering them with information they already know
  • starting your communication from a point they have not reached ("anchoring")
  • addressing them in the wrong tone
  • disregarding relevant cultural background 
  • etc.
The Norwegian Data Protection Authority gives us a nice example of this with its website dubestemmer.no ("you decide"), which has English pages and materials as well. It is directly addressed at education professionals that want to bring up the theme of privacy with kids (9-13) or youngsters (13-17), and even younger children. The materials include facts, examples, discussion topics, videos, etc.

You see that the materials are adapted to address the different types of public.

The Belgian Data Protection Authority made a similar effort with an "I DECIDE" campaign website www.ikbeslis.be (Dutch) / www.jedecide.be (French). This website has sub-sites for kids, youngsters, parents and education professionals. Unfortunately this does not give you an English version to work with.

INTRO (repeating for the series)

Raising awareness amongst your company's staff is key, as the human factor is quite often cited as the weakest link in data protection and security "in the field". Raising awareness also is not a one-off thing. You have to keep hitting the same nail. Preferably, though, you try out different angles every time, as information overload and boredom set in quite rapidly. So let me periodically and in no particular order share some awareness raising materials. Let's aim for once per week and we'll see where we can get.

CALL TO ACTION

Please do comment on these posts: is this useful? What have you used in your organisation to engage the colleagues? How do you measure success? Etc.

Do you know of any other organisations that have made toolkits for specific audiences? Please, share.

Friday, July 18, 2014

DPO Stories #6 - Analyse This

ONCE UPON A TIME...

Our company wanted to set up a web analytics tool. Different vendors from Gartner's golden quadrant were requested to provide information on their solution. SAP was one of them. They already delivered some other services for our company, among others a customer database application and a staffing database application. The SAP people played it very smart and fired up the potential users of a web analytics tool: the marketing department and especially the data miners and analysts.
  • You can capture all kinds of data with it: structured and unstructured.
  • You can capture the data that is entered even if the web form has not been submitted. Amazingly useful for testing and seeing where users make mistakes in completing the form.
  • You can upload and search data that is publicly available on your customers.
  • You can install a cookie so that a customer who has once been "hard authenticated" on the online web platform can be identified even when not logged in. You can give them a cross-platform experience they will never forget.
Marketers, data miners, data analysts,... they LOVE all those possibilities. WOW! And yes, they were SOLD. 

Only... in the implementation phase the project manager is confronted with the privacy impact assessment (PIA) requirement and with the actual task of setting the parameters for the tool. Anyone with experience in project implementation knows that a tool that "can do it all" means a tool that has to be fed so much data and so many parameters, and sometimes even needs customisation, that the project manager's hair colour slowly shifts to grey. 

The PIA quite quickly showed that: 
  • keeping the tool purpose-bound would be a challenge: web analytics OK, identifying the customer even when not logged in - at least "in the grey zone", capturing data entered in a form that is not submitted - unacceptable, hoovering up publicly available data from social media - only when we are sure the customer consented (is that even possible?), etc.
  • the legitimate basis for this kind of processing would have to be the customer's consent, complemented by a fair dose of self-discipline in processing the data in the background; the then upcoming cookie legislation would also make opt-in the standard to be met; also: how to ensure no special categories of data are captured in the unstructured data?; etc.
  • the company would have to be very transparent about this, especially about the fact that a customer could be identified even when not logged in;
  • accountability in the organisation had to be very clear: a single person (function) at a significantly high level as first-line gatekeeper, with a reporting duty and escalation power to top management;
  • security, given the potential amount of data that would be stored, would have to be very high: strict access management (basically a team of 5), access logs, etc.;
  • confidentiality, i.e. people with access respecting the purpose of the data set and not sharing it with others, would have to be ensured: a manual, training with Q&A by the DPO himself, yearly renewal of the training and evaluation of the setup, etc.;
  • the rights of the data subject would be important: a low-threshold opt-out (right to object), a contact line with the complaints handling department, etc.
After a few iterations the project manager was able to transfer most of the elements that came out of the PIA into the project in a satisfactory way, except for the consent. How could that be captured properly? The standard application at the time did not provide an opt-in functionality. There was an opt-out functionality. An opt-in functionality would require an extra payment to SAP of at least 500k, and additional work on the side of the company as well. 

The project manager received clear signals that management would not accept that cost. On the other hand, the project manager was really keen on getting the tool as compliant as possible, so the data could be used with a fair level of comfort for the company. So back to the drawing board for the consent.

After a lot of bouncing ideas around, the project manager and the DPO settled for what they called an actively promoted opt-out. There is no such thing in the legislation; there is only opt-in (consent) and opt-out (right to object). But this concept would need to approximate an actual opt-in so closely that it could be assimilated with it. The main elements: 
  • before the start, the existing customers that log in get a message in the inbox of the application that is very explicit on (1) the analytics, and in particular the fact that the identification is to a large extent carried along even when not logged in, and (2) where to find the opt-out;
  • periodic repetition (at least once per year) of that initial message, adapted to the changed situation as the case may be;
  • a lot of information to be found in permanently available locations: the general privacy statement and the page where the opt-out button can be found;
  • a very low-threshold opt-out, easy to find, with lots of references to it, and instructions to the "normal" channels (like the complaints handling department) on how to help requestors, etc.
Of all the customers that received the active promotion of the opt-out, only one customer "made it" to the complaints handling department. The accountable person did not yet feel comfortable enough to address that on his own, so the DPO helped out and called the customer. The customer complained for about 5 minutes and then the DPO got to explain the company's choice. Very openly, it was explained how the choice came about and that the company in fact excelled over its competitors, which basically all did the same but - for a number of reasons - opted to keep those practices in the dark. The customer was positively surprised by such openness, even thanked the DPO, and would use the opt-out and leave it at that.
A few years later the marketing department realised that even with a fair deployment of the application it did not provide what they were looking for, and they chose to install Google Analytics (professional) to be able to compare the results. But that... is another story.

COMMENT

The lack of standard opt-in functionality is a sign that IT companies at the time did not take into account the data privacy constraints their customers had to deal with.
  • Asking individual customers to pay for that to make a fit with their project is not commercially sound. There is an opportunity cost, but it is generally not so high as to justify an extremely high premium charged to a single customer. Indeed, the lack of a standard opt-in required quite some organisation, planning and self-discipline, which would have been avoided had the standard tool provided an opt-in. It would also mean that controls would have to be set up to ensure that the organisational setup did not fail. But all that did not weigh up against an extra fee of over 500k.
  • IT companies often, if not always, place the burden of regulatory compliance on their customers. That is in most cases only fair. However, for SaaS solutions, and with more data privacy regulation and enforcement thereof in the (near) future, it is to be expected that the application provider selected will need to be a solution provider, compliance included, or at least with compliance handled in the parameter settings and NOT in customisation.
Privacy impact assessments are not a one-off thing. They can and have to be reiterated at times. And the sooner you include them in the project stream, the more they are able to think along with the business towards reasonable solutions, acceptable to all stakeholders.

Budget constraints are real and have to be taken into account by the organisation, including by the DPO. The ideal situation where compliance is 99% certain can be very costly. So sometimes the DPO has to look at the overall picture and see what is feasible and still meets the requirements of the company and the law. In a company that wants to be compliant, there is often a solution to be found by looking at the overall picture of the end-to-end process.

Openness on what is often seen as the "dark side" of marketing data processing (profiling etc.) does not have to turn out to be detrimental to the business. It keeps the company in check and increases the trust customers and data subjects have in the company.

THE POWER OF STORIES

(repetition of the intro of the series:) Stories are of all times, but lately organisational behaviourists and marketers have a renewed interest in them. DPOs have stories as well, from their own experience or heard in their community. And they should use them to engage the organisation, at least to raise awareness, questions and/or discussions. Note that we keep some obscurity and that any reference to a name or situation you may know is likely to be based on coincidence. :-)

CALL TO ACTION

Do you have any good stories? Can you share them (pseudonymised)? (If so, please do.)

Do you have a story on how to creatively come to a reasonable solution meeting business requirements and compliance requirements?