Monday, October 20, 2014

BELGIUM (Dutch) - Examples of laws that address data protection not at all, incompletely or incorrectly #1: the attendance register in the construction sector

The attendance register in the construction sector (also known as the "whereabouts" scheme in construction) was introduced by the programme law of 27 December 2012 in Section 4, Chapter V of the law of 4 August 1996 on the well-being of workers in the performance of their work.

That scheme was implemented by two Royal Decrees (KB's) of 11 February 2014:
The Privacy Commission has already devoted several opinions / deliberations to it, namely:
  • opinion 43/2013 and
  • deliberations ASZ 031/2014, 031/2004_4 and 056/2014.
The law shows that the FOD WASO (the Federal Public Service Employment, Labour and Social Dialogue) is the controller of the "standard" registration system. The Royal Decrees show that the FOD WASO has in fact outsourced the actual processing to the RSZ (the National Social Security Office). From the Privacy Commission's opinion we learn that SMALS was originally also named as a processor, but the government has apparently dropped that.

The status of the contractors and subcontractors on the site that is subject to the registration obligation is not clear at all. Various provisions (including art. 12 of the Royal Decree of 11 February 2014) raise doubts and seem to suggest that the contractors would be processors. Paragraph 53 of the Privacy Commission's opinion also seems to assume this.
In itself that is somewhat odd, because the contractor and the subcontractors, at least for the data of their own staff, must as a rule be regarded as "controllers" who, on the basis of a legal obligation, must enter the personal data they hold into the system. But if we take that view, it would mean that there must also be an authorisation somewhere for them to use the National Register number. And that cannot be found in the law (at least not explicitly), and no general authorisation is available for the attendance register. The interpretation that site management, contractors and subcontractors are controllers would mean that all those parties must come and request an authorisation, and that in turn is impractical. Moreover, classification as controller brings further uncertainties about how they must fulfil their obligations under the Privacy Act.
Are they processors after all? Perhaps, but then you would expect the RSZ to conclude a series of further agreements (art. 16 Privacy Act) with the site managements that connect to the standard system. And those would then, on the basis of article 16 and/or a flow-down clause in the agreement with the RSZ, have to have an agreement with the contractors. And those would then, on the basis of article 16 and/or a flow-down clause in the agreement with the site management, have to have an agreement with the subcontractors, etc. And through that whole structure the individuals who enter the site and register themselves in the database with their registration means (e.g. a badge, a dongle, a code, an app on their smartphone, etc.) via the registration device (e.g. a terminal, a computer, a "time clock", etc.) would enter into a direct relationship with the FOD WASO. Quite a set-up. And probably because it is so broad, nobody could see the wood for the trees anymore.

Transparency about this massive data collection by the government is also lacking: the government (again, as other examples will show) fails to set up (clear) communication about the data processing. The FOD WASO is the controller, so as a rule it must take care of that (art. 9 / 10 Privacy Act). It surely cannot be the case that site management, contractors, subcontractors and others will each have to draw up ad hoc privacy notices, which will certainly lack coherence.

It would be useful if the government and/or the Privacy Commission shed some light on this. Because at the moment the players in the field are just treading water, hoping not to be called to account by the social inspectorate for this criminally sanctioned rule. But then again... given this lack of clarity, it seems to me that almost anyone who is held liable for an infringement of this scheme can argue that a criminal sanction requires a clear rule (nulla poena sine lege).

Sunday, October 19, 2014

BELGIUM / FLANDERS - Cities and their data protection policy

Belgian cities need to have a data protection policy. So far however not that many have taken the required steps to even be compliant on paper.

That is why I have drafted a general questionnaire to come to a general, high-level strategy on data protection in the city. It is however in Dutch. Later on I will turn this into an English file that can apply to any organisation.

You can find the file here: http://www.slideshare.net/mactvdp/veiligheidsbeleid-steden-en-gemeenten-vragenlijst

To go along with that I made a presentation with the key elements of the questionnaire. You can find it here: http://www.slideshare.net/mactvdp/veiligheidsbeleid-gemeenten-dutch.

Any comments or suggestions are welcome.

Tuesday, October 7, 2014

What moves in the EU on the topic of Single Digital Market?

Well, yesterday the hearing of Commissioner-designate for the Single Digital Market Ansip took place in the EU Parliament.

A selection of relevant quotes from the EurActiv website (http://www.euractiv.com/sections/innovation-enterprise/ansip…):

“We must protect everyone’s privacy. Data protection will be an important cornerstone of the Digital Internal Market. The citizens must have trust in this project,” Ansip said.

The 57-year-old said he plans to promote rapid implementation of the Data Protection Directive and put pressure on the 28 heads of state and government, to finally come to an agreement.

Ansip also said he would not rule out suspending the so-called Safe Harbour Agreement with the United States.

“Safe Harbour is not secure. The Agreement has yet to live up to its name,” Ansip criticised.

The Agreement regulates transmission of personal data from European to American companies. American firms can register with the U.S. Department of Commerce and commit to certain data protection guidelines.

3,246 firms have registered since September 2013, including giants like Facebook, Microsoft and Google. According to Ansip, the United States should provide more specific conditions in an escape clause allowing restrictions to data protection on the basis of national security.

“If the U.S. Government does not make a clear statement, we must consider suspending the Agreement,” said Ansip.

Justice Commissioner-designate Věra Jourová expressed a similar view during her hearing last Wednesday (1 October).

A significant majority in the European Parliament voted in May to suspend the Safe Harbour Agreement as a reaction to the NSA revelations by whistleblower Edward Snowden.


For the full report: http://www.elections2014.eu/en/new-commission/hearing/201409…

Friday, August 8, 2014

DPO Stories #9 - Japanese Secret Drawer

ONCE UPON A TIME...

In Japan a man and a woman lived together. They had known each other since they were little. Now they were married.

They married when they both were young. On the day of their marriage the grandfather of the woman, a wise man, gave them a small but very beautiful heirloom, a chest of drawers. It came with a piece of advice: they should make a special vow towards one another to leave one drawer the exclusive domain of the other. They should not share nor ask for its content, nor peek. Doing so would be the end of the marriage.

Years passed, and both respected the vow they made. But the curiosity of the woman grew, little by little. She started to detect "things" in the behaviour of her husband. She could not put her finger on it, but there was "something". It grew into a real paranoia. But she remembered her vow and the warning of her grandfather.

At the age of 57 the man was really ill and had to stay in the town "hospital". The woman could not stay there all the time, but at home she went mad with worry. After a few days, while she was cleaning the house, the "secret drawer" crept into her mind again. This time she did not suppress the urge and opened the drawer. There was nothing in there. She checked it with her hand: nothing. Later that day she went to visit her husband. An awkward silence fell. The man noticed something was wrong.
He: What is it, honey?
She: I looked in your drawer. You know, the "secret drawer".
He: (no response)
She: There was nothing in there ?!
He: No.
She: But... ?!
He: I have no secrets from you. I love you.
She: Oh. ... I am sorry.
He: It is ok. 
She: I can tell you...
He: No. I do not want to know. I trust you.
She went home that day. A bit embarrassed.

He passed away that evening.

COMMENT

I am not really sure whether or not there is a good way to explain the wisdom of this story, or even if I get it all. I imagine that there are some elements in there to answer questions like:
  • What is the identity of a person?
  • What is trust?
  • Why do we need trust?
  • Why is there a human urge to know what is in the "secret drawer"?
  • What does the "secret drawer" represent?
  • Why does everyone have a different idea of what the "secret drawer" is good for?
  • Why is there (a need for) a "secret drawer", even if one does not use it?


THE POWER OF STORIES

(repetition of the intro of the series:) Stories are of all times, but lately organisational behaviorists and marketers have a renewed interest in them. DPOs have stories as well, from their own experience or heard in their community. And they should use them to engage the organisation, at least to raise awareness, questions and/or discussions. Note that we keep some obscurity and that any reference to a name or situation you may know is likely to be based on coincidence. :-)

CALL TO ACTION

Do you have any good stories? Can you share them (pseudonymised)? (If so, please, do.)

Stories like these probably have numerous explanations or angles: what is your take on this story?

Friday, July 25, 2014

DPO Stories #7 - Dear Board of Directors...

ONCE UPON A TIME...

The secretary of the Board of Directors of a listed company questioned the current way of working.
  • Before the meetings he, the CEO and the chairman would decide on the final agenda, draft it, assemble all the memos, reports, draft decisions, etc. to be attached, print it out as many times as there are members of the Board, gather that information into a booklet, and mail the booklet to the individual members of the Board 15 days before the meeting, so everybody would get the information in time to be able to go through it in a reasonable amount of time.
  • After the meetings the minutes would be drafted by him. He would present them to the chairman for approval. The approved minutes along with any information requested by the members of the Board would be sent to them within a reasonable time after the meeting. 
  • From the perspective of the members of the Board, there was even an additional element. Sometimes they would not be at home and the postman would deliver the package to the neighbours in the hope those would - in good faith - give the package to the member of the Board, unopened.
In this digital day and age that was outdated, right? Could we not just e-mail the Board of Directors this information? The secretary had all the "good" reasons: 
  • It would position the company as up-to-date with the new digital normal.
  • That would shave a few days off the deadline to send the documents to the members.
  • It would be green. 
  • It would save money on (not) printing.
  • It would avoid the potential leaking of the data to neighbours or interception by the postal company, because remember, this was quite often insider information.
Luckily the secretary had the good sense to give the DPO a ring. He had a few critical questions:
  • Will we really tell the world that we send out Board of Director documents by e-mail? How will the public react? And the financial market supervisor?
  • Will shifting the deadline not only be a one-off advantage, as the company still has to maintain a deadline and procrastination is almost inherent to preparing documentation for the Board of Directors (often driven by the argument "we have to provide the latest information")?
  • Will the documentation's content be changed in such a way that it is easy to digitally consume? Otherwise most members will be inclined to print the documents received (and probably will want a cost reimbursement for that).
  • If the mail is not delivered or is intercepted, it is likely that we will know that it is lost or intercepted. Will that really change for the better in case of e-mail distribution? It is true that you need to be quite technically savvy to hack into someone's e-mailbox, if there are no mistakes by the e-mail service provider or the recipient (in choosing a poor quality password), but... if the e-mailbox is hacked and the data is leaked we will not per se know that, let alone who has got hold of the data.
The secretary and the DPO accepted that the current system was no longer of this age, but also that e-mail distribution would not be the solution. So they would look for other solutions. The DPO had already seen some information sharing systems like digital data rooms (for mergers and acquisitions or for syndicated debt negotiations). The secretary dreamt of something more "consumer friendly" like dropbox, skydrive, etc. They decided to each look up the pros and cons of their solutions and also include the IT and its information security team in the search. 

Two weeks later three solutions were presented to the chairman of the Board of Directors, each accompanied by a risk scoring and a "convenience" scoring. All solutions presented were "acceptable", but some accepted a bigger residual risk than others. The chairman would present the solutions to the Board of Directors for decision. That way the risk would be decided upon in an informed way and at the appropriate level.

COMMENT

This again shows that awareness actions make a significant difference in the ability of the DPO to intervene at a useful moment in the process rather than running behind the facts. Here the awareness actions seem to have reached up to the level of the secretary of the Board of Directors. Admittedly the secretary was very likely informed by an "IT guy", because there was a volume constraint on outgoing e-mail and the secretary had to contact IT for information on how to "bypass" that. Nevertheless, it worked.

The tone of the reaction by the DPO is important. The Socratic method of asking questions so the requestor comes to the insights himself is a very gratifying one, as it is often perceived as non-aggressive. It is also preferably used in a one-to-one conversation, at minimum to avoid any bystander effects like the requestor "losing face".

Acknowledging the need of the business to make some steps forward never hurts. If the DPO can - through his lateral experience and connections in the IT department or with contractors - help look for an acceptable solution that gives him credit in the organisation.

If possible, provide a few acceptable solutions, as the case may be, ranked in terms of security, convenience, etc. and let the appropriate bodies decide on the residual risk they want to take. That again builds credit for the DPO. If there is no acceptable solution available, make sure to firmly support that with concrete arguments. That was not the case here, but perhaps... in another story.

THE POWER OF STORIES

(repetition of the intro of the series:) Stories are of all times, but lately organisational behaviorists and marketers have a renewed interest in them. DPOs have stories as well, from their own experience or heard in their community. And they should use them to engage the organisation, at least to raise awareness, questions and/or discussions. Note that we keep some obscurity and that any reference to a name or situation you may know is likely to be based on coincidence. :-)

CALL TO ACTION

Do you have any good stories? Can you share them (pseudonymised)? (If so, please, do.)

Do you have experience with a good solution to distribute extremely confidential documents?

Wednesday, July 23, 2014

Periodic Awareness Tip #12 - Attune to Your Public


EMPATHY WITH YOUR PUBLIC

Good communication takes into account the public it is addressed to. That way you avoid communication mistakes like
  • bothering them with information they already know
  • starting your communication from a point they have not reached ("anchoring")
  • addressing them at the wrong tone
  • disregarding relevant cultural background 
  • etc.
The Norwegian Data Protection Authority gives us a nice example of this with its website dubestemmer.no ("you decide"), which has English pages and materials as well. It is directly addressed to education professionals that want to bring up the theme of privacy with kids (9-13) or youngsters (13-17), and even younger children. The materials include facts, examples, discussion topics, videos, etc.

You see that the materials are adapted to address the different types of public.


The Belgian Data Protection Authority made a similar effort with an "I DECIDE" campaign website www.ikbeslis.be (Dutch) / www.jedecide.be (French). This website has sub-sites for kids, youngsters, parents and education professionals. Unfortunately this does not give you an English version to work with.

INTRO (repeating for the series)

Raising awareness amongst your company's staff is key as the human factor is quite often cited as the weakest link in data protection and security "in the field". Raising awareness also is not a one-off thing. You have to keep hitting the same nail. Preferably though, you try out different angles every time again, as information overload and boredom settle in quite rapidly. So let me periodically and in no particular order share some awareness raising materials. Let's aim for once per week and we'll see where we can get.

CALL TO ACTION

Please do comment on these posts: is this useful? what have you used in your organisation to engage the colleagues? how do you measure success? etc.  

Do you know of any other organisations that have made toolkits for specific audiences? Please, share.

Friday, July 18, 2014

DPO Stories #6 - Analyse This

ONCE UPON A TIME...

Our company wanted to set up a web analytics tool. Different vendors from Gartner's Magic Quadrant were requested to provide information on their solution. SAP was one of them. They already delivered some other services for our company, among others a customer database application and a staffing database application. The SAP people played it very smart and fired up the potential users of a web analytics tool, the marketing department and especially the data miners and analysts.
  • You can capture all kinds of data with it: structured and non-structured.
  • You can capture the data that is entered even if the webform has not been submitted. Amazingly useful to test and see where the users make mistakes in completing the form.
  • You can upload and search data that is publicly available on your customers.
  • You can install a cookie so that a customer who has once been "hard authenticated" on the online web platform can be tracked and identified even when he is not logged in. You can give them a cross-platform experience they will never forget.
Marketers, data miners, data analysts,... they LOVE all those possibilities. WOW! And yes, they were SOLD. 

Only... in the implementation phase the project manager is confronted with the privacy impact assessment (PIA) requirement and with the actual task of setting the parameters for the tool. Anyone with experience in project implementation knows that a tool that "can do it all" means a tool that has to be fed so much data and so many parameters, and sometimes even needs customisation, that the project manager's hair colour slowly shifts to grey.

The PIA quite quickly showed that:
  • keeping the tool purpose bound would be a challenge: web analytics OK, identifying the customer even when not logged in - at least "in the grey zone", capturing data that is in a form that is not submitted - unacceptable, hoovering up publicly available data from social media - only when we are sure the customer consented (is that even possible?), etc.
  • the legitimate basis for this kind of processing would have to be consent of the customer, completed with a fair dose of self-discipline in processing the data in the background; the then upcoming cookies legislation would also make opt-in the standard to be met; also: how to ensure no special categories of data are captured in the unstructured data?; etc.
  • the company would have to be very transparent about this, especially about the fact that a customer could be identified even when not logged in;
  • accountability in the organisation had to be very clear: a single person (function) at a significantly high level as first line gatekeeper, with reporting duty and escalation power to top management;
  • security, with the potential amount of data that would be stored, would have to be very high; so strict access management (basically a team of 5), access logs, etc.
  • confidentiality, people with access respecting the purpose of the data set and not sharing it with others, would have to be ensured: a manual, training with Q&A by the DPO himself, yearly renewal of the training and evaluation of the setup, etc.
  • rights of the data subject would be important: low threshold opt-out (right to object), contact line with the complaints handling department, etc.
After a few iterations the project manager was able to transfer most of the elements that came from the PIA into the project in a satisfactory way, except for the consent. How could that be well captured? The standard application at the time did not provide an opt-in functionality. There was an opt-out functionality. An opt-in functionality would require an extra payment to SAP of at least 500k and additional work on the side of the company as well.

The project manager received clear signals that management would not accept that cost. On the other hand, the project manager was really keen on getting the tool as compliant as possible so the data could be used with a fair level of comfort for the company. So back to the drawing board for the consent.

After a lot of bouncing ideas the project manager and the DPO settled for what they called an actively promoted opt-out. There is no such thing in the legislation. Only opt-in (consent) and opt-out (right to object). But this concept would need to approximate an actual opt-in so close that it could be assimilated with it. The main elements: 
  • before the start the existing customers that log in get a message in the inbox of the application that is very explicit on (1) the analytics and in particular the fact that the identification to a large extent is taken along even when not logged in and (2) where to find the opt-out;
  • periodic repetition (at least once per year) of that initial message, as the case may be adapted to the changed situation;
  • a lot of information to be found in permanently available locations: the general privacy statement and on the page where the opt-out button can be found;
  • a very low threshold opt-out, easy to find, lots of references to it, instructions to the "normal" channels (like the complaints handling department) to help requestors, etc.
Of all customers that received the active promotion of the opt-out only one customer "made it" to the complaints handling department. The accountable person did not yet feel comfortable enough to address that on his own, so the DPO helped out and called the customer. The customer complained for about 5 minutes and then the DPO got to explain the choice of the company. Very openly, it was explained how the choice came to be and that the company in fact excelled over its competitors, who basically all did the same but - for a number of reasons - opted to keep those practices in the dark. The customer was positively surprised by such openness, even thanked the DPO, would use the opt-out and leave it at that.
A few years later the marketing department realised that even with a fair deployment of the application it did not provide what they were looking for and they chose to install google analytics (professional) to be able to compare the results. But that... is another story.

COMMENT

The lack of standard opt-in functionality is a sign that IT companies at the time did not take into account the data privacy constraints their customers had to deal with.
  • Asking single customers to pay for that to make a fit with their project is not commercial. There is an opportunity cost, but it is generally not so high as to support an extremely high premium for a single customer. Indeed, the lack of standard opt-in required quite some organisation, planning and self-discipline, which would have been avoided had the standard tool provided an opt-in. It also meant that controls had to be set up to ensure that the organisational setup did not fail. But all that did not weigh up against an extra fee of over 500k.
  • IT companies often, if not always, place the burden of compliance with regulations on their customers. That is in most cases only fair. However, in SaaS solutions and with more data privacy regulation and enforcement thereof in the (near) future, it is expected that the application provider selected will need to be a solution provider, compliance included, or at least handled in the parameter setting and NOT in customisation.
Privacy impact assessments are not a one off thing. They can and have to be reiterated at times. And the sooner you include them in the project stream, the more they are able to think along with the business towards reasonable solutions, acceptable by all stakeholders.

Budget constraints are real and have to be taken into account by the organisation, including by the DPO. The ideal situation where compliance is 99% certain can be very costly. So sometimes the DPO has to look at the overall picture and see what is feasible and still meets the requirements of the company and the law. In a company that wants to be compliant, there is often a solution to be found in looking at the overall picture of the end-to-end process.

Openness on what is often seen as the "dark side" of marketing data processing (profiling etc.) does not have to turn out to be detrimental to the business. It keeps the company in check and increases the trust customers and data subjects have in the company.

THE POWER OF STORIES

(repetition of the intro of the series:) Stories are of all times, but lately organisational behaviorists and marketers have a renewed interest in them. DPOs have stories as well, from their own experience or heard in their community. And they should use them to engage the organisation, at least to raise awareness, questions and/or discussions. Note that we keep some obscurity and that any reference to a name or situation you may know is likely to be based on coincidence. :-)

CALL TO ACTION

Do you have any good stories? Can you share them (pseudonymised)? (If so, please, do.)

Do you have a story on how to creatively come to a reasonable solution meeting business requirements and compliance requirements?

Wednesday, July 16, 2014

Periodic Awareness Tip #11 - Superheroes

TALK ABOUT SUPERHEROES


Superheroes are in. Books are written about them. The cast of The Big Bang Theory loves comics. Movies on superheroes often make the box office ring.

Superheroes inspire people. They do things that seem beyond the possibilities of humans. And certainly in the past, heroes mostly were beyond the reach of most people: Hercules (among other things, cleaning out the Augean stables), Beowulf (among other things, killing Grendel with his bare hands), ... However, that does not have to be so. Heroes can be ordinary people who - by being courageous - do something that seemed unattainable. Stories place them in legendary or mythical surroundings: David (the one who fought Goliath), Bilbo and Frodo Baggins, Harry Potter, Katniss Everdeen, ... But it can be more down to earth with heroes like Winston Smith (1984), who stands up against Big Brother. In fact, the present narrative is that everybody can be a hero.

Notice that superheroes also have to combine different lives or tasks: their normal activities and their extraordinary activities. That plays into the hands of the message you want to bring as a DPO: "data protection is part of your day-to-day activities".

So the use of some superhero story to overarch the awareness actions in your organisation can instill a sense of "I can do it" or even better "we can do it" among the staff. That collaborative part can be found in superhero stories amongst superheroes like the Avengers, the Justice League, Watchmen, ... but also in support of a superhero like Captain Planet.
 
I know, you should not overdo this. So you may want to limit the use of this theme. But... to reach a certain part of your audience, this may be a nice touch.

INTRO (repeating for the series)

Raising awareness amongst your company's staff is key as the human factor is quite often cited as the weakest link in data protection and security "in the field". Raising awareness also is not a one-off thing. You have to keep hitting the same nail. Preferably though, you try out different angles every time again, as information overload and boredom settle in quite rapidly. So let me periodically and in no particular order share some awareness raising materials. Let's aim for once per week and we'll see where we can get.

CALL TO ACTION

Please do comment on these posts: is this useful? what have you used in your organisation to engage the colleagues? how do you measure success? etc. 

Friday, July 11, 2014

DPO Stories #5 - You've Got Mail... From India With Love

ONCE UPON A TIME...

A CFO of a listed company forwards an e-mail to the data protection officer (DPO) with the following message:
Hi,
I received this e-mail receipt FROM INDIA that relates to an internal e-mail that was highly confidential as it included the preliminary numbers for this quarter of (subsidiary X). Could you have a look at this? We really need to know what happened here. I am not convinced that this is insider information, but even so, better be careful and prepared. Keep me up-to-date!
Best regards.
So the search began.

The e-mail-account of the receipt was a clear indication. It was an "Indian looking" name and the domain name of the e-mail maintenance contractor, who was established in the EU. So the DPO contacted the procurement department for the agreement.

A quick look at the agreement showed that the contractor had not indicated any subcontractors to do the job, but on the other hand the agreement was also a bit fuzzy on whether or not the contractor had to get prior consent of the company to subcontract. It also mentioned an account manager for the company and an escalation path should it be necessary.

The DPO, with the procurement department manager in CC, contacted the account manager at the contractor. Simple question: 
Dear Sir, 
I am the Data Protection Officer of (Company C). 
I attach a screenshot of an e-mail receipt our CFO received that indicates that somebody of or for your company that does not seem to reside in the European Union had access to this e-mail.
As I read the agreement between us (reference number xxx) I do not see any indication that the e-mails, which per se are personal data, are to exit the EU. As you know EU data protection legislation requires us to set up controls if and when our personal data is transferred outside the EU. This receipt therefore worries us. Could you, please, provide us as soon as possible with the context of the e-mail receipt.
Thanks in advance.
The same day the account manager could already confirm that there was a subcontracting agreement with an Indian company. Normally, however, accounts would only be handled in that offshore location after an addendum to the agreement regulating the transfer outside the EU had been agreed upon. Apparently the company had not yet signed that addendum, so something went wrong. As for the specific "peek", he committed firmly to getting to the bottom of it immediately. He must have felt this might turn into a big issue, so he immediately CC'ed his legal department in the discussion.

The day after the e-mail to the account manager, the DPO already knew more about the person mentioned in the e-mail receipt. It was someone who "no longer worked for the Indian company". The DPO never asked, but very likely this incident led to the termination of that employee's agreement. In any case, there was no further explanation of why the e-mail receipt was sent out and why the employee had access to that information.

During the investigation on the contractor's side, the DPO also got a glance at the information in the original e-mail: on-screen, in the CFO's office. It could be determined that the information clearly was not insider information (too vague, too small an impact on the overall numbers, ...), so the financial supervisor did not have to be notified. This supported the decision not to panic over this individual case, but to focus on a solution for the future with the contractor. The classification as highly confidential was however upheld, as it was considered a good thing not to confuse people about the notion, and erring on the safe side was preferred over the alternative.

So, not really wiser on the specific incident, negotiations started with the contractor to amend the agreement. Luckily the legal department of the contractor had in-depth knowledge of data protection regulation, so the solution for the transfer went rather fast, even though a transfer first to an EU contractor and then on to a non-EU subcontractor is not foreseen in the standard contractual clauses. Within a month a final draft was reached and ready for execution.

(We will not go into the details of the solution, as we will pick that up in another section.)

COMMENT

This is a great story to show that a DPO often learns of issues through small signs.

The small signs have to be captured by people "in the field". They have to be open to anomalies and capture them. That is why awareness training is so important. The entire staff being the DPO's eyes and ears is the equivalent of being Argus Panoptes, the guardian with 100 eyes.

The staff needs to be comfortable in reaching out to the DPO. The threshold has to be low. There are a number of requirements to build that relationship with the staff: speed and tone of response, openness, consistency in policy and answers, etc. We will go into that in another series.

The DPO has to be able to triage whether a sign is just a small symptom or a small sign of a (potentially) bigger issue. Here knowing the organisation really well and experience through reading, contacts with colleagues, etc. are a big help. 

Finding out more about what happened off premises at a contractor can be done in several ways, ultimately by an on-premises audit, as should be provided for in the agreement, but... one has to choose wisely what path to take. Quite often the contractor has an interest in finding things out as well. So cooperation and open communication is often a good starting point to find a solid solution quickly. Immediately going for escalation will in most cases close a number of doors even before the investigation is properly started.

There are a few other lessons on the agreement as well, but we will leave that for another story.

THE POWER OF STORIES

(repetition of the intro of the series:) Stories have always been with us, but lately organisational behaviourists and marketers have taken a renewed interest in them. DPOs have stories as well, from their own experience or heard in their community. And they should use them to engage the organisation, at least to raise awareness, questions and/or discussions. Note that we keep some obscurity and that any reference to a name or situation you may know is likely to be based on coincidence. :-)

CALL TO ACTION

Do you have any good stories? Can you share them (pseudonymised)? (If so, please, do.)

Wednesday, July 9, 2014

Periodic Awareness Tip #10 - Passwords

PASSWORDS - MOVIE EXCERPT

Passwords - or broader authentication systems and use thereof - are a nail we have to hit quite often as convenience often trumps the best of intentions in that area.

This is a clip from an old, say vintage, movie on the dangers of computers: WarGames (1983). The interesting part is that the dangers depicted in the movie are manifold. They range from the high-stakes "game" during the Cold War to - as is shown in this excerpt - the small things, like how (not) to treat your passwords.

INTRO (REPEATED FOR THE SERIES)

Raising awareness amongst your company's staff is key as the human factor is quite often cited as the weakest link in data protection and security "in the field". Raising awareness also is not a one-off thing. You have to keep hitting the same nail. Preferably though, you try out different angles every time again, as information overload and boredom settle in quite rapidly. So let me periodically and in no particular order share some awareness raising materials. Let's aim for once per week and we'll see where we can get.

CALL TO ACTION

Please do comment on these posts: is this useful? what have you used in your organisation to engage the colleagues? how do you measure success? etc. 

Monday, July 7, 2014

DPCC Templates - Outsourcing #2 - Relationship Controller-Processor

One of the tasks of a Data Protection Officer (DPO) is to perform checks on how the organisation complies with the law and the internal rules and procedures. Let us call these Data Protection Compliance Checks or DPCCs. They differ from privacy impact assessments (PIAs) in that they are post factum (after the facts) rather than a priori (before implementation).

It always comes in handy to have some guidance and/or template to perform such DPCCs as there are quite a number of things to take into consideration. It also improves the self-discipline of the DPO performing the check and the coherence of the checks over time and different scopes.

Today we published a template on outsourcing.

Outsourcing data processing operations entails specific risks and requirements under the law and under sound risk management.

Therefore a set of three templates has been developed to look at outsourcing of data processing operations:
  1. the (internal) organisation of the controller including policies and procedures,
  2. the relationship between the controller and the processor, mainly via the agreement and
  3. the (internal) organisation of the processor.

The published template aims to give guidance for a check on a specific relationship between a controller and a processor, thus limiting the scope. This template addresses that relationship by looking at several stages from the controller side:

  1. in the selection,
  2. in the agreement and
  3. in (the follow-up of) the performance.

This template should be used in a risk-based fashion. Therefore it is expected that critical, key, and/or high-risk outsourced data processing operations of the controller are submitted to a check with priority.

The result of this check hopefully is a certain comfort in the application of the controller’s procedures and rules with regard to outsourcing data processing operations. If such comfort is not found, it should be determined whether amends can be made, through an amendment to the agreement or the follow-up mechanisms, or a better discipline in applying them. Also, lessons may be learnt with regard to the effectiveness of the controller’s procedures and rules.

Friday, July 4, 2014

Fait divers - Discussions enrich knowledge, most of the time :-)

Earlier today I was in a "tweet" discussion with @BrusselsGeek. I try to present it at the bottom of this post, so you can analyse the back-and-forth yourself.

Discussions are always enriching as they force you to think about your message (and how it came across) and the other's message (and how you interpreted it). On a topic like data protection, my conclusion is that twitter is perhaps not the best forum. A table in the sun with something fresh is to be preferred in more than one way. :-)

Distrust in the private sector

The starting point was the statement that (relating to the right to be forgotten) private profit-making companies shouldn't be in charge of decisions. An implicit reference to the debate over whether or not it should be up to Google to determine if and when they actually remove a search result after being requested to do so by a data subject (via the installed procedure or otherwise).

The regulation actually empowers all controllers

My knee-jerk reaction to such statements is always: private companies take similar decisions on data processing all the time, e.g.
  • do we use the e-mail addresses in our database for direct marketing even if we do not have the consent (opt-in) of the data subject?
  • do we transfer or even sell this personal data to third parties even if the reference to such possibility is tucked away deeply in our general terms and conditions?
  • do we (re-)use this information (e.g. banks' transactional data or friends-only posts on Facebook) for a purpose that is not really that close to the original one?
  • do we enrich our data on our customers with data they have published online by hoovering it and matching it to our database?
  • etc.
Yes, indeed, if you are a controller of personal data, you can and have to make those decisions yourself. The EU data protection legislation has "only" set the (minimum) bar for controllers to be allowed to process personal data. To be a controller the legislation does not make a distinction between a private or public body. They both can be a controller, if and when they “alone or jointly with others determine() the purposes and means of the processing of personal data”.

The "guidance" controllers get there is embedded in the EU Personal Data Protection Directive. And yes, that text leaves a lot of room for interpretation, especially, but not only, with regard to the bases for legitimate processing (see art. 7 of the Directive for the correct wording), with concepts like:
  • consent (the Art. 29 WP text hereon is not binding)
  • duty under the law (which - in the interpretation of the authorities - then cannot be a law of another country, and especially not a law of a non-EEA country, and which is all too often badly drafted)
  • when the balance between the controller's interest and the data subject's interest is not broken (the "balance test")
And no, there is no hand holding or oversight by the data protection authorities. At the very least, they do not have the resources for that. 

The control on the controllers is ad hoc. The data subject who suspects something or has discovered misbehaviour can exercise their rights, including the right of access, the right to rectify and the right to block. The data subject can also ask for support from the data protection authorities or the courts. There is no, or barely any, (pro-)active control by data protection authorities.

The system fails (?)

This way, things in reality do not result in the behaviour wanted of the controllers. From time to time a case surfaces above the water that covers up day-to-day practice.

Facebook, as well as Google, has become a scapegoat for such cases:
  • they change their privacy statement and especially the purposes for which the personal data can be used
  • they use personal data in the background for all kinds of "creepy" stuff: know what people type and don't post, see how they react to skewing the posts they actually see, etc. 
But Facebook is far from alone. My impression is that hardly a single controller is compliant. Some really and honestly try, but being fully compliant on all accounts of the data protection legislation is near impossible in an age where (personal) data is one of the key resources in the economy, omnipresent (the so-called datafication) and under the de facto control of anybody with access to it (and with a smart phone).

One high-profile specific "fail": Google reacting to the right to block

Now, the European Court of Justice in its recent decision in the Gonzalez case applied the rules and stated that Google had no case in rejecting the request to block by Mr. Gonzalez. This came to be known as a de facto right to be forgotten, a concept that has emerged from doctrine, but is also enshrined in the new draft EU Data Protection Regulation.

So Google set up procedures to comply to this interpretation of the law. Organising itself to reasonably follow the "guidance" the ECJ gave. One can imagine that is not easy, as the ECJ did not aim to give full guidance. It only ruled in that particular case and gave some comment on the side ("obiter dictum"), which is non-binding and not complete.

So comments roll in.
  • "Google acts as if it is God." 
  • "Google shouldn't be deciding on this."
  • "Google is doing a bad job."
But is it really?
  • Google had or should have had an internal procedure to respond to data subjects exercising their rights under the PDP legislation. All they did after the ECJ ruling was to adapt it to the new situation, make it more uniform to be able to process them easier and faster (like any operations manager would do) and put a spotlight on it whereas before it was dug in deep in the Terms of Service / Privacy Statement.
  • Requests of data subjects exercising their rights under the PDP law have to be assessed on a case-by-case basis. But obviously you want to insert some consistency into the system, so you look at new types of request more in depth, "rule" on them with your privacy A-team, and then instruct your B-team to act the same, unless there is a relevant distinction to be made. Basically, this is how the stare decisis system of precedent in the US and UK judiciary works.
  • The decisions by the A-team are guided by the law and the law for some requests give latitude to the decision maker. The main example is where the basis for the legitimate processing is the balance test of art. 7 f of the European PDP Directive.

The next step : Outcry for Oversight

The consequence of the negative comments is an outcry for oversight. Google, or search engines in general, should be supervised in their assessment of situations where the legislator has given latitude to the controllers. Why did the legislator do that? Very likely for multiple reasons: they wanted a catch-all, they didn't know themselves, they wanted to be future-proof / technology neutral, they accepted some suggestions by lobbyists, etc. That is politics.

So the legislator should turn that around, and install oversight that goes beyond the current controls (see above)? That is a politically valid request.

My question then is, is that better and can you validly and reasonably organise that?

First, oversight by whom?

(a) By the government? Do we really trust the government? Remember that privacy more or less started off as a "shield" against people we per se have to trust (like doctors, lawyers, ...) and against the government (e.g. the 4th Amendment in the US Bill of Rights). Now, with multinational companies that are bigger than x% of the countries in the world (in terms of market cap or turnover v GDP), they seem to be the leviathan to be feared and fended off. So has government turned into the lesser of two evils? That argument sets off the alarm in my head that refers to abuses of data in a government environment:
  • do we want a system like the one that was set up for the NSA: an independent FISA court? Hmm, that failed. See Snowden.
  • do we want a system like the one that was set up for SWIFT after the debacle in 2006? Hmm, that failed. See the follow-up report on that.
  • do we want a system like the one that was set up for the DPOs in the EU instances: the EDPS? Hmm, not in the scope of their mandate. And it de facto is really close to the current controls (see higher) on other controllers (see e.g. the contribution of Renaudière in the CPDP panel - start somewhere at 33' if you want to focus).
  • do we want a system where the Data Protection Authorities have the oversight? Hmm, then you at least have the general problem of who oversees the overseers. Moreover, from the experience in the financial sector, authorities do not want to carry that first-line burden. It makes them "liable" (even if the law exonerates them). Just look at the fate of quite a number of supervisory structures in countries hit by the economic and financial crisis. "They did not see it coming."
I personally am not convinced. You?

(b) By another non-governmental body? Does that give us more comfort? Oversight is human, just as the actual assessment is. It is subject to perspectives, bias, prejudices, etc. But yes, you could install privacy advocates, but won't they skew towards blocking? Or you could install free speech advocates, but won't they skew towards not blocking? We can put both in to balance each other, but does that not bring us back to the starting point, where it is Google's responsibility to try to strike that balance?

Let me add some personal experience here, and I think any compliance officer in a financial institution will in whole or in part relate: after setting up policies with departments in a company, after advising in specific cases, after controlling the implementation of the policies, ... for years, you become biased yourself. The thing is that you have to know it, be aware of it. So in cases where I knew the stakes were high, I consulted with third parties, gave them my arguments and explicitly asked them to chop them down, forcefully. I call that the House approach, after Dr. Gregory House, yes, from the TV series. You may think you have the answer and be 99% sure that you do, but you want to do the right thing, so you have it challenged by the best people you can find.

I have no inside information on how Google does it, but I can imagine, with the eyes of quite a lot of groups with different angles on them, that they are very aware of their responsibility and do apply the House approach or something similar. In any case, I am prepared to give them the benefit of the doubt. And yes, they will make mistakes. If the number of files runs into the tens of thousands, statistically, they are bound to. But if you tackle that by any type of oversight, the law of large numbers gives me a hunch that that oversight will fail at times as well.

So my question remains, as I do not have the answer, is there a solid way of oversight that is better than the current system:
  • the controller is responsible "in the front line"
  • the data subject has options to challenge further, before DPAs and courts
I am open to suggestions.

The last step : ... but only for search engines, they are special


Search engines are special in the sense that they have the specific added value to retrieve things on the internet, that is basically just a giant haystack. So they should have that oversight over them. 
  • I refer to my general argument that oversight that goes beyond what is installed now is in my opinion not really value adding. 
  • But I dare to add the question: are they really that special? What about social platforms, where things get picked up and spread by virtual word of mouth? What about banks and payment institutions that have information on your transactions that is at times more "valuable" than metadata of phone calls? What about cloud providers that at least in theory have access to so much data that big data solutions can spin quite a lot of derivatives out of it? Where does it stop?
And all of the above (and more) was, tweet-wise, condensed to the reply:
A bit short sighted. All "controllers" make such decisions in assessing a request by data subjects, setting up data processes

So I end where I began: this is an interesting discussion that should have taken place on a terrace in the sun with a fresh drink. Perhaps an idea to engage in... after the World Cup, of course. ;-)


THE END 
... for now

  1. That's precisely what I meant- the ruling clarifies that a search engine is a controller. It doesn't change my general view
  2. But then you challenge the foundation of the DP legislation, namely that complying corporations can decide to process data
  3. 2/2 that they shouldn't be unilaterally removing links to (perfectly accurate) information Need external oversight at least
  4. Which bit of DP legislation? The current draft Reg, or the old Dir that the ruling was based on?
  5. all controllers make similar assessments all the time, you can't have oversight on all those decisions
  6. Either way,"processing" certainly should be more narrowly defined.
  7. that would narrow the scope of the legislation which would lower the protection offered by law
  8. There you're only looking at *personal* data willingly given by the data subject. Totally not the case with RTBF requests.
  9. info gathered without consent and elsewhere is in as well, art 7f and 11 PDP Directive (basis for ECJ)
  10. Then why on earth did you post a link to an irrelevant blog? None of this makes any difference to the underlying problem.
  11. You want oversight, I say then you should install that for all controller as all decide on "fluffy" grounds (ao7f)
  12. You're forgetting the issue of scope. Search engines aren't like other controllers.
  13. That's my point, they are not. The ECJ does not say that. "RTFB" was exercised against the newspaper also and denied.