
Friday, November 14th 2008
12:00 – 14:30 hrs.
PANEL:
Protection of personal data in the present times
PANELIST:
Mr. Reijo Aarnio, Data Protection Ombudsman, Finland
OFFICE OF THE DATA PROTECTION OMBUDSMAN
The development and history of data protection. What is data protection?
1. The oath of Hippocrates
2. Great revolutions
3. World War II
4. The development of the ICT
5. Trust in the information society
OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio
I Pillar
Data protection legislation has expanded and the rights of data subjects have improved over the past few decades. The figure describes the umbrella of data protection, although not exhaustively.
III Pillar
- LISBON TREATY
- FRAMEWORK DECISION
BASIC QUESTION
”legal dispute”
HAVE FUN WITH THE BOYS ON THE TOWN, DARLING! ??
The Constitution of Finland (731/1999)
Section 10 - The right to privacy
”Everyone's private life, honour and the sanctity of the home
are guaranteed. More detailed provisions on the
protection of personal data are laid down by an Act.
The secrecy of correspondence, telephony and other
confidential communications is inviolable.
Measures encroaching on the sanctity of the home, and
which are necessary for the purpose of guaranteeing basic
rights and liberties or for the investigation of crime, may be
laid down by an Act. In addition, provisions concerning
limitations of the secrecy of communications which are
necessary in the investigation of crimes that jeopardise the
security of the individual or society or the sanctity of the
home, at trials and security checks, as well as during the
deprivation of liberty may be laid down by an Act”.
PRIVACY
PROTECTION OF PRIVATE LIFE
- CRIMINAL CODE, CHAPTER 24
COMMUNICATION
- FREEDOM OF SPEECH
- SECRECY REGULATIONS
Protection of the:
- content
- traffic data
DATA PROTECTION
- PERSONAL DATA ACT
- right to know and to affect/impact
- right to organise one’s private life
- Automatic processing of personal data and keeping of register
- CONSTITUTION/FUNDAMENTAL LAW 12 §
- ACT ON THE OPENNESS OF GOVERNMENT ACTIVITIES
self-determination
remoteness
isolation
secrecy
PRIVACY
social connections
accessibility
publicity
community
What does “data protection” mean?
- the right to control and decide how (autonomy)
- the right to know who
- the right to live your life without undue interference (confidentiality in all communications, regulated by law)
- the right to be evaluated on the basis of correct and relevant information
- the right to know what criteria automatic decision-making systems are based on
- the right to trust data security = secures other rights
- the right to receive assistance from independent authorities
- the right to be treated in accordance with all other basic rights (democracy)
- the right to have access to public documents
- freedom of speech
Why all these rights?
We need these rights so that:
- WE CAN DEFEND OUR RIGHTS
- our human dignity is respected
- our autonomy is respected
- our honour is respected
- we will not be discriminated against
- our equality as citizens is secured.
→ GOOD QUALITY OF LIFE
Framework for the regulation (information society)
GLOBAL ENVIRONMENT AND NATIONAL STATES
DIRECT AND INDIRECT IMPACTS
- OECD,
- UNITED NATIONS
- OTHER SUPRANATIONAL ORG.
COUNCIL OF EUROPE
EU
NATIONAL STATES
LEGISLATION/
DATA PROT.
AND PUBLICITY FUNCTIONS
(COMMUNICATION)
LEGISLATION
LEGISLATION/SECTORS
CODES OF CONDUCT
Directive 95/46/EC of the European Parliament and of the
Council of 24 October 1995 on the protection of
individuals with regard to the processing of personal data and
on the free movement of such data
Recital 72:
”Whereas this Directive allows the principle of public
access to official documents to be taken into account
when implementing the principles set out in this
Directive”
Act on the Openness of Government Activities (621/1999)
”Section 18 — Good practice on information management
In order to create and realise good practice on information
management, the authorities shall see to the appropriate availability,
usability, protection, integrity and other matters of quality pertaining
to documents and information management systems and, for this
purpose, especially:
(1.1) maintain an index of any matters submitted and taken up for
consideration and any matters considered and decided, or otherwise
make sure that their public documents can be easily located;
(1.2) draw up and make available specifications on their information
management systems and the public information contained therein,
unless granting access to such information would be contrary to the
provisions in section 24 or in some other Act;
(1.3) when the introduction of information management systems or
administrative or legislative reforms are being prepared, analyse the
effect of the proposed reform on the publicity, secrecy and protection
of documents and on the quality of the information contained therein,
as well as undertake the necessary measures for the safeguarding of
the rights pertaining to the information and its quality, and for the
arrangement of the protection of the documents, the information
management systems and the information contained therein;
(1.4) plan and realise their document and information administration
and the information management systems and computer systems they
maintain in a manner allowing for the effortless realisation of access
to the documents and for the appropriate archiving or destruction of
the documents, the information management systems and the
information contained therein, as well as for the appropriate
safeguarding and data security arrangements for the protection,
integrity and quality of the documents, the information management
systems and the information contained therein, paying due attention to
the significance of the information and the uses to which it is to be
put, to the risks to the documents and the information management
systems and to the costs incurred by the data security arrangements;
(1.5) see to it that their personnel are adequately informed of the right
of access to the documents they deal with and the procedures, data
security arrangements and division of tasks relating to the provision of
access and the management of information, as well as to the
safeguarding of information, documents and information management
systems, and that compliance with the provisions, orders and
guidelines issued for the realisation of good practice on information
management is properly monitored.
(2) More detailed provisions on the measures necessary for the
realisation of the obligations provided in paragraph (1) shall be issued
by Decree. However, more detailed provisions on the diaries of the
courts and prosecutors shall be issued by the Ministry of Justice.
Provisions may be issued by Decree on the powers of the Government
to issue more detailed orders and guidelines on the technical
specifications for data security arrangements and procedures for the
safeguarding of information management systems and the information
contained therein, ensuring the integrity and quality of the information
and the transfer of information by way of data networks, as well as on
the classification, within the State administration, of the pertinent
documents, information management systems and the information
contained therein.
(3) The provisions in the Archives Act (831/1994) and the provisions
and orders issued on the basis of that Act apply to the duties of the
archive service.
Act on the Openness of Government Activities (621/1999)
Section 16.3. — Modes of access
Access may be granted to a personal data filing system controlled by
an authority in the form of a copy or a printout, or an electronic-format
copy of the contents of the system, unless specifically otherwise
provided in an Act, if the person requesting access has the right to
record and use such data according to the legislation on the protection
of personal data. However, access to personal data for purposes of
direct marketing, polls or market research shall not be granted unless
specifically otherwise provided or unless the data subject has
consented to the same.
Directive 95/46/EC of the European Parliament and of the
Council of 24 October 1995 on the protection of
individuals with regard to the processing of personal data and
on the free movement of such data
Recital 2:
”Whereas data-processing systems are designed to serve
man; whereas they must, whatever the nationality or
residence of natural persons, respect their fundamental
rights and freedoms, notably the right to privacy, and
contribute to economic and social progress, trade
expansion and the well-being of individuals;”
PERSONAL DATA ACT
Description of the processing of personal data and the evaluation of lawfulness
Act on Access to Public Documents
PERSONAL DATA FILE
- Analyse Your business (5§, 6§)
- Start
- Purpose of processing (3§ paragraph 3, 6§)
- Planning, Carefulness (5§, 6§)
- Right to use (8§, 12§, 13§, 4th Chapter)
- Use only for the original purpose (7§)
- Where from the information is collected (9§)
- Information (9§, 13§)
- Where to the information is given (8§, 12§, 13§, 4th Chapter)
- Destroy! Put into archive! (34§)
- Informing the data subject (24§)
- The other rights of the data subject (24§, 25-29§)
- Data security (32§)
- Using external service providers (8.1§ paragraph 7)
- Administration of use (5§)
- Transferring to abroad (22§, 23§)
- Name the person in charge! (5§)
- Description of the file (10§)
- Keep available! (10§)
- Instruct! Guide! (5§)
- Notifications to authorities (36§, 37§)
According to Bennett (2002):
The main duties/roles of Data Protection Ombudsmen
1. Public counsel, ombudsman
2. Inspector
3. Consultant
4. Educator
5. Political adviser
6. Negotiator
7. Executor
8. International emissary
Operation Environment and Duties
Guidance
Follow-up
Legal protection
International legal protection
Statements
Initiatives
CITIZENS
LEGISLATION
Direction
Support
Public relations
Follow-up
MINISTRY OF JUSTICE
MEDIA ETC.
STAFF
OFFICE OF THE DATA PROTECTION OMBUDSMAN
INTERNATIONAL ISSUES
SYSTEMS
Objective: Good data processing practices
Development
Human resources
Internal communications
CONTROLLERS
Codes of conduct
Inspection
Guidance, rectifications
Education
Reports to the Data Protection Ombudsman
International issues
EU co-operation
- WP 29
- Schengen
- Europol
- Others
The interest groups related to the Office of the Data Protection Ombudsman (DPO) / Finland
Cooperation: DPO + CONSUMER OMBUDSMAN + FINNISH COMMUNICATIONS REGULATORY AUTHORITY (Ficora)
Ministry of Justice
Parliament
Other ministries
(§)
Performance management
Information Society Council
Telecommunications Advisory Board
National Information Security Strategy
Ministry of Social Affairs and Health
working group on labour issues
EXPERTS, CONSULTANTS
DATA PROTECTION BOARD
SUPREME ADMIN. COURT
ADMINISTRATIVE COURTS
= operational
= statutory
MAIN HEADQUARTERS
SECURITY POLICE
Finnish News Agency
POLICE
Press corps (juridic)
PROSECUTING AUTHORITY
LAW-MAKING (LEGISLATION)
MINISTRY OF JUSTICE
CITIZENS
Office of the Data Protection Ombudsman (DPO)
ESTABLISHMENT
CONTROLLERS
Work groups initiated by DPO
Steering Group of Information Security in State Government
Ficora / CERT
Advertising agencies
THE MEDIA (etc.)
Staff (Human resources)
INTERNATIONAL ISSUES
Publishing house (Stellatum)
Safety delegate
Ministry for Foreign Affairs
WP 29
The fields of activities (org.)
Personal Data Act 42 §
European Commission
TRAINING
Europol, Schengen, Eurodac, Customs (datasystems)
Association of Finnish Local and Regional Authorities
Center for Research and Development of Welfare and Health
National Archive
Prime Minister’s Office / public relations department
Executive assistance / member states of EU / authorities
”LUOTI” project / POSITIVE CIRCULAR EFFECT (www.luoti.fi)
DEVELOPMENT OF THE INFORMATION SOCIETY
ENHANCING CONFIDENCE
NATIONAL COMPETITIVENESS
MORE EFFECTIVE USE OF ICT TECHNOLOGY
”LUOTI” project / LAUNCHED IN FINLAND / spring 2005 (www.luoti.fi)
- aims to enhance the information security of multi-channel digital services and to improve the consumer’s trust in new electronic services.
- part of the National Data Protection Strategy.
- Goal: to identify future risks endangering data protection and information security as well as to find ways to counteract these risks.
- During 2006, a guide for service developers on data security issues concerning digital services will be published.
- investigates the need to develop the legislation on data protection issues in digital services
- investigates the need for research and education on the subject
- develops a new concept where information security and data protection are included in the digital services from the very beginning of their development phase.
Changing forces
= The factors that prime us to move on to the ubiquitous computing society (combined effect)
- Telecommunications trunk networks will be replaced with optical networks, which have a higher data transmission capacity
- Simultaneously, the basic technology of wireless local and short-range networks has been developed and their adoption has begun, or has already partly happened
- Various remote-sensing devices and positioning technologies already familiar to us are also part of our world today
- All data transmission will shift to Internet-based technology. With the adoption of the new IP address system we will no longer talk about “connecting people” but about “connecting all things and people”.
- Open component-based software architecture will increasingly support many important functions, such as identification, identity management, session management, positioning and information management. Perhaps even confidence (PET).
- XML-based languages enable the compatibility of technologies used by various application areas
- Small terminal devices will become more common and converge
- Hidden functions related to technology.
UBIQUITOUS SOCIETY
Our role as users of technology is rapidly changing:
readers → storytellers
viewers → active players
passive listeners → active talkers
users → developers
consumers → producers
subjects → participants
CONCLUSION
Data protection is a value associated with democracy. Its roots lie deep in human rights and the European values based on them.
Ubiquitous computing can, at its worst, or almost certainly, threaten these values.
→ We need a value debate penetrating through all of society.
TRADITIONAL DP-MODEL
LAW ENFORCEMENT AUTHORITIES
DATA SUBJECT
DATA PROTECTION PRINCIPLES:
- FINALITY
- QUALITY
- PROPORTIONALITY
- ACCURACY
PERSONAL DATA FILES
DATA CONTROLLER
”NEW DP-MODEL”
DATA SUBJECT
PARLIAMENT
COMPETENCIES
LAW ENFORCEMENT AUTHORITIES
LICENSE
THE COURT
DATA PROTECTION SHOULD BE INTEGRATED!
- PRINCIPLES
* FINALITY
* QUALITY
* PROPORTIONALITY
* ACCURACY
FILES
DATA CONTROLLER
THANK YOU FOR LISTENING!