
SOCIAL SECURITY DATABASES AS PUBLIC REGISTERS.
PRIVACY AND CONFIDENTIALITY ISSUES
OF THE INTEROPERABLE E-ADMINISTRATION
“Efficient e-Services In Social Security”
organised by ISSA European Network
& Zakład Ubezpieczeń Społecznych
WOJCIECH WIEWIÓROWSKI PhD
Inspector General for Personal Data Protection, Poland
Laboratory of Legal Informatics, Faculty of Law and Administration, University of Gdansk
Warsaw, May 24-25th, 2012
Generalny Inspektor
Ochrony Danych Osobowych
ul. Stawki 2, 00-193 Warszawa
www.giodo.gov.pl
[email protected]
© M. Narojek for GIODO 2011
EUROPEAN DATA PROTECTION LAW
• Convention no. 108, Council of Europe
• Directive 95/46/EC
• Directive 2002/58/EC
• Charter of Fundamental Rights of the European Union (Article 8)
• Article 16 of the Treaty on the Functioning of the European Union
POLISH DATA PROTECTION LEGISLATION
• The Act on Personal Data Protection – passed on 29 August 1997,
entered into force on 30 April 1998
• Three law enforcement provisions (Regulations)
POLISH CONSTITUTIONAL RULES ON PRIVACY
AND DATA PROTECTION LEGISLATION
Article 31
1. Freedom of the person shall receive legal protection.
2. Everyone shall respect the freedoms and rights of others. No one
shall be compelled to do that which is not required by law.
3. Any limitation upon the exercise of constitutional freedoms and
rights may be imposed only by statute, and only when necessary in
a democratic state for the protection of its security or public order,
or to protect the natural environment, health or public morals, or
the freedoms and rights of other persons. Such limitations shall not
violate the essence of freedoms and rights.
POLISH CONSTITUTIONAL RULES ON PRIVACY
AND DATA PROTECTION LEGISLATION
Article 47
Everyone shall have the right to legal protection of his private and family life,
of his honour and good reputation and to make decisions about his
personal life.
Article 49
The freedom and privacy of communication shall be ensured. Any limitations
thereon may be imposed only in cases and in a manner specified by
statute.
POLISH CONSTITUTIONAL RULES ON PRIVACY
AND DATA PROTECTION LEGISLATION
Article 51
1. No one may be obliged, except on the basis of statute, to disclose
information concerning his person.
2. Public authorities shall not acquire, collect nor make accessible
information on citizens other than that which is necessary in a democratic
state ruled by law.
3. Everyone shall have a right of access to official documents and data
collections concerning himself. Limitations upon such rights may be
established by statute.
4. Everyone shall have the right to demand the correction or deletion of
untrue or incomplete information, or information acquired by means
contrary to statute.
5. Principles and procedures for collection of and access to information
shall be specified by statute.
DIGITAL AGENDA ON E-GOVERNMENT
2.7.4. eGovernment
The Commission will:
• Key Action 16: Propose by 2012 a Council and Parliament Decision to
ensure mutual recognition of e-identification and e-authentication across
the EU based on online 'authentication services' to be offered in all
Member States (which may use the most appropriate official citizen
documents – issued by the public or the private sector);
Other actions:
• Support seamless cross-border eGovernment services in the single market
through the Competitiveness and Innovation Programme (CIP) and
Interoperability Solutions for European Public Administrations (ISA)
Programme;
DIGITAL AGENDA ON E-GOVERNMENT
2.7.4. eGovernment
Member States should:
• Make eGovernment services fully interoperable, overcoming
organisational, technical or semantic barriers and supporting IPv6;
• Ensure that the Points of Single contact function as fully fledged
eGovernment centres beyond requirements and areas covered by the
Services Directive;
• Agree by 2011 on a common list of key cross-border public services that
correspond to well defined needs – enabling entrepreneurs to set up and
run a business anywhere in Europe independently of their original location,
and allowing citizens to study, work, reside and retire anywhere in the
European Union. These key services should be available online by 2015.
PUBLIC RESOURCES
Information is gathered by public sector entities for purposes that are
in line with the constitutional principle of Article 7: “The organs of public
authority shall function on the basis of, and within the limits of, the law”.
This information is transferred to entities that can use the same
information for purposes it was not collected for.
Do we need to agree that our personal data will become public sector
information and will be “re-usable” according to EU law?
Can they be used in order to create our personal profile?
PROFILING
“Profile” refers to a set of data characterising a category
of individuals that is intended to be applied to an
individual.
“Profiling” means an automatic data processing
technique that consists of applying a “profile” to an
individual, namely in order to take decisions concerning
him or her; or for analysing or predicting personal
preferences, behaviours and attitudes.
PROFILING
Building profiles according to the Art. 29 Working Party
There are two main approaches to building user profiles:
i) Predictive profiles are established by inference from observing individual and
collective user behaviour over time, particularly by monitoring visited pages and
ads viewed or clicked on.
ii) Explicit profiles are created from personal data that data subjects themselves
provide to a web service, such as by registering.
Both approaches can be combined. Additionally, predictive profiles may be made
explicit at a later time, when a data subject creates login credentials for a website.
Opinion 2/2010 of the Art. 29 WP on behavioural advertising, adopted on June 22, 2010,
page 8
PROFILING
Profiling is generally used in order to
1. get a sociological and psychological assessment of the client
2. discover the material and social status of the client
3. create suggestions and strategies to be used in marketing activities
I would accept such an explanation of profiling for marketing purposes
…. but …..
….. This is a thesis of FBI experts on criminal profiling.
I have just exchanged the notions “offender” v. “client” and “investigation” v. “marketing
activities”
R. M. Holmes, S. T. Holmes: Profiling Violent Crimes: An Investigative Tool, 4th
Ed., Thousand Oaks: Sage Publications, Inc. 2008
PUBLIC RESOURCES
Taking into consideration that data from public registers can be treated as
public sector information, we should get used to the fact that data from the
formally public land and mortgage register can be re-used and combined
with:
- INSPIRE registers and databases,
- physical and urban planning documents,
- registers of legal persons, associations etc.,
- statistical registers (REGON, TERYT in Poland),
- public offers for debt trading purposes,
- property statements of state officers (not only politicians but also public
kindergarten and library managers),
- client data possessed by the profiling entity.
INFORMATION INFRASTRUCTURE OF THE STATE
Classic definition of the state by Georg Jellinek (1851-1911).
The state shall have:
• territory,
• citizens,
• powers (today – law).
Information infrastructure of the state:
1) The resources explaining what the state looks like (geospatial information),
who resides in the state and which organisations (e.g. legal persons) exist,
as well as information on what the authorities are and which law is in force.
GIS + registers + legal information-retrieval systems
2) The system consisting of institutions, entities, resources and ICT systems and technologies
which are the basis for the existing social (including legal), political and economic relations.
J. Oleński, Infrastruktura informacyjna państwa w globalnej gospodarce,
Warsaw 2006, p. 270-272.
RE-USE IN THE NEW STYLE
2. This Directive shall not apply to:
[…]
(c) documents which are excluded from access by virtue of the access regimes in the
Member States, including on the grounds of:
– the protection of national security (i.e. State security), defence, or public security,
– statistical or commercial confidentiality;
(d) documents held by public service broadcasters and their subsidiaries, and by
other bodies or their subsidiaries for the fulfilment of a public service broadcasting
remit;
(e) documents held by educational and research establishments, such as [schools,
universities, archives, libraries and] research facilities including, where relevant,
organisations established for the transfer of research results, schools and
universities (except university libraries in respect of documents other than research
documents protected by third party intellectual property rights) and
(f) documents held by cultural establishments other than libraries, museums and
archives.
RE-USE IN THE NEW STYLE
Article 3 General principle
1. Subject to paragraph (2) Member States shall ensure that documents
referred to in Article 1 shall be re-usable for commercial or non-commercial
purposes in accordance with the conditions set out in Chapters III and IV.
2. For documents for which libraries (including university libraries),
museums and archives have intellectual property rights, Member States
shall ensure that, where the re-use of documents is allowed, these
documents shall be re-usable for commercial or non-commercial purposes
in accordance with the conditions set out in Chapters III and IV.
DOCUMENT
• This Directive lays down a generic definition of the term
"document", in line with developments in the information society.
• It covers any representation of acts, facts or information – and any
compilation of such acts, facts or information – whatever its
medium (written on paper, or stored in electronic form or as a
sound, visual or audiovisual recording), held by public sector
bodies. A document held by a public sector body is a document
where the public sector body has the right to authorise re-use.
DATA PORTABILITY IN THE DRAFT
GENERAL DATA PROTECTION REGULATION
Article 18
Right to data portability
1. The data subject shall have the right, where personal data are processed by
electronic means and in a structured and commonly used format, to obtain from the
controller a copy of data undergoing processing in an electronic and structured
format which is commonly used and allows for further use by the data subject.
2. Where the data subject has provided the personal data and the processing is
based on consent or on a contract, the data subject shall have the right to transmit
those personal data and any other information provided by the data subject and
retained by an automated processing system, into another one, in an electronic
format which is commonly used, without hindrance from the controller from whom the
personal data are withdrawn.
3. The Commission may specify the electronic format referred to in paragraph 1 and
the technical standards, modalities and procedures for the transmission of personal
data pursuant to paragraph 2. Those implementing acts shall be adopted in
accordance with the examination procedure referred to in Article 87(2).
EUROPEAN INTEROPERABILITY STRATEGY
The Commission proposes to combine two approaches to drive European
interoperability activities within the three clusters and the two accompanying
measures mentioned above:
14.1. Top-down (or global) approach:
The political context and its evolution are taken into account: the Europe 2020
strategy and the Digital Agenda for Europe.
Development of various frameworks such as the EIS, the European Interoperability
Framework (EIF), architecture guidelines and other methods and guidelines.
Assessment of the ICT implications of new EU legislation proposed.
14.2. Bottom-up (or sectoral) approach:
Working via sectoral projects on relevant specific topics (e.g. semantics, trust and
privacy or architecture) providing an opportunity to tackle real interoperability
challenges. This approach will allow existing frameworks and guidelines to be tested
against concrete needs and will furthermore ensure that new services and tools are
developed based on clearly defined needs.
When developing new services and tools in a specific sector, the potential for reusing
such solutions in other sectors should be kept in mind.
EUROPEAN INTEROPERABILITY STRATEGY
14.3. For the cluster ‘Trusted Information Exchange’:
To work via a limited number of politically relevant and concrete sectoral
projects at EU and Member State levels;
To continue supporting, at EU level, efforts towards the interoperability of
key enablers such as eID, eSignature, etc.;
To continue the SEMIC approach and its methodology;
To work towards opening up base registers, taking into account associated
best practices, the possible related risks and opportunities, as well as the
various needs and expectations of the main stakeholders.
To work towards the establishment of a federated catalogue of services
offered by public administrations in the EU.
EUROPEAN INTEROPERABILITY STRATEGY
14.4. For the cluster ‘Interoperability Architecture’:
To develop a joint vision on interoperability architecture by first defining its
scope and the needs for common infrastructure services and common
interface standards;
To provide guidance on architecture domains where Member States share a
common interest;
To ensure the systematic reuse of architectural building blocks by the
Commission when developing services to be used by the Member States.
Here, existing infrastructure service components (EIIS) along with generic
applications (IMI6, early alert systems, grant management, etc.) could be
reused and rationalised. Additionally, a catalogue of architectural building
blocks available for reuse by the Member States and the Commission
could be set up with contributions from the EU and Member States.
EUROPEAN INTEROPERABILITY STRATEGY
14.5. For the cluster ‘Assessment of the ICT implications of new EU
Legislation’:
To develop guidelines and methodologies at Commission and Member State
level;
To test the usefulness of these guidelines by applying them to concrete
cases involving policymakers and legal and ICT experts;
To ensure continuous improvement of the guidelines and methodologies
based on the lessons learned from experience;
To ensure general application of the practice of assessing ICT implications
towards a more systematic approach whenever changes occur in
legislation (e.g. amendments or additions to ICT-related legislation).
EUROPEAN INTEROPERABILITY STRATEGY
‘Interoperability, within the context of European public service delivery, is the
ability of disparate and diverse organisations to interact towards mutually
beneficial and agreed common goals, involving the sharing of information
and knowledge between the organisations, through the business
processes they support, by means of the exchange of data between their
respective ICT systems.’
Interoperability is multilateral by nature and is best understood as a shared
value of a community
EUROPEAN INTEROPERABILITY STRATEGY
European Interoperability Framework for European Public Services - Annex 2 to the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of Regions 'Towards interoperability for European public services', p. 8
EUROPEAN INTEROPERABILITY STRATEGY
European Interoperability Framework for European Public Services - Annex 2 to the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of Regions 'Towards interoperability for European public services', p. 19
EUROPEAN INTEROPERABILITY STRATEGY
2.5 Underlying principle 4: Security and privacy
Citizens and businesses must be assured that they interact with public
administrations in an environment of trust and in full compliance with
the relevant regulations, e.g. on privacy and data protection. This means
that public administrations must guarantee the privacy of citizens and
the confidentiality of information provided by businesses.
Subject to security constraints, citizens and businesses should have
the right to verify the information that administrations have collected about
them and to be consulted whether this information may be used for
purposes other than those for which it was originally supplied.
Recommendation 3. Public administrations should consider the
specific needs of each European public service, within the context of
a common security and privacy policy.
MANY MODELS OF DATA PROTECTION
AUTHORITIES
THANK YOU FOR YOUR
ATTENTION !
[email protected]
http://edugiodo.giodo.gov.pl