Overview of privacy and data protection considerations for DEVELOP
Uploaded by trilateral-research (category: Technology)
ETHICAL, PRIVACY & DATA PROTECTION CONSIDERATIONS
Joanna Simon & Rachel Finn, Trilateral Research Ltd
PRIVACY, DATA PROTECTION & ETHICAL CONSIDERATIONS
Ethical considerations
Privacy challenges
Data protection legislation
Ethical values and principles underpin and inform privacy and data protection considerations. The concepts are intertwined. It is not simply about legislative compliance.
ETHICAL VALUES – RESPECT FOR AUTONOMY & DIGNITY
Autonomy (equated with liberty) – Art 6 European Charter of Fundamental Rights, Art 3 UN Universal Declaration of Human Rights
QUESTIONS:
o Does DEVELOP curtail a person’s liberty in any way?
o Does DEVELOP have implications for a person’s freedom of movement or association?
o Is there a meaningful choice? I.e., what are the implications of not participating?
Dignity – Art 1 Charter, Art 1 Universal Declaration
People should be able to participate actively in the formation and implementation of policies that affect their well-being, and be treated fairly regardless of age, gender, racial or ethnic background, disability or other status.
QUESTIONS:
o Does DEVELOP violate dignity?
o Does DEVELOP mark users as cognitively or physically disabled (perhaps via non-participation)?
PRIVACY is an essential component of autonomy and dignity
OTHER ETHICAL VALUES
Various other relevant ethical values, e.g. inclusion/exclusion, isolation, discrimination, beneficence, accessibility
Does DEVELOP have any effect on the inclusion or exclusion of any groups?
Will DEVELOP replace human contact?
Could DEVELOP be seen as stigmatising for any particular group, including those who do not use the system?
Could DEVELOP be perceived as discriminating against any groups?
Who benefits and in what way? Employer, user, etc.?
Is a certain level of technological knowledge or physical capability required?
What are the consequences of not participating?
RIGHT AND EXPECTATION OF PRIVACY
Article 8 European Convention on Human Rights – protects the private life of individuals against arbitrary interference by public authorities and private organisations; covers 4 areas:
o private life
o family life
o home
o correspondence
Article 7 Charter of Fundamental Rights of the European Union
EU DATA PROTECTION LAW
Legal Framework
Charter of Fundamental Rights of the European Union enshrines data protection as a fundamental right
An individual’s personal data must be adequately protected – Article 8 Charter: “everyone has the right to the protection of personal data”
Principal EU legal instrument regulating data protection – Data Protection Directive (95/46/EC): regulates the processing of personal data and the free movement of such data; designed to give substance to the principles in the right to privacy
Draft General Data Protection Regulation – to supersede the Data Protection Directive
DATA PROTECTION DIRECTIVE 95/46/EC
Article 6 – principles relating to data quality
Personal data must be:
Processed fairly and lawfully
Collected for specified, explicit and legitimate purposes
Adequate, relevant and not excessive in relation to the purpose for which they are collected/processed
Accurate and, where necessary, kept up to date; where inaccurate or incomplete, reasonable steps must be taken to rectify or erase
Kept in a form that permits identification of data subjects for no longer than is necessary
DATA PROTECTION DIRECTIVE 95/46/EC
Article 7 – Criteria for making data processing legitimate
Personal data may be processed only if the data subject gives unambiguous consent, or processing is necessary for:
o performance of a contract, or
o compliance with a legal obligation, or
o protecting vital interests of the data subject, or
o performing a task in the public interest / exercise of official authority, or
o legitimate interests of the data controller
DATA PROTECTION DIRECTIVE 95/46/EC
Article 8 – Special categories of data
Prohibition on processing personal data revealing:
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade-union membership
Data concerning health or sex life
Exception – explicit consent
DATA PROTECTION DIRECTIVE 95/46/EC
Articles 10 & 11 – Information to be given to the data subject
Data controller must provide the data subject with at least the following information:
Identity of the controller
The purposes of the processing
Any further information, such as:
o Recipients or categories of recipients of the data
o Whether replies to questions are obligatory or voluntary, and the consequences of failure to answer (where data are collected from the data subject)
o Categories of data
o Existence of the right of access and the right to rectify data
DATA PROTECTION DIRECTIVE 95/46/EC
Article 12 – Right of access: outlines the individual’s rights of access to their data
Article 17 – Security of processing: the individual’s data should be protected from misuse and unauthorised disclosure or access
GENERAL DATA PROTECTION REGULATION – WHAT’S NEW?
Article 17 – Right to erasure (“right to be forgotten”)
Article 19 – Right to object – on grounds including profiling
Article 20 – Right not to be subject to a decision based solely on automated processing, including profiling
GENERAL DATA PROTECTION REGULATION – WHAT’S NEW?
Article 23 – Data protection by design and by default: implement appropriate technical and organisational measures designed to implement the data protection principles
Article 30 – Security of processing: implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
o pseudonymisation and encryption of personal data
o the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data
o the ability to restore the availability of and access to data in a timely manner in the event of a physical or technical incident
o a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
PRIVACY AND DATA PROTECTION CONSIDERATIONS
Various privacy and data protection considerations flow from the ethical and legal constraints and values, e.g.:
Informed consent
Data minimisation
Data quality
Purpose specification
Use limitation
Confidentiality
Transparency
Individual participation and access to data
Anonymity
Privacy of personal communications
INFORMED CONSENT
Art 7 EU Data Protection Directive – personal data can only be processed if the data subject has unambiguously given consent
Consent must be meaningful: given freely after the person has been informed of the nature, significance, implications and risks
Questions:
How will DEVELOP obtain free and informed consent?
Will the person be informed of the nature, significance, implications and risks of the product?
Will consent be evidenced in writing, dated, signed or marked in some way?
Does the consent outline the use for which data are collected, how they are collected, how to obtain a copy of the data, the mechanism to correct erroneous data, and who has access to the data?
Is there a right to withdraw?
Is consent truly voluntary, i.e. what are the consequences of not consenting? The employer/employee relationship is significant here.
DATA MINIMISATION
How will the project determine what constitutes the minimum amount of personal data to be collected?
Will any data be collected which are not necessary for fulfilling the stated purpose of the project?
Is information collected in ways of which the data subject is unaware?
Is information collected against the wishes of the person?
For how long will the information be retained?
Will the information be deleted when it is no longer needed for the purpose for which it was collected?
DATA QUALITY
What measures will be put in place to ensure the quality of the information gathered?
What assurances are there that data are true and accurate?
Has information been collected from others than the person to whom it pertains?
What are the implications of data inaccuracies?
What measures are there to correct data inaccuracies?
CONFIDENTIALITY
What measures will ensure the protection of personal data? E.g., encryption, access control, etc.
Who will have access to personal data?
What safeguards will be put in place to ensure that those who have access treat the information in confidence?
ANONYMITY
Have steps been taken to ensure that a person cannot be identified from the data collected?
Have pseudonyms or codes been used to replace data that could identify the individual?
Could data from different sources be aggregated or matched in a way that undermines anonymity?
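An added illustration (not from the slides or the DEVELOP project) of the pseudonymisation measure listed under Article 30 and of the anonymity questions above: a keyed pseudonym with a separate key per data source, which cannot be matched across sources, beside a plain hash of a staff number, which can be recovered by re-hashing the small identifier space. The staff number, key values and source names are constructed.

```python
import hashlib
import hmac


def pseudonymise(identifier: str, source_key: bytes) -> str:
    """Replace a direct identifier with a keyed pseudonym (HMAC-SHA256).

    Only the data controller holds source_key, so someone who obtains the
    pseudonymised dataset cannot recompute or reverse the pseudonym. This is
    pseudonymisation in the Article 30 sense, not anonymisation: the controller
    can still link the pseudonym back to the person while it keeps the key.
    """
    digest = hmac.new(source_key, identifier.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]  # 64-bit pseudonym, ample for a project dataset


def linkable(identifier: str, key_a: bytes, key_b: bytes) -> bool:
    """True if two datasets give the same person the same pseudonym.

    One key per data source (HR records, building sensors, app logs) means
    records cannot be matched across sources by pseudonym alone, which is the
    aggregation risk raised in the anonymity questions.
    """
    return pseudonymise(identifier, key_a) == pseudonymise(identifier, key_b)


def plain_hash(identifier: str) -> str:
    """An unkeyed SHA-256 of the identifier, the 'code' many projects reach for."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def reidentify_plain_hash(digest: str, candidate_ids):
    """Why an unkeyed hash does not anonymise: staff numbers come from a small,
    predictable space, so anyone holding the dataset can re-hash every
    candidate and match it. Returns the recovered identifier or None."""
    for candidate in candidate_ids:
        if plain_hash(candidate) == digest:
            return candidate
    return None


# Constructed sample values (not from the DEVELOP project).
STAFF_ID = "EMP-000123"
KEY_HR = b"constructed-hr-key"          # in practice: secrets.token_bytes(32), held in a KMS/HSM
KEY_SENSORS = b"constructed-sensor-key"

if __name__ == "__main__":
    print("HR pseudonym:           ", pseudonymise(STAFF_ID, KEY_HR))
    print("Sensor pseudonym:       ", pseudonymise(STAFF_ID, KEY_SENSORS))
    print("Linkable across sources:", linkable(STAFF_ID, KEY_HR, KEY_SENSORS))
    candidates = (f"EMP-{n:06d}" for n in range(1_000_000))
    print("Plain hash recovered:   ", reidentify_plain_hash(plain_hash(STAFF_ID), candidates))
```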
ACTION PLAN FOR UPCOMING DELIVERABLE
T4.1 – legal and social considerations – due M09
Review legal frameworks at EU and national level
Review social norms and background for each participating country – drawing on ethical principles
Draft framework of legal and social/ethical considerations for design of DEVELOP
Framework to be fed into design principles for DEVELOP, in consultation with other partners
CONSULT WITH CONSORTIUM
Partners to help us understand the architecture
Describe information flows:
• Who will collect what information? From whom? For what purpose?
• How will the collected information be used?
• How will information be stored, secured, processed and distributed (i.e. to whom might the organisation pass the information, and for what purpose)?
• How well will secondary users (e.g. the organisation’s service providers, app developers) protect that information?
CONTACT US
Joanna Simon – [email protected]
Rachel Finn – [email protected]
Website: www.trilateralresearch.com
Twitter: @Trilateral_UK
E-mail: [email protected]
Phone: +44 (0)207 559 3550
Address: Crown House, 72 Hammersmith Road, London, United Kingdom