Joint statement of the GPA Executive Committee on the use of health data for domestic or international travel purposes

Personal data protection and privacy authorities stress the importance of privacy by design in the sharing of health data for domestic or international travel purposes during the COVID-19 pandemic.

Background

Governments around the world are implementing measures to curb the spread of COVID-19 while planning for the full resumption of economic and social activity across borders. For many domestic or international passengers, this means that they must share information about their health, such as a negative COVID-19 test result or their vaccination status, as a prerequisite of travel. Digital "health passports" and "health codes" have also been proposed.

The potential sharing of this personal health data, on a vast scale, across borders and between a range of entities, is unprecedented. Digital technology makes it possible to do this quickly and at scale. While such measures may be justifiable on public health grounds, the sharing of this sensitive information can and should be done in a privacy-protective manner. Technology will present risks but also the opportunity to put protective measures in place for individuals. Innovation can go hand in hand with the protection of privacy.

Since the start of the pandemic, members of the Global Privacy Assembly have advised governments, private enterprises, charities and non-governmental organisations on the design and development of systems that allow personal health data to be processed in a manner that best protects privacy. This statement seeks to complement the efforts made at national or regional level and to contribute to a concrete, coordinated privacy outcome internationally. It reflects common global principles of data protection and privacy, including privacy by design and by default.

Building public trust by protecting privacy

To build trust in the processing of personal health data for travel purposes, individuals need to be assured that their data is handled securely; that the data requested of them is not excessive; that clear and accessible information is made available to them to understand how their data will be used; that the processing has a specific purpose; and that their data will not be retained for longer than necessary.

The Global Privacy Assembly Executive Committee recalls that while data and technology can be important tools to better fight the COVID-19 pandemic, they have intrinsic limitations and can merely leverage the effectiveness of other public health measures. In addition, they must be part of a comprehensive public health strategy to fight the pandemic. The principles of effectiveness, necessity and proportionality must guide any measure adopted by governments and authorities that involves the processing of personal data to fight COVID-19[1].

The Global Privacy Assembly Executive Committee therefore urges governments and the other organisations responsible for processing personal health data for the purposes of international travel to consider the following principles, which reflect common global data protection practices and principles, and to give them all due attention:

  • The processing of personal health data as a prerequisite of international travel may be justifiable on public health grounds, but it is essential to take privacy risks into account from the outset.
  • The principles of "privacy by design and by default" should be embedded into any system, application or data sharing agreement concerning the processing of personal health data for the purposes of international travel. A formal and comprehensive assessment of the privacy impact on individuals before any processing begins is the best method of ensuring that data protection by design principles are implemented in practice and that the underlying risks are mitigated appropriately. Organisations should seek advice from personal data protection and privacy authorities on this issue or consult their guidance.
  • Personal data collected, used or disclosed to mitigate the public health effects of COVID-19 must have a clearly defined purpose. The purpose should be specific, within the broad context of the public health measure. Personal data must not be used in a manner incompatible with this purpose.
  • All organisations must act under a relevant and appropriate lawful authority, ensuring that they process personal health data only when it is necessary and proportionate.
  • The rights of vulnerable individuals, who are not able to use electronic devices or do not have access to them, must be protected, and alternative solutions should be considered to ensure that these individuals do not suffer discrimination. Similarly, the rights of individuals who, because of their age, possible health risks or other underlying conditions, cannot be vaccinated should also be protected.
  • Individuals should be informed of how their data is used, by whom and for what purpose, and should receive clear and accessible information. The geographical, cultural and linguistic diversity of the people wishing to travel must be recognised.
  • Organisations should collect from individuals or other sources only the minimum amount of health information that is necessary for their contribution to the protection of public health.
  • Measures should be taken to address the risks of directly sharing information from medical records for travel purposes; privacy by design strategies include federated identity management systems and the level of processing carried out by the devices used.
  • The cyber security risks of any digital system or application must be fully assessed, taking into account the dangers that can emerge from different actors in a global threat context.
  • Organisations should consider carefully how long data is retained and establish a retention schedule providing for the safe deletion of information when it is no longer needed.
  • Sunset clauses should be built into the design of these systems, providing for the permanent deletion of such data or databases, and recognising that the routine processing of health information related to COVID-19 at borders may become unnecessary once the pandemic is over. The systems should also be reviewed periodically to ensure that the processing remains necessary and proportionate during the pandemic.

[1] https://globalprivacyassembly.org/wp-content/uploads/2021/01/FINAL-RESOLUTION-COVID-19-VERSION-FINALE-ADOPTEE-FR.pdf

GPA Executive Committee joint statement on the use of health data for domestic or international travel purposes

The Global Privacy Assembly (GPA) Executive Committee has today published a joint statement on the importance of privacy by design in the sharing of health data for domestic or international travel requirements during the COVID-19 pandemic.

Data protection and privacy authorities highlight the importance of privacy by design in the sharing of health data for domestic or international travel requirements during the COVID-19 pandemic

Background

Governments around the world are implementing measures to stop the spread of COVID-19 whilst also planning for a return to full economic and social activity across borders. For many domestic or international passengers, this has meant sharing health information such as a negative COVID-19 test result or vaccination status as a prerequisite of travel. Digital ‘health passports’ and ‘health codes’ have also been proposed.

The potential sharing of these elements of health data, on a mass scale across borders, and across a range of entities, is unprecedented. Digital technology provides the opportunity to do this at speed and scale. Whilst such steps may potentially be justifiable on public health grounds, the sharing of this sensitive information can and should be done in a privacy protective manner. Technology will offer both risks and opportunities to build protections for individuals. Innovation can go hand in hand with privacy.

Since the start of the pandemic, members of the Global Privacy Assembly have advised governments, private enterprises, charities and non-governmental organisations on the design and development of systems that allow the processing of personal health data in a manner that best protects privacy. This statement seeks to complement efforts made at a national or regional level, and contribute to a positive, co-ordinated privacy outcome internationally, reflecting common global principles of data protection and privacy, including privacy by design and default.

Building public trust by protecting privacy

In order to build trust and confidence in the way in which health data is processed for travel purposes, individuals need to be assured that: their data is handled securely; the data demanded of them is not excessive; they have clear and accessible information to understand how their data will be used; there is a specific purpose for the processing; their data will be retained for no longer than is necessary.

The Global Privacy Assembly Executive Committee recalls that while data and technology can be important tools to help fight the COVID-19 pandemic, they have intrinsic limitations and can merely leverage the effectiveness of other public health measures and need to be part of a comprehensive public health strategy to fight the pandemic. The principles of effectiveness, necessity, and proportionality must guide any measure adopted by government and authorities that involves processing of personal data to fight COVID-19. [1]

The Global Privacy Assembly Executive Committee therefore urges governments, and other organisations responsible for processing health data for the purposes of international travel, to consider and pay due regard to the following principles, which reflect common global data protection principles and practice:

  • The processing of health data as a prerequisite of international travel may be justifiable on the grounds of protecting public health, but considering privacy risks at the outset is vital.
  • ‘Privacy by design and default’ principles should be embedded into the design of any system, app or data sharing arrangements regarding the processing of health data for the purposes of international travel. A formal and comprehensive assessment of the privacy impact on individuals before the commencement of any processing is the best method of ensuring data protection by design principles are implemented in practice and underlying risks are mitigated appropriately. Organisations should seek advice or consult guidance from data protection and privacy authorities on this issue.
  • Personal data collected, used or disclosed to alleviate the public health effects of COVID-19 require a clearly defined purpose. The purpose should be specific within the broad context of the public health measure. Personal data must not be used in a manner incompatible with this purpose.
  • All organizations must operate under relevant and appropriate lawful authority, ensuring that they only process health data when it is necessary and proportionate to do so.
  • The data protection rights of vulnerable individuals, who may not be able to use, or may not have access to, electronic devices, must be protected, and alternative solutions should be considered to ensure that such individuals do not suffer discrimination. Similarly, the data protection rights of those who due to their age, possible health risks or other underlying conditions cannot be vaccinated should also be protected.
  • Individuals should be informed of how their data is being utilised, by whom and for what purpose, providing clear and accessible information, recognising the geographical, cultural and linguistic diversity of the people of society who will wish to travel.
  • Organisations should collect the minimum health information from individuals or other sources that is necessary for their contribution to protection of public health.
  • Measures should be used to address the risks of directly sharing information from health records for travel purposes – privacy by design approaches can include federated identity systems and device level processing.
  • The cyber security risk of any digital systems or apps must be fully assessed, taking full account of the risks that can emerge from different actors in a global threat context.
  • Organisations should consider carefully for how long data should be retained, and design a retention schedule for the safe deletion of information once it is no longer required.
  • Sunset clauses should be built into the design of such schemes, foreseeing permanent deletion of such data or databases, recognising that the routine processing of COVID-19 health information at borders may become unnecessary once the pandemic ends.

The schemes should also be reviewed periodically to ensure that the processing remains necessary and proportionate whilst the pandemic is ongoing.

[1] https://globalprivacyassembly.org/wp-content/uploads/2020/10/FINAL-GPA-Resolution-on-Privacy-Data-Protection-Challenges-Arising-in-the-Context-of-Covid-19-Pandemic-EN.pdf

The Digital Education Working Group (DEWG) adopts a joint contribution regarding the United Nations General Observation on the rights of the child in the digital environment

Children are particularly vulnerable to the risks associated with the digital environment. For this reason, protecting children’s privacy online is a priority action for the Global Privacy Assembly (GPA) of data protection and privacy authorities and its Digital Education Working Group (DEWG), led by Marie-Laure DENIS as Chair, and the French CNIL.

In 2020, the UN Committee on the Rights of the Child prepared a draft General Comment (GC) No. 25 (202x) on the rights of the child in relation to the digital environment and invited all interested parties to provide comments. The goal of this GC is to support the realisation of the United Nations Convention on the Rights of the Child (UNCRC) in the digital environment and provide guidance on measures to ensure full compliance by government, business and industry with their obligations to fully support children’s rights in the digital environment. In this context, the DEWG has adopted a contribution to support the project’s orientations and made proposals with regard to the right to protection of children’s personal data. In particular, the contribution focuses on the exercise of the rights of children, profiling and automated decision making, commercial exploitation of children’s data, the consideration of child-related specificities by public authorities and the private sector, and digital education. This contribution, which was unanimously supported by some 74 DEWG member authorities, is made available in English and French (in Spanish-tbc), and has been published on the website of the Committee on the Rights of the Child (n°35 in the list).

As a matter of fact, the core of the DEWG’s mandate aims to promote digital education that respects the rights and freedoms of all, and raise awareness on the exercise of digital rights by children. The overarching objective is to allow children to develop the competences and skills needed to grow into responsible digital citizens. For this purpose, the DEWG has adopted several GPA resolutions over the years and conducted in 2019-2020 an international study regarding the legal frameworks applying to children and the exercise of the rights of minors, including an overview of various national initiatives by Data Protection Authorities on children’s rights online.

Any question related to this issue can be addressed to Pascale Raulin-Serrier at pserrier@cnil.fr as the DEWG Coordinator.

GPA January 2021 Newsletter marks International Data Protection Day 2021

Happy International Data Protection Day from the Global Privacy Assembly (GPA)!

The GPA January 2021 Newsletter is now published and available on the GPA website, featuring articles from leading representatives of some of the key data protection and privacy organisations worldwide for your interest and enjoyment.

Elizabeth Denham, UK Information Commissioner and GPA Chair, has been featured on Council of Europe’s video together with 40 members of the Data Protection Community in the world. They shared Happy Anniversary messages, emphasising how Convention 108 is important for their respective country or organisation and their work.

Ms Denham said: “As Chair of the Global Privacy Assembly I see the Convention as playing an important role, a bridge between countries, between jurisdictions to encourage international regulatory cooperation.”

The Reference Panel application window is now closed

The GPA Reference Panel welcomed applications between 22 January 2021 and 19 February 2021. These applications are now being assessed and we will be in touch with all applicants as soon as we can.

What is the Global Privacy Assembly?

Established in 1979, the GPA is an international forum of data protection and privacy authorities which seeks to provide leadership at the international level by connecting the efforts of more than 130 data protection and privacy authorities from across the globe. If you wish to know more about the GPA’s current priorities, please refer to our Strategic Plan (2019 – 2020) and Policy Strategy.

What is the GPA Reference Panel?

The GPA Reference Panel will be a contact group involving a variety of external stakeholders which the GPA is seeking to establish in order to provide expert knowledge and practical expertise on data protection and privacy, as well as on data protection related issues and developments in information technology.

Who can respond to the call?

The call for interest is aimed at representatives of relevant civil society organisations, academic institutions, think tanks, non-privacy supervisory authorities, representatives of public authorities such as law enforcement authorities, and representatives of the private sector who have an interest in the vision and mission of the GPA.

If you have any questions regarding the application process and the GPA Reference Panel, please contact the GPA Secretariat email.

GPA application process for new members and observers now open

The Global Privacy Assembly’s (GPA) application process for new members and observers is now open for the 2021 cycle.

The GPA’s vision is to be an environment in which privacy and data protection authorities around the world are able effectively to act to fulfil their mandates, both individually and in concert, through diffusion of knowledge and supportive connections.

Since its foundation in 1979, the GPA has been continually growing and now includes more than 130 authorities from across the globe. Each year, the GPA welcomes new applications from authorities who wish to become members and from public entities or international organisations that wish to participate in the GPA as observers.

If you wish to apply for membership to the GPA, you may do so by filling in the online application form. Applications for membership will remain open until end of day, Sunday, 18 July 2021.

International organisations and public entities who wish to join as observers may do so by filling in the appropriate online application form. Applications for observer status will remain open until end of day, Sunday, 22 August 2021.

However, aspiring applicants are encouraged to submit their application as early as possible to ensure their applications are in a timely manner. Applicants are also strongly encouraged to read the information available on the Become a Member page or the Become an Observer page before submitting their application.

If you are an existing Observer whose status is due to expire in 2021, please renew your status by filling in the renewal form.

If you have any questions concerning any of the above, please contact the GPA Secretariat at secretariat@globalprivacyassembly.org.

GPA Census is now live

The 2020 Census is open from 1st December 2020 to 12th February 2021, and we look forward to your responses. The link to complete the Census has been provided to the membership. If you have any queries, please contact the Secretariat at secretariat@globalprivacyassembly.org.

The Global Privacy Assembly Census is designed to give a detailed ‘snapshot’ of privacy and data protection authorities across the globe, as well as contributing to the aims of the Resolution on developing new metrics of data protection regulation which include to:

  • Develop internationally comparable metrics in relation to data protection and privacy; and
  • Support the efforts of other international partners to make progress in this area.

This is the second time we have run a census in our membership, the last one taking place in 2017. We plan on presenting the full results at the latest at the 2021 annual global conference next October and several Working Groups will be invited to contribute to the analysis.

The text of the survey form used in the 2020 census (in PDF form) is available in English, Spanish and French.

The Census Privacy statement can be found here.

Information on the 2017 Census can be found here.

Global Privacy Assembly 2020: Raising international data protection and privacy standards through a modern, collaborative global community

https://globalprivacyassembly.org/gpa2020/

The 42nd Global Privacy Assembly Closed Session took place virtually on 13-15 October, with more than 100 members and observers joining together to consider key data protection and privacy challenges.

Opening the session, Elizabeth Denham, GPA Chair and UK Information Commissioner, highlighted the value of the Global Privacy Assembly’s work in raising data protection and privacy standards around the world through regulatory co-operation, and how the GPA work continued despite the COVID-19 pandemic.

Ms Denham said: “It is important that the GPA continues to modernise. It is important we continue to find ways to collaborate, so our collective wisdom can help us take better action individually. We are outward looking and have found new ways to connect with the outside world – from partnering with key international organisations such as OECD to engaging with tech companies on data protection by design. Our approach to engagement is modern and dynamic, making new ground this year.”

That theme ran through the three-day conference.

Resolutions were discussed and agreed, giving a shared view on topics including:

  • Facial recognition technology, recognising the importance of acting now, with a commitment to finding a common GPA position on a technology that can be privacy intrusive and discriminatory;
  • Artificial Intelligence (AI), where GPA members are encouraged to work with organisations in their jurisdictions that develop or use AI systems to implement accountability measures; and
  • Humanitarian aid, where the group committed to a renewed focus on safeguards to protect personal data in this area of international activity.

Resolutions were also agreed on the GPA’s voice – a modernisation of the rules and procedures that will allow the GPA to work as a ‘year-round’ organisation and make statements at the right time, and with greater impact. Commissioner Angelene Falk, Office of the Australian Information Commissioner (OAIC), introduced the resolution noting this “initiative is another way in which the GPA is pivoting to ensure that we are actively engaging on issues in a pragmatic and relevant way. It is the next step in our continued modernisation.”

The resolutions are published on the GPA website.

Commissioner Raymund Liboro, Philippines National Privacy Commission, led a detailed session on the work of the GPA COVID-19 Taskforce. Colleagues from PCPD Hong Kong, Dubai IFC, ICO (UK), and OAIC (Australia), updated members on shared best practices, capacity building activities, and common privacy risks and challenges during the pandemic. This included a Compendium of Best Practices in Response to COVID-19.

As the Chair of the Taskforce, Mr Liboro presented a resolution that proposed the creation of a temporary working group to continue the work of the Taskforce in building and strengthening the GPA’s collective capacity in responding to challenges arising from the pandemic.

Mr Liboro said: “We have maximized the GPA’s voice and influence during this pandemic – this time when the world needed our guidance. In a short span of time, with all the other pressing matters that we had to deal with individually, in our own homes, our own organizations, our own jurisdictions, we found time to come together and collaborate with our GPA community.”

Commissioner Angelene Falk, OAIC and chair of the GPA Strategic Direction Sub-Committee, updated members on the progress on the GPA’s strategic plan and policy strategy. The GPA Working Groups, which make practical progress towards that strategy, shared their achievements and their plans for 2021.

Ms Denham extended her warm welcome to the following new GPA members and observer:

  • Office of the Privacy Commissioner of Bermuda, Bermuda
  • Cayman Islands Ombudsman, Cayman Islands
  • Data Protection Commissioner, Dubai International Financial Centre
  • Canton of Bern: Data Protection Commissioner (Datenschutzbeauftragter des Kantons Bern), Switzerland
  • European Consumer Organisation (BEUC) – Observer

The results of the GPA Executive Committee election were announced:

  • Raymund Liboro, Privacy Commissioner and Chairman, Philippines National Privacy Commission, stood down having completed his full two-year term;
  • Angelene Falk, Australian Information Commissioner and Privacy Commissioner, Office of the Australian Information Commissioner, was re-elected for a further two years; and
  • Ulrich Kelber, Federal Commissioner for Data Protection and Freedom of Information (BfDI), Federal Republic of Germany, was elected to the Executive Committee for a two-year term.

Closing the online conference, Ms Denham said: “We needed to hold this year’s closed session for two reasons. Firstly, we simply could not lose our momentum on important work. Secondly, we needed to hold this year’s closed session because our community has never been more important.

“The adoption of digital technologies and innovations has accelerated faster than any of us could have predicted. And with this acceleration comes an enormous appetite for personal data. As data protection and privacy authorities, we must respond. We must respond to this growth in data gathering, and more sophisticated data processing. We must respond to state use of data in response to the pandemic. And we must respond to changing attitudes to data. We do so best as a modern, collaborative community.”

For more information on the GPA’s main achievements this past year, see the Annual Report of the GPA Executive Committee 2019-2020.

Looking ahead, the 43rd Global Privacy Assembly will be hosted by the National Institute for Transparency, Access to Information and Personal Data Protection (INAI Mexico), and will take place in Mexico City on 18-22 October 2021.

More information available at globalprivacyassembly.org