All posts by icdppc-update

Do you have a resolution idea to table at the GPA 2021 Conference?

Are you looking to co-sponsor or contribute as a GPA member to this year’s Conference resolutions?

The GPA Executive Committee is aware that many members want to get as much as possible out of their membership of the GPA. Engaging with the development of the Conference Resolutions is a great way to get involved. As we start to prepare for this year’s Closed Session, members are reminded of the GPA approach, including the deadlines for submission, relating to resolutions.

Submission of Resolutions for the GPA 2021 Closed Session

• Resolutions for 2021 will be adopted at the hybrid online and in-person Closed Session. Members considering submitting a resolution, please note that resolutions should:
• • be clear and concise;

• • address matters sufficiently related to the purposes of the GPA and invoke action on matters relating to data protection and privacy;

• • focus on a current strategic need of the GPA – In other words, resolution main sponsors should be able to easily explain how the resolution text contributes to the delivery of the GPA Strategic Direction adopted in Tirana, 2019.

• Proposed resolutions must have at least four other co-sponsors (apart from the main sponsor), representing, insofar as possible, different cultural, geographic and legal backgrounds. Please note: it is the main sponsor’s responsibility to ensure that these four other co-sponsors have been obtained by the time of final submission of the resolution to the conference on 4 October at the latest, otherwise the Resolution may risk not to be considered valid.
• It is the main sponsor’s responsibility to negotiate member amendments to a resolution. The Secretariat can receive amendments directly to the Secretariat central inbox to forward onto the main sponsor, but many main sponsors prefer to be contacted directly. In any case, please indicate which email address and name of official responsible for answering questions about the resolution the Secretariat should use for directing all resolution-related enquiries and amendments.
• Proposed resolutions should be submitted either in English, or if the original is in another language, then please submit a copy in English simultaneously.

Proposed resolutions are subject to the following timelines in 2021: 

For your information, please see the link to the GPA Rules and Procedures and for all enquiries regarding the above and the upcoming Closed Session, please contact the GPA Secretariat: secretariat@globalprivacyassembly.org.

The Chair of the Global Privacy Assembly (GPA), its Executive Committee and conference hosts the National Institute for Transparency, Access to Information and Personal Data Protection (INAI), Mexico, are pleased to announce the 43rd Global Privacy Assembly 2021 will take place between 18-21 October 2021 in Mexico City, Mexico, as a hybrid event, available both in-person and online.

Registrations will open soon! With more details to follow.

Visit this year’s conference website, Twitter and LinkedIn for the latest information.

The GPA May 2021 Newsletter is now published and available on the GPA website.

Featuring editorial from some of the leading representatives of the GPA community, get the latest insight and updates on important issues impacting the international data protection and privacy landscape today.

View Newsletter here.

The GPA Executive Committee is pleased to announce that this year’s Global Privacy and Data Protection Awards nomination process is now open!

Now in its fourth year, the Awards celebrate the achievements of the GPA community and shine a light on good practice.

Any member can apply. Submit your entry form no later than Wednesday 16 June 2021.

The award categories are:

• Education and public awareness
• Accountability
• Dispute resolution and enforcement
• Innovation
• People’s Choice (shortlisted entries in all categories will automatically be entered for this Award)

Find out more information on how to apply.

30 April 2021 Update

The Working Group on Digital Education (DEWG)

Benefit from explanations of a short video recording about the CIRCABC platform.

You will be able to view a tutorial video to better understand how to join the CIRCABC platform, access the 170 documents indexed by target groups, upload and present in a few words the educational materials produced by your own DPA. Please request the video’s password from the CIRCABC Leaders. You can view the PowerPoint presentation here.

In addition to these live demonstrations, two videos less than a few minutes long will explain the contents of this online library and the DEWG’s priorities.

Take advantage of the tutorial now and do not hesitate to contact its leader if you have any questions!

Pascale, Marc and Vincent – CIRCABC Leaders

at pserrier@cnil.fr ; Marc.Lemmer@cnpd.lu; vincent.legeleux@cnpd.lu

**********

Le Groupe Education au numérique (DEWG)

Des explications réalisées dans un format vidéo court sur la plateforme de ressources pédagogiques CIRCABC.

Vous pourrez visionner une vidéo-tutoriel pour mieux comprendre comment accéder à la plateforme CIRCABC, consulter les 170 documents classés par groupes cibles, ajouter et référencer des contenus pédagogiques réalisés par votre APD. Veuillez demander le mot de passe de la vidéo aux CIRCABC Leaders. Vous pouvez voir la présentation PowerPoint ici.

En complément de ces démonstrations en direct, deux capsules vidéo de quelques minutes viennent exposer les contenus de cette bibliothèque en ligne, et les priorités du Groupe international.

Profitez dès à présent du tutoriel et n’hésitez pas à nous contacter pour toutes les questions !

Pascale, Marc and Vincent – CIRCABC Leaders

at pserrier@cnil.fr ; Marc.Lemmer@cnpd.lu; vincent.legeleux@cnpd.lu

11 February 2020 Update

The Global Privacy Assembly (GPA) membership is organised into Working Groups that concentrate on the most significant GPA initiatives identified by the membership, deriving their mandate and direction from the annual conference, typically leading from Resolutions. Learn more about the GPA Working Groups.

In this video, Ms Marie-Laure Denis, President of the Commission Nationale de l’Informatique et des Libertés (CNIL), gives an update on the work of the Working Group on Digital Education.

The Global Privacy Assembly (GPA) has appointed its first Reference Panel, a contact group of varied external stakeholders who will support the Assembly and its members by providing expert knowledge and practical expertise on data protection and privacy, as well as on data protection related issues and developments in information technology.

The independent panel of 16 members was drawn from a very strong applicant pool and provides expertise from around the world from relevant civil society organisations, academic institutions and think tanks who have an interest in the vision and mission of the GPA. Its membership has been endorsed by the GPA membership and Executive Committee.

The Reference Panel is chaired by Ulrich Kelber, member of the GPA Executive Committee, and Germany’s Federal Commissioner for Data Protection and Freedom of Information.

Ulrich Kelber has launched this new stream of work, providing personal invitations to the first Reference Panel. He said:

“I am glad we could bring together all these experts from different cultural and professional backgrounds. They will provide new perspectives on privacy related topics for the GPA. I am honoured to be the chair of the Reference Panel and I look forward to our first official meeting.”

The work to establish the Panel was an extensive process. An Assessment Group consisting of representatives from 14 GPA member authorities from all global regions assessed a high number of applications. The calibre of applicants was exceedingly high, and each Assessment Group member played a vital part in finalising the shortlist of candidates.

The GPA Assessment Group was chaired by Paula Hothersall, ICO Director of Regulatory Strategy (International), who said:

“The Assessment Group’s work was no easy task given the high calibre of candidates, but the success of having the panel endorsed by the membership and the Executive Committee echoes its strength. We look forward to the promising contributions of the Panel in the coming months.”

The Reference Panel met for the first time on 29 April 2021, and over the next few months the GPA will work to establish their work plan and contributions both to the work groups and the yearly conference.

Find out more about the GPA Reference Panel members.

Les autorités chargées de la protection des données personnelles et de la vie privée soulignent l’importance du respect de la vie privée dès la conception dans la communication des données relatives à la santé aux fins de voyages nationaux ou internationaux pendant la pandémie de COVID-19.

Contexte

Les gouvernements du monde entier mettent en œuvre des mesures pour freiner la propagation de la COVID-19 tout en planifiant la pleine reprise des activités économiques et sociales au-delà des frontières. Pour de nombreux passagers nationaux ou internationaux, cela signifie qu’ils doivent communiquer des renseignements sur leur santé, tels qu’un résultat négatif au test de dépistage de la COVID-19 ou leur statut de vaccination, comme condition préalable au voyage. Des « passeports sanitaires » et des « codes sanitaires » numériques ont également été proposés.

La communication potentielle de ces données personnelles relatives à la santé, à une vaste échelle, au-delà des frontières et entre diverses entités, est sans précédent. La technologie numérique permet de le faire rapidement et à grande échelle. Si de telles mesures peuvent se justifier pour des raisons de santé publique, la communication de ces renseignements sensibles peut et devrait se faire dans le respect de la vie privée. La technologie présentera des risques mais aussi la possibilité de mettre en place des mesures de protection pour les personnes. L’innovation peut aller de pair avec la protection de la vie privée.

Depuis le début de la pandémie, les membres de l’Assemblée mondiale pour la protection de la vie privée ont conseillé des gouvernements, des entreprises privées, des organisations caritatives et des organisations non gouvernementales sur la conception et l’élaboration de systèmes permettant de traiter les données personnelles relatives à la santé de manière à protéger au mieux la vie privée. La présente déclaration vise à compléter les efforts déployés à l’échelle nationale ou régionale et à contribuer à un résultat concret et coordonné en matière de protection de la vie privée à l’échelle internationale. Elle reflète les principes communs de protection des données et de la vie privée à l’échelle mondiale, dont la protection de la vie privée dès la conception et par défaut.

Renforcer la confiance du public en protégeant la vie privée

Pour instaurer un climat de confiance en ce qui concerne le traitement des données personnelles relatives à la santé aux fins de voyage, il faut que les personnes aient l’assurance que leurs données sont traitées de manière sécurisée; que les données qui leur sont demandées ne sont pas excessives; que des informations claires et accessibles sont mises à leur disposition pour comprendre comment leurs données seront utilisées; que le traitement a une finalité bien précise; et que leurs données ne seront pas conservées plus longtemps que nécessaire.

Le comité exécutif de l’Assemblée mondiale pour la protection de la vie privée rappelle que si les données et la technologie peuvent être des outils importants pour mieux lutter contre la pandémie de COVID-19, elles ont des limites intrinsèques et ne peuvent que tirer parti de l’efficacité d’autres mesures de santé publique. En outre, elles doivent s’inscrire dans une stratégie globale de santé publique pour lutter contre la pandémie. Les principes d’efficacité, de nécessité et de proportionnalité doivent guider toute mesure adoptée par les gouvernements et les autorités qui implique le traitement de données personnelles pour lutter contre la COVID-19[1].

Le comité exécutif de l’Assemblée mondiale sur la protection de la vie privée invite donc instamment les gouvernements et les autres organisations responsables du traitement des données personnelles relatives à la santé aux fins de voyages internationaux à prendre en considération les principes suivants, qui reflètent les pratiques et les principes communs de protection des données à l’échelle mondiale, et à leur accorder toute l’attention requise :

• Le traitement des données personnelles relatives à la santé comme condition préalable à un voyage international peut se justifier pour des raisons de santé publique, mais il est indispensable de prendre en compte les risques pour la vie privée dès le départ.
• Les principes de « protection de la vie privée dès la conception et par défaut » devraient être intégrés à tout système, application ou accord d’échange de données concernant le traitement des données personnelles relatives à la santé aux fins de voyages internationaux. Une évaluation formelle et complète de l’impact sur la vie privée des personnes avant le début de tout traitement est la meilleure méthode pour veiller à ce que les principes de protection des données dès la conception soient mis en œuvre dans la pratique et à ce que les risques sous-jacents soient atténués de manière appropriée. Les organisations devraient demander conseil auprès des autorités chargées de la protection des données personnelles et de la vie privée sur cette question ou encore consulter les orientations de ces dernières.
• Les données personnelles recueillies, utilisées ou communiquées pour atténuer les effets de la COVID-19 sur la santé publique doivent avoir une finalité clairement définie. La finalité devrait être précise, dans le contexte général de la mesure de santé publique. Les données personnelles ne doivent pas être utilisées d’une manière incompatible avec cette finalité.
• Toutes les organisations doivent agir en vertu d’une autorité légale compétente et appropriée, en veillant à ce qu’elles ne traitent les données personnelles relatives à la santé que lorsque cela est nécessaire et proportionné.
• Les droits des personnes vulnérables, qui ne sont pas en mesure d’utiliser des appareils électroniques ou qui n’y ont pas accès, doivent être protégés, et des solutions de rechange devraient être envisagées pour veiller à ce que ces personnes ne soient pas victimes de discrimination. De même, les droits des personnes qui, en raison de leur âge, de risques éventuels pour leur santé ou d’autres conditions sous-jacentes, ne peuvent pas être vaccinées, devraient également être protégés.
• Les personnes devraient être informées de la manière dont leurs données sont utilisées, par qui et dans quel but, et recevoir des informations claires et accessibles.  La diversité géographique, culturelle et linguistique des personnes désireuses de voyager doit être reconnue.
• Les organisations ne devraient recueillir auprès des individus ou d’autres sources que la quantité minimale de renseignements sur la santé qui est nécessaire à leur contribution à la protection de la santé publique.
• Des mesures devraient être prises pour faire face aux risques liés à la communication directe de renseignements provenant de dossiers médicaux aux fins de voyage – parmi les stratégies de protection de la vie privée dès la conception, pensons aux systèmes fédérés de gestion de l’identité et au niveau de traitement effectué par les dispositifs utilisés.
• Les risques relatifs à la cybersécurité de tout système ou application numérique doivent être pleinement évalués, en tenant compte des dangers qui peuvent émaner de divers acteurs dans un contexte de menace mondiale.
• Les organisations devraient réfléchir soigneusement à la durée de conservation des données et établir un calendrier de conservation prévoyant la suppression sûre des renseignements lorsqu’ils ne sont plus nécessaires.
• Des clauses de temporisation devraient être intégrées dans la conception de ces systèmes, prévoyant la suppression permanente de ces données ou bases de données, et reconnaissant que le traitement courant des renseignements sur la santé en lien avec la COVID-19 aux frontières peut devenir inutile une fois la pandémie terminée. Les systèmes devraient également être revus périodiquement pour veiller à ce que le traitement reste nécessaire et proportionné pendant la pandémie.

[1] https://globalprivacyassembly.org/wp-content/uploads/2021/01/FINAL-RESOLUTION-COVID-19-VERSION-FINALE-ADOPTEE-FR.pdf

The Global Privacy Assembly (GPA) Executive Committee has today published a joint statement on the importance of privacy by design in the sharing of health data for domestic or international travel requirements during the COVID-19 pandemic.

Data protection and privacy authorities highlight the importance of privacy by design in the sharing of health data for domestic or international travel requirements during the COVID-19 pandemic

Background
Governments around the world are implementing measures to stop the spread of COVID-19 whilst also planning for a return to full economic and social activity across borders. For many domestic or international passengers, this has meant sharing health information such as a negative COVID-19 test result or vaccination status as a prerequisite of travel. Digital ‘health passports’ and ‘health codes’ have also been proposed.

The potential sharing of these elements of health data, on a mass scale across borders, and across a range of entities, is unprecedented. Digital technology provides the opportunity to do this at speed and scale. Whilst such steps may potentially be justifiable on public health grounds, the sharing of this sensitive information can and should be done in a privacy protective manner. Technology will offer both risks and opportunities to build protections for individuals. Innovation can go hand in hand with privacy.

Since the start of the pandemic, members of the Global Privacy Assembly have advised governments, private enterprises, charities and non-governmental organisations on the design and development of systems that allow the processing of personal health data in a manner that best protects privacy. This statement seeks to complement efforts made at a national or regional level, and contribute to a positive, co-ordinated privacy outcome internationally, reflecting common global principles of data protection and privacy, including privacy by design and default.

Building public trust by protecting privacy

In order to build trust and confidence in the way in which health data is processed for travel purposes, individuals need to be assured that: their data is handled securely; the data
demanded of them is not excessive; they have clear and accessible information to understand how their data will be used; there is a specific purpose for the processing; their data will be
retained for no longer than is necessary.

The Global Privacy Assembly Executive Committee recalls that while data and technology can be important tools to help fight the COVID-19 pandemic, they have intrinsic limitations and can merely leverage the effectiveness of other public health measures and need to be part of a comprehensive public health strategy to fight the pandemic. The principles of effectiveness, necessity, and proportionality must guide any measure adopted by government and authorities that involve processing of personal data to fight COVID-19. ¹

The Global Privacy Assembly Executive Committee therefore urges governments, and other organisations responsible for processing health data for the purposes of international travel,
to consider and pay due regard to the following principles, which reflect common global data protection principles and practice:

•  The processing of health data as a prerequisite of international travel may be justifiable on the grounds of protecting public health, but considering privacy risks at the outset is vital.
• ‘Privacy by design and default’ principles should be embedded into the design of any system, app or data sharing arrangements regarding the processing of health data for the purposes of international travel. A formal and comprehensive assessment of the privacy impact on individuals before the commencement of any processing is the best method of ensuring data protection by design principles are implemented in practice and underlying risks are mitigated appropriately. Organisations should seek advice or consult guidance from data protection and privacy authorities on this issue.
• Personal data collected, used or disclosed to alleviate the public health effects of COVID-19 require a clearly defined purpose. The purpose should be specific within the broad context of the public health measure. Personal data must not be used in a manner incompatible with this purpose.
• All organizations must operate under relevant and appropriate lawful authority, ensuring that they only process health data when it is necessary and proportionate to do so.
• The data protection rights of vulnerable individuals, who may not be able to use, or may not have access to, electronic devices, must be protected, and alternative solutions should be considered to ensure that such individuals do not suffer discrimination. Similarly, the data protection rights of those who due to their age, possible health risks or other underlying conditions cannot be vaccinated should also be protected.
• Individuals should be informed of how their data is being utilised, by whom and for what purpose, providing clear and accessible information, recognising the geographical, cultural and linguistic diversity of the people of society who will wish to travel.
• Organisations should collect the minimum health information from individuals or other sources that is necessary for their contribution to protection of public health.
• Measures should be used to address the risks of directly sharing information from health records for travel purposes – privacy by design approaches can include federated identity systems and device level processing.
• The cyber security risk of any digital systems or apps must be fully assessed, taking full account of the risks that can emerge from different actors in a global threat context.
• Organisations should consider carefully for how long data should be retained, and design a retention schedule for the safe deletion of information once it is no longer
  required.
• Sunset clauses should be built into the design of such schemes, foreseeing permanent deletion of such data or databases, recognising that the routine processing of COVID 19 health information at borders may become unnecessary once the pandemic ends.

The schemes should also be reviewed periodically to ensure that the processing remains necessary and proportionate whilst the pandemic is ongoing.

¹  https://globalprivacyassembly.org/wp-content/uploads/2020/10/FINAL-GPA-Resolution-on-Privacy-Data-Protection-Challenges-Arising-in-the-Context-of-Covid-19-Pandemic-EN.pdf

We are calling for proposals to host the Global Privacy Assembly’s annual meeting in 2023.

The deadline for submissions is end of day, Friday, 23 April 2021.

Please read the Guidance for Authorities for more details and contact the GPA Secretariat if you have any questions.

Children are particularly vulnerable to the risks associated with the digital environment. For this reason, protecting children’s privacy online is a priority action for the Global Privacy Assembly (GPA) of data protection and privacy authorities and its Digital Education Working Group (DEWG) conducted by Marie-Laure DENIS as Chair, and the French CNIL.

In 2020, the UN Committee on the Rights of the Child has prepared a draft General Comment (GC) No. 25 (202x) on the rights of the child in relation to the digital environment and invited all interested parties to provide comments. The goal of this GC is to support the realisation of the United Nations Convention on the Rights of the Child (UNCRC) in the digital environment and provide guidance on measures to ensure full compliance by government, business and industry with their obligations to fully support children’s right in the digital environment.  In this context, the DEWG has adopted a contribution to support the project’s orientations, made proposals with regard to the right to protection of children’s personal data. In particular, the contribution focuses on the exercise of the rights of children, profiling and automated decision making, commercial exploitation of children’s data, the consideration of child-related specificities by public authorities and the private sector and digital education. This contribution, which was unanimously supported by some 74 DEWG’s member Authorities, is made available in English and French (in Spanish-tbc), and has been be published on the website of the Committee of the Rights of the child (n°35 in the list).

As a matter of fact, the core of the DEWG’s mandate aims to promote digital education that respects the rights and freedoms of all, and raise awareness on the exercise of digital rights by children. The overarching objective is to allow children to develop the competences and skills needed to grow into responsible digital citizens. For this purpose, the DEWG has adopted several GPA resolutions over the years and conducted in 2019-2020 an international study regarding the legal frameworks applying to children and the exercise of the rights of minors, including an overview of various national initiatives by Data Protection Authorities on children’s rights online.

Any question related to this issue can be addressed to Pascale Raulin-Serrier at pserrier@cnil.fr as the DEWG Coordinator.