Update from the Working Group on Digital Education

30 April 2021 Update

The Working Group on Digital Education (DEWG)

Benefit from explanations of a short video recording about the CIRCABC platform.

You will be able to view a tutorial video to better understand how to join the CIRCABC platform, access the 170 documents indexed by target groups, upload and present in a few words the educational materials produced by your own DPA. Please request the video’s password from the CIRCABC Leaders. You can view the PowerPoint presentation here.

In addition to these live demonstrations, two videos less than a few minutes long will explain the contents of this online library and the DEWG’s priorities.

Take advantage of the tutorial now and do not hesitate to contact its leader if you have any questions!

Pascale, Marc and Vincent – CIRCABC Leaders

at pserrier@cnil.fr ; Marc.Lemmer@cnpd.lu; vincent.legeleux@cnpd.lu

**********

Le Groupe Education au numérique (DEWG)

Des explications réalisées dans un format vidéo court sur la plateforme de ressources pédagogiques CIRCABC.

Vous pourrez visionner une vidéo-tutoriel pour mieux comprendre comment accéder à la plateforme CIRCABC, consulter les 170 documents classés par groupes cibles, ajouter et référencer des contenus pédagogiques réalisés par votre APD. Veuillez demander le mot de passe de la vidéo aux CIRCABC Leaders. Vous pouvez voir la présentation PowerPoint ici.

En complément de ces démonstrations en direct, deux capsules vidéo de quelques minutes viennent exposer les contenus de cette bibliothèque en ligne, et les priorités du Groupe international.

Profitez dès à présent du tutoriel et n’hésitez pas à nous contacter pour toutes les questions !

Pascale, Marc and Vincent – CIRCABC Leaders

at pserrier@cnil.fr ; Marc.Lemmer@cnpd.lu; vincent.legeleux@cnpd.lu

 

11 February 2020 Update

The Global Privacy Assembly (GPA) membership is organised into Working Groups that concentrate on the most significant GPA initiatives identified by the membership, deriving their mandate and direction from the annual conference, typically leading from Resolutions. Learn more about the GPA Working Groups.

In this video, Ms Marie-Laure Denis, President of the Commission Nationale de l’Informatique et des Libertés (CNIL), gives an update on the work of the Working Group on Digital Education.

GPA welcomes its first Reference Panel

The Global Privacy Assembly (GPA) has appointed its first Reference Panel, a contact group of varied external stakeholders who will support the Assembly and its members by providing expert knowledge and practical expertise on data protection and privacy, as well as on data protection related issues and developments in information technology.

The independent panel of 16 members was drawn from a very strong applicant pool and provides expertise from around the world from relevant civil society organisations, academic institutions and think tanks who have an interest in the vision and mission of the GPA. Its membership has been endorsed by the GPA membership and Executive Committee.

The Reference Panel is chaired by Ulrich Kelber, member of the GPA Executive Committee, and Germany’s Federal Commissioner for Data Protection and Freedom of Information.

Ulrich Kelber has launched this new stream of work, providing personal invitations to the first Reference Panel. He said:

“I am glad we could bring together all these experts from different cultural and professional backgrounds. They will provide new perspectives on privacy related topics for the GPA. I am honoured to be the chair of the Reference Panel and I look forward to our first official meeting.”

The work to establish the Panel was an extensive process. An Assessment Group consisting of representatives from 14 GPA member authorities from all global regions assessed a high number of applications. The calibre of applicants was exceedingly high, and each Assessment Group member played a vital part in finalising the shortlist of candidates.

The GPA Assessment Group was chaired by Paula Hothersall, ICO Director of Regulatory Strategy (International), who said:

“The Assessment Group’s work was no easy task given the high calibre of candidates, but the success of having the panel endorsed by the membership and the Executive Committee echoes its strength. We look forward to the promising contributions of the Panel in the coming months.”

The Reference Panel met for the first time on 29 April 2021, and over the next few months the GPA will work to establish their work plan and contributions both to the work groups and the yearly conference.

Find out more about the GPA Reference Panel members.

Déclaration conjointe du GPA Comité Exécutif sur l’utilisation des données de santé à des fins de voyage national ou international

Les autorités chargées de la protection des données personnelles et de la vie privée soulignent l’importance du respect de la vie privée dès la conception dans la communication des données relatives à la santé aux fins de voyages nationaux ou internationaux pendant la pandémie de COVID-19.

Contexte

Les gouvernements du monde entier mettent en œuvre des mesures pour freiner la propagation de la COVID-19 tout en planifiant la pleine reprise des activités économiques et sociales au-delà des frontières. Pour de nombreux passagers nationaux ou internationaux, cela signifie qu’ils doivent communiquer des renseignements sur leur santé, tels qu’un résultat négatif au test de dépistage de la COVID-19 ou leur statut de vaccination, comme condition préalable au voyage. Des « passeports sanitaires » et des « codes sanitaires » numériques ont également été proposés.

La communication potentielle de ces données personnelles relatives à la santé, à une vaste échelle, au-delà des frontières et entre diverses entités, est sans précédent. La technologie numérique permet de le faire rapidement et à grande échelle. Si de telles mesures peuvent se justifier pour des raisons de santé publique, la communication de ces renseignements sensibles peut et devrait se faire dans le respect de la vie privée. La technologie présentera des risques mais aussi la possibilité de mettre en place des mesures de protection pour les personnes. L’innovation peut aller de pair avec la protection de la vie privée.

Depuis le début de la pandémie, les membres de l’Assemblée mondiale pour la protection de la vie privée ont conseillé des gouvernements, des entreprises privées, des organisations caritatives et des organisations non gouvernementales sur la conception et l’élaboration de systèmes permettant de traiter les données personnelles relatives à la santé de manière à protéger au mieux la vie privée. La présente déclaration vise à compléter les efforts déployés à l’échelle nationale ou régionale et à contribuer à un résultat concret et coordonné en matière de protection de la vie privée à l’échelle internationale. Elle reflète les principes communs de protection des données et de la vie privée à l’échelle mondiale, dont la protection de la vie privée dès la conception et par défaut.

Renforcer la confiance du public en protégeant la vie privée

Pour instaurer un climat de confiance en ce qui concerne le traitement des données personnelles relatives à la santé aux fins de voyage, il faut que les personnes aient l’assurance que leurs données sont traitées de manière sécurisée; que les données qui leur sont demandées ne sont pas excessives; que des informations claires et accessibles sont mises à leur disposition pour comprendre comment leurs données seront utilisées; que le traitement a une finalité bien précise; et que leurs données ne seront pas conservées plus longtemps que nécessaire.

Le comité exécutif de l’Assemblée mondiale pour la protection de la vie privée rappelle que si les données et la technologie peuvent être des outils importants pour mieux lutter contre la pandémie de COVID-19, elles ont des limites intrinsèques et ne peuvent que tirer parti de l’efficacité d’autres mesures de santé publique. En outre, elles doivent s’inscrire dans une stratégie globale de santé publique pour lutter contre la pandémie. Les principes d’efficacité, de nécessité et de proportionnalité doivent guider toute mesure adoptée par les gouvernements et les autorités qui implique le traitement de données personnelles pour lutter contre la COVID-19[1].

Le comité exécutif de l’Assemblée mondiale sur la protection de la vie privée invite donc instamment les gouvernements et les autres organisations responsables du traitement des données personnelles relatives à la santé aux fins de voyages internationaux à prendre en considération les principes suivants, qui reflètent les pratiques et les principes communs de protection des données à l’échelle mondiale, et à leur accorder toute l’attention requise :

  • Le traitement des données personnelles relatives à la santé comme condition préalable à un voyage international peut se justifier pour des raisons de santé publique, mais il est indispensable de prendre en compte les risques pour la vie privée dès le départ.
  • Les principes de « protection de la vie privée dès la conception et par défaut » devraient être intégrés à tout système, application ou accord d’échange de données concernant le traitement des données personnelles relatives à la santé aux fins de voyages internationaux. Une évaluation formelle et complète de l’impact sur la vie privée des personnes avant le début de tout traitement est la meilleure méthode pour veiller à ce que les principes de protection des données dès la conception soient mis en œuvre dans la pratique et à ce que les risques sous-jacents soient atténués de manière appropriée. Les organisations devraient demander conseil auprès des autorités chargées de la protection des données personnelles et de la vie privée sur cette question ou encore consulter les orientations de ces dernières.
  • Les données personnelles recueillies, utilisées ou communiquées pour atténuer les effets de la COVID-19 sur la santé publique doivent avoir une finalité clairement définie. La finalité devrait être précise, dans le contexte général de la mesure de santé publique. Les données personnelles ne doivent pas être utilisées d’une manière incompatible avec cette finalité.
  • Toutes les organisations doivent agir en vertu d’une autorité légale compétente et appropriée, en veillant à ce qu’elles ne traitent les données personnelles relatives à la santé que lorsque cela est nécessaire et proportionné.
  • Les droits des personnes vulnérables, qui ne sont pas en mesure d’utiliser des appareils électroniques ou qui n’y ont pas accès, doivent être protégés, et des solutions de rechange devraient être envisagées pour veiller à ce que ces personnes ne soient pas victimes de discrimination. De même, les droits des personnes qui, en raison de leur âge, de risques éventuels pour leur santé ou d’autres conditions sous-jacentes, ne peuvent pas être vaccinées, devraient également être protégés.
  • Les personnes devraient être informées de la manière dont leurs données sont utilisées, par qui et dans quel but, et recevoir des informations claires et accessibles.  La diversité géographique, culturelle et linguistique des personnes désireuses de voyager doit être reconnue.
  • Les organisations ne devraient recueillir auprès des individus ou d’autres sources que la quantité minimale de renseignements sur la santé qui est nécessaire à leur contribution à la protection de la santé publique.
  • Des mesures devraient être prises pour faire face aux risques liés à la communication directe de renseignements provenant de dossiers médicaux aux fins de voyage – parmi les stratégies de protection de la vie privée dès la conception, pensons aux systèmes fédérés de gestion de l’identité et au niveau de traitement effectué par les dispositifs utilisés.
  • Les risques relatifs à la cybersécurité de tout système ou application numérique doivent être pleinement évalués, en tenant compte des dangers qui peuvent émaner de divers acteurs dans un contexte de menace mondiale.
  • Les organisations devraient réfléchir soigneusement à la durée de conservation des données et établir un calendrier de conservation prévoyant la suppression sûre des renseignements lorsqu’ils ne sont plus nécessaires.
  • Des clauses de temporisation devraient être intégrées dans la conception de ces systèmes, prévoyant la suppression permanente de ces données ou bases de données, et reconnaissant que le traitement courant des renseignements sur la santé en lien avec la COVID-19 aux frontières peut devenir inutile une fois la pandémie terminée. Les systèmes devraient également être revus périodiquement pour veiller à ce que le traitement reste nécessaire et proportionné pendant la pandémie.

[1] https://globalprivacyassembly.org/wp-content/uploads/2021/01/FINAL-RESOLUTION-COVID-19-VERSION-FINALE-ADOPTEE-FR.pdf

GPA Executive Committee joint statement on the use of health data for domestic or international travel purposes

The Global Privacy Assembly (GPA) Executive Committee has today published a joint statement on the importance of privacy by design in the sharing of health data for domestic or international travel requirements during the COVID-19 pandemic.

Data protection and privacy authorities highlight the importance of privacy by design in the sharing of health data for domestic or international travel requirements during the COVID-19 pandemic

 

Background
Governments around the world are implementing measures to stop the spread of COVID-19 whilst also planning for a return to full economic and social activity across borders. For many domestic or international passengers, this has meant sharing health information such as a negative COVID-19 test result or vaccination status as a prerequisite of travel. Digital ‘health passports’ and ‘health codes’ have also been proposed.

The potential sharing of these elements of health data, on a mass scale across borders, and across a range of entities, is unprecedented. Digital technology provides the opportunity to do this at speed and scale. Whilst such steps may potentially be justifiable on public health grounds, the sharing of this sensitive information can and should be done in a privacy protective manner. Technology will offer both risks and opportunities to build protections for individuals. Innovation can go hand in hand with privacy.

Since the start of the pandemic, members of the Global Privacy Assembly have advised governments, private enterprises, charities and non-governmental organisations on the design and development of systems that allow the processing of personal health data in a manner that best protects privacy. This statement seeks to complement efforts made at a national or regional level, and contribute to a positive, co-ordinated privacy outcome internationally, reflecting common global principles of data protection and privacy, including privacy by design and default.

Building public trust by protecting privacy

In order to build trust and confidence in the way in which health data is processed for travel purposes, individuals need to be assured that: their data is handled securely; the data
demanded of them is not excessive; they have clear and accessible information to understand how their data will be used; there is a specific purpose for the processing; their data will be
retained for no longer than is necessary.

The Global Privacy Assembly Executive Committee recalls that while data and technology can be important tools to help fight the COVID-19 pandemic, they have intrinsic limitations and can merely leverage the effectiveness of other public health measures and need to be part of a comprehensive public health strategy to fight the pandemic. The principles of effectiveness, necessity, and proportionality must guide any measure adopted by government and authorities that involve processing of personal data to fight COVID-19. 1

The Global Privacy Assembly Executive Committee therefore urges governments, and other organisations responsible for processing health data for the purposes of international travel,
to consider and pay due regard to the following principles, which reflect common global data protection principles and practice:

  •  The processing of health data as a prerequisite of international travel may be justifiable on the grounds of protecting public health, but considering privacy risks at the outset is vital.
  • ‘Privacy by design and default’ principles should be embedded into the design of any system, app or data sharing arrangements regarding the processing of health data for the purposes of international travel. A formal and comprehensive assessment of the privacy impact on individuals before the commencement of any processing is the best method of ensuring data protection by design principles are implemented in practice and underlying risks are mitigated appropriately. Organisations should seek advice or consult guidance from data protection and privacy authorities on this issue.
  • Personal data collected, used or disclosed to alleviate the public health effects of COVID-19 require a clearly defined purpose. The purpose should be specific within the broad context of the public health measure. Personal data must not be used in a manner incompatible with this purpose.
  • All organizations must operate under relevant and appropriate lawful authority, ensuring that they only process health data when it is necessary and proportionate to do so.
  • The data protection rights of vulnerable individuals, who may not be able to use, or may not have access to, electronic devices, must be protected, and alternative solutions should be considered to ensure that such individuals do not suffer discrimination. Similarly, the data protection rights of those who due to their age, possible health risks or other underlying conditions cannot be vaccinated should also be protected.
  • Individuals should be informed of how their data is being utilised, by whom and for what purpose, providing clear and accessible information, recognising the geographical, cultural and linguistic diversity of the people of society who will wish to travel.
  • Organisations should collect the minimum health information from individuals or other sources that is necessary for their contribution to protection of public health.
  • Measures should be used to address the risks of directly sharing information from health records for travel purposes – privacy by design approaches can include federated identity systems and device level processing.
  • The cyber security risk of any digital systems or apps must be fully assessed, taking full account of the risks that can emerge from different actors in a global threat context.
  • Organisations should consider carefully for how long data should be retained, and design a retention schedule for the safe deletion of information once it is no longer
    required.
  • Sunset clauses should be built into the design of such schemes, foreseeing permanent deletion of such data or databases, recognising that the routine processing of COVID 19 health information at borders may become unnecessary once the pandemic ends.

The schemes should also be reviewed periodically to ensure that the processing remains necessary and proportionate whilst the pandemic is ongoing.

1  https://globalprivacyassembly.org/wp-content/uploads/2020/10/FINAL-GPA-Resolution-on-Privacy-Data-Protection-Challenges-Arising-in-the-Context-of-Covid-19-Pandemic-EN.pdf

 

 

The Digital Education Working Group (DEWG) adopts a joint contribution regarding the United Nations General Observation on the rights of the child in the digital environment

Children are particularly vulnerable to the risks associated with the digital environment. For this reason, protecting children’s privacy online is a priority action for the Global Privacy Assembly (GPA) of data protection and privacy authorities and its Digital Education Working Group (DEWG) conducted by Marie-Laure DENIS as Chair, and the French CNIL.

In 2020, the UN Committee on the Rights of the Child has prepared a draft General Comment (GC) No. 25 (202x) on the rights of the child in relation to the digital environment and invited all interested parties to provide comments. The goal of this GC is to support the realisation of the United Nations Convention on the Rights of the Child (UNCRC) in the digital environment and provide guidance on measures to ensure full compliance by government, business and industry with their obligations to fully support children’s right in the digital environment.  In this context, the DEWG has adopted a contribution to support the project’s orientations, made proposals with regard to the right to protection of children’s personal data. In particular, the contribution focuses on the exercise of the rights of children, profiling and automated decision making, commercial exploitation of children’s data, the consideration of child-related specificities by public authorities and the private sector and digital education. This contribution, which was unanimously supported by some 74 DEWG’s member Authorities, is made available in English and French (in Spanish-tbc), and has been be published on the website of the Committee of the Rights of the child (n°35 in the list).

As a matter of fact, the core of the DEWG’s mandate aims to promote digital education that respects the rights and freedoms of all, and raise awareness on the exercise of digital rights by children. The overarching objective is to allow children to develop the competences and skills needed to grow into responsible digital citizens. For this purpose, the DEWG has adopted several GPA resolutions over the years and conducted in 2019-2020 an international study regarding the legal frameworks applying to children and the exercise of the rights of minors, including an overview of various national initiatives by Data Protection Authorities on children’s rights online.

Any question related to this issue can be addressed to Pascale Raulin-Serrier at pserrier@cnil.fr as the DEWG Coordinator.

GPA January 2021 Newsletter marks International Data Protection Day 2021

Happy International Data Protection Day from the Global Privacy Assembly (GPA)!

The GPA January 2021 Newsletter is now published and available on the GPA website, featuring articles from leading representatives of some of the key data protection and privacy organisations worldwide for your interest and enjoyment.

View Newsletter

Elizabeth Denham, UK Information Commissioner and GPA Chair, has been featured on Council of Europe’s video together with 40 members of the Data Protection Community in the world. They shared Happy Anniversary messages, emphasising how Convention 108 is important for their respective country or organisation and their work.

Ms Denham said: “As Chair of the Global Privacy Assembly I see the Convention as playing an important role, a bridge between countries, between jurisdictions to encourage international regulatory cooperation.”

Watch the video on Vimeo

The Reference Panel application window is now closed

The GPA Reference Panel welcomed applications between 22 January 2021 and 19 February 2021, these applications are now being assessed and we will be in touch with all applicants as soon as we can.

What is the Global Privacy Assembly?

Established in 1979, the GPA is an international forum of data protection and privacy authorities which seeks to provide leadership at the international level by connecting the efforts of more than 130 data protection and privacy authorities from across the globe. If you wish to know more about the GPA’s current priorities, please refer to our Strategic Plan (2019 – 2020) and Policy Strategy.

What is the GPA Reference Panel?

The GPA Reference Panel will be a contact group involving a variety of external stakeholders which the GPA is seeking to establish in order to provide expert knowledge and practical expertise on data protection and privacy, as well as on data protection related issues and developments in information technology.

Who can respond to the call?

The call for interest is aimed at representatives of relevant civil society organisations, academic institutions, think tanks, non-privacy supervisory authorities, representatives of public authorities such as law enforcement authorities, and representatives of the private sector who have an interest in the vision and mission of the GPA.

If you have any questions regarding the application process and the GPA Reference Panel, please contact the GPA Secretariat email.

GPA application process for new members and observers now open

The Global Privacy Assembly’s (GPA) application process for new members and observers is now open for the 2021 cycle.

The GPA’s vision is to be an environment in which privacy and data protection authorities around the world are able effectively to act to fulfil their mandates, both individual and in concert, through diffusion of knowledge and supportive connections.

Since its foundation in 1979, the GPA has been continually growing and now includes more than 130 authorities from across the globe. Each year, the GPA welcomes new applications from authorities who wish to become members and from public entities or international organisations that wish to participate in the GPA as observers.

If you wish to apply for membership to the GPA, you may do so by filling in the online application form. Applications for membership will remain open until end of day, Sunday, 18 July 2021.

International organisations and public entities who wish to join as observers may do so by filling in the appropriate online application form. Applications for observer status will remain open until end of day, Sunday, 22 August 2021.

However, aspiring applicants are encouraged to submit their application as early as possible to ensure their applications are in a timely manner. Applicants are also strongly encouraged to read the information available on the Become a Member page or the Become an Observer page before submitting their application.

If you are an existing Observer whose status is due to expire in 2021, please renew your status by filling in the renewal form.

If you have any questions concerning any of the above, please contact the GPA Secretariat at secretariat@globalprivacyassembly.org.

GPA Census is now live

The 2020 Census is open from the 1st December 2020 – 12th February 2021, and we look forward to your responses. The link to complete the Census has been provided to the membership for completion, if you have any queries please contact the secretariat@globalprivacyassembly.org.

The Global Privacy Assembly Census is designed to give a detailed ‘snapshot’ of privacy and data protection authorities across the globe, as well as contributing to the aims of the Resolution on developing new metrics of data protection regulation which include to:

  • Develop internationally comparable metrics in relation to data protection and privacy; and
  • Support the efforts of other international partners to make progress in this area.

This is the second time we have run a census in our membership, the last one taking place in 2017. We plan on presenting the full results at the latest at the 2021 annual global conference next October and several Working Groups will be invited to contribute to the analysis.

The text of the survey form used in the 2020 census (in PDF form) is available in English, Spanish and French.

The Census Privacy statement can be found here.

Information on the 2017 Census can be found here.