Category Archives: Other

As countries begin to ease their coronavirus (COVID-19) restrictions, data protection and privacy authorities across the world are faced with a fundamental question: how can we enable governments’ responses to the pandemic and subsequent recovery whilst continuing to protect  citizens’ personal data and privacy? 

Recognising this challenge, the Global Privacy Assembly (GPA) has launched a COVID-19 Taskforce to drive practical responses to privacy issues emerging from the pandemic, as well to assist its membership with insight and best practices. 

Raymund Liboro, Privacy Commissioner of the Philippines National Privacy Commission and GPA’s Executive Committee member, will chair the GPA COVID-19 Taskforce. 

Mr Liboro said: “We have seen that personal data and technology have become essential in helping governments respond to the COVID-19 pandemic. From contact tracing and location tracking applications, to COVID-19 testing as people start going back to the workplace, data protection and privacy have never been more important. 

“Our aim for this taskforce is to examine current privacy concerns, while finding the right balance between supporting innovation to combat the pandemic and ensuring people’s personal data and information rights are respected. We will draw on the expertise of our membership and stakeholders to provide useful insight on common challenges.” 

The GPA COVID-19 Taskforce, representing more than 30 organisations across all global regions, first met on 26 May 2020, coinciding with Privacy Awareness Week in the Asia-Pacific region.  

During its first meeting, the Taskforce discussed the most strategic and pressing privacy issues that will require in-depth examination over the next few months. Members agreed on an initial workplan, with a view to communicate regularly on progress and information on initiatives to the GPA membership community and wider audience.  

For more information and resources on data protection and COVID-19 visit globalprivacyassembly.org/covid19 

A statement by the Global Privacy Assembly’s Executive Committee.

Background

Data protection and privacy authorities around the world are working together with public bodies and commercial organisations to respond to and manage the global COVID-19 pandemic.  Our March 17, 2020 statement observed that GPA member authorities operate under data protection and privacy laws that enable the use of data to protect public health, while also protecting the public’s personal data in a way that the public expects.

GPA authorities are working to assist public bodies and organisations to understand what good practice looks like in a pandemic. We are therefore encouraged to hear that many member authorities have, since our March statement, been engaged by organisations and public bodies in a common effort to overcome COVID-19. This acknowledges the need to work constructively to ensure privacy is protected as we seek solutions to this public health crisis.

COVID-19 contact tracing and public trust

Many authorities are at this time advising, reviewing and consulting on contact tracing measures. The issues being considered around the world are similar and revolve around universal data protection and privacy principles.

Contact tracing has historically been a vital pandemic response tool. Many governments around the world wish to harness technology to automate traditional contact tracing methods, which may be labour-intensive.  Smart phone contact tracing apps are therefore being designed and rolled out globally.

We are issuing this statement about contact tracing measures being implemented around the globe because we recognise that public trust and confidence in the way personal information is handled and protected is a necessary precondition for their success. Whilst the public interest case is strong, protecting privacy and acting in accordance with public expectations is part of achieving the solution.

The success of contact tracing apps will depend on the trust of individual members of the public that their privacy will be protected appropriately and wider ethical considerations have been addressed.  Uptake may be higher if governments and organisations transparently demonstrate that privacy risks have been adequately addressed.  Authorities are playing their part in achieving fit-for purpose privacy protections, and wherever possible are prioritising consultation requests about COVID-related measures.

Privacy considerations in contact tracing design, implementation and operation

The value of privacy by design lies in  ensuring privacy is carefully considered when developing new technologies in the interests of protecting public health. The data and privacy protection work of GPA authorities not stand in the way of innovation, rather privacy by design is a key enabler for both ethical and lawful innovation and the protection of personal data.

Privacy and data protection impact assessments (DPIAs) help ensure public bodies and organisations take a privacy by design approach by documenting in advance what their intended use of data is and how this can inform limitation in data collection, identifying the risks that their use of data could create, and developing strategies to mitigate those risks to inform the design. In conducting this impact assessment, organisations may need to consult and engage with their intended user base and with regulators. DPIAs should also be clear about other possible current and future uses of the data, such as for research in the public interest.  A DPIA can also be iterative, updated as needed, and provide opportunities for further engagement and public debate when it is made available for wider scrutiny.

In the current circumstances of the pandemic, measures are being developed as a direct response to these extraordinary circumstances. Time limitation is therefore also critical in establishing public trust in these responsive measures.

The following questions are addressed to organisations and governments engaged in contact tracing measures and can inform the development of contact tracing apps to ensure personal information is protected and the impact on privacy is minimised:

• Have you adopted a privacy by design approach?
• Have you conducted an assessment of the privacy risks? Is this assessment up to date?
• Have you addressed the security, safeguards, and necessity of both centralised and decentralised models?
• Have you had open and constructive engagement with your data protection authority?
• Are you being transparent with users, including providing a clear privacy statement or notice where required by law?
• Are you being transparent in a way that facilitates public debate?
• Is your contact tracing app temporary and will data be deleted when no longer required?
• Do you intend to retain data for research in the public interest? If so, what privacy protections have been adopted and is anonymisation envisaged at design stage?
• Do you have a process in place to revisit privacy implications if features are proposed to change?

Looking ahead to other COVID-19 measures and privacy

Some governments around the world are contemplating other pandemic responses involving personal information such as immunity passports, temperature checks and customer identification requirements. The principles set out in this statement also apply to these and other measures that may be considered, and further clarifying statements on those measures will be issued as required. The GPA will continue to listen to concerns from its member authorities to ensure our efforts address the most pressing issues being brought to the attention of GPA authorities by those working on COVID-19 measures.

– GPA Executive Committee

For more information and resources visit the GPA COVID-19 Response Repository.

The Executive Committee of the Global Privacy Assembly (GPA) recognises the significant impact the COVID-19 pandemic has had on our lives and in our membership’s jurisdictions in the past few weeks.

We would like to thank our membership for contributing positively in this extraordinary time by supporting Authorities with their expertise and guidance, which can be found on our website.

Building on our collective efforts, the Executive Committee met earlier this week to discuss the ongoing work of the GPA, including this year’s conference.

After careful consideration of the unprecedented global circumstances we are experiencing in 2020, the Executive Committee has accepted the INAI Mexico’s decision to postpone this year’s conference in Mexico. This means the GPA’s annual conference will be held in Mexico in 2021.

The Office of the Privacy Commissioner of New Zealand has also agreed to postpone its planned hosting of the GPA until 2022. This means the host bid process for 2022 will be suspended. As for the 2023 conference, we will be launching the host bid process in due course.

But 2020 must not be a lost year for the GPA. We should continue shaping the future of our Assembly, working on our Policy Strategy objectives and learning from the fantastic work already completed by our Working Groups. In that respect, both our annual forum and our continued work throughout the year have never been more important.

That’s why we have tasked the GPA Secretariat to explore options on how to carry out the essential elements of our annual conference this year, including finding a suitable, secure digital platform where members and observers will be able to meet virtually. More information will be available in due couse.

We are disappointed that we won’t see you in Mexico this year, but we must make the health and wellbeing of our membership a priority.

– GPA Executive Committee

The Executive Committee of the Global Privacy Assembly (GPA) recognises the unprecedented challenges being faced to address the spread of Coronavirus (COVID-19).

Addressing these challenges requires coordinated responses at national and global levels, including the sharing of personal information as necessary by organisations and governments, as well as across borders.

We are confident that data protection requirements will not stop the critical sharing of information to support efforts to tackle this global pandemic. The universal data protection principles in all our laws will enable the use of data in the public interest and still provide the protections the public expects. Data protection authorities stand ready to help facilitate swift and safe data sharing to fight COVID-19.

Health data is considered sensitive across many jurisdictions, but work between data protection authorities and governments means we have already seen many examples of national approaches to sharing public health messages; of using the latest technology to facilitate safe and speedy consultations and diagnoses; and of creating linkages between public data systems to facilitate identification of the spread of the virus.

We issue this statement today to set out our support for public bodies and health practitioners to be able to communicate directly with people, and scientific and government bodies to coordinate nationally and globally, to tackle the current COVID-19 pandemic.

Our data protection and COVID-19 resources page provides the latest guidance and information from GPA members.

– GPA Executive Committee

Elizabeth Denham CBE, GPA Chair and UK Information Commissioner

Marguerite Ouédraogo Bonané, President of CIL, Burkina Faso

Angelene Falk, Information Commissioner and Privacy Commissioner, Office of the Australian Information Commissioner

Raymund Enriquez Liboro, Privacy Commissioner and Chairman, Philippines National Privacy Commission

Eduardo Bertoni, Director of the National Access to Public Information Agency, Argentina

Besnik Dervishi, Information and Data Protection Commissioner, IDP Albania

Francisco Javier Acuña Llamas, President Commissioner, National Institute for Transparency, Access to Information and Protection of Personal Data (INAI), Mexico

John Edwards, Privacy Commissioner, Office of the Privacy Commissioner, New Zealand

The Global Privacy Assembly (GPA) membership is organised into Working Groups that concentrate on the most significant GPA initiatives identified by the membership, deriving their mandate and direction from the annual conference, typically leading from Resolutions. Learn more about the GPA Working Groups.

In this video, Privacy Commissioner John Edwards (Office of the Privacy Commissioner, New Zealand) gives an update on the GPA Working Group on Data Protection Metrics.

Happy International Data Protection Day from the Global Privacy Assembly!

Elizabeth Denham CBE, Chair of GPA and UK Information Commissioner, is speaking by video today at the International Data Protection Day 2020 event hosted by the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI) in Mexico City.

In her speech, Ms Denham says that the data protection world has perhaps never been a more challenging one. But that our international partnerships can bring solutions, with the GPA moving towards stronger regulatory co-operation, paving the way not only to sharing best practice but potentially sharing lines of enquiry – view the GPA Strategic Plan 2019-2021.

Ms Denham also says that one of the emerging areas of data protection right now is considering the human values that underpin privacy. And it’s welcome that our GPA conference in Mexico City later this year will take this emphasis on human values as a starting point for its theme, of ‘Privacy and Data Protection: A human-centric approach’.

You can read more about the GPA 2020 in Mexico City in our latest newsletter.

The Global Privacy Assembly (GPA) has re-opened the application process to welcome new members and observers into its community.

Established in 1979, the GPA community has continued to grow ever since, currently comprising more than 100 member authorities across the globe.

Each year, the GPA welcomes new applications for data protection authorities wishing to join as members, as well as for other public entities and international organisations having an interest to become GPA observers.

If you wish to become a Member, please complete the online application form. Membership applications will close on 10 July 2020, although prospective applicants are strongly encouraged to submit their application as early as possible to allow the Executive Committee to carefully examine the evidence submitted.

If you wish to join the GPA community as an Observer, please complete the relevant application form. Applications for observer status will close on 9 August 2020, although prospective applicants are strongly encouraged to submit their application at an early stage.

For any questions related to the GPA Accreditation process for membership and observer status please get in touch with the GPA Secretariat at secretariat@globalprivacyassembly.org

Today the International Conference of Data Protection and Privacy Commissioners has launched a new logo and a new name: Global Privacy Assembly (GPA).

Building on our 40-year history, the new logo and name represent the evolution of the conference and the current work to modernise it, including a new policy strategy which sets out a clear vision for the organisation.

Elizabeth Denham, GPA Chair and UK Information Commissioner, said: “Our new name feels hugely significant. Data protection and privacy is now too great an issue for this community to only have a role once a year. That’s why we took a step forward at last month’s conference in Tirana, when we agreed a set of strategic priorities that strengthen the group’s position as an effective and influential international forum. The new name reflects a group that supports one another year round, sharing knowledge and building stronger cooperation.”

Our colleagues from the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI), México undertook the challenge to design options for our new logo and name, with the membership having the final say by voting for their preferred option. INAI is also hosting the next Global Privacy Assembly conference in Mexico City in October 2020.

Francisco Javier Acuña Llamas, President Commissioner of the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI), México, said: “Thanks to the collaboration of our colleagues, we created a logo which represents the organisation’s main attributes: international cooperation, knowledge sharing, independence and leadership.

“These four concepts emerged from a consultation with the membership, and they were used as guiding concepts for the design of the logo and were translated into organic and iconic forms, in complementary and harmonious colours.

“The implementation of elements that point towards progress, such as the arrow, indicates the leadership of the representatives of each country, and the circular forms aspires to reflect the exchange of knowledge and the capacity for cooperation among the international authorities involved.

“For the name of the Conference, it was sought to recall, in an easy and short way, the nature of the Conference itself, but not with less strength. And with the intention of expressing modernity and balance together with the other elements of the logo, Global Privacy Assembly (GPA) was created.”

Over the next few weeks, the Assembly’s visual identity will start to align around its new direction. You’ll see changes on the website, social media and on stationery. It’s an evolution of our 40-year-old history. It’s a Global Privacy Assembly of data protection and privacy commissioners.

For protecting personal data today and in the future, accountability is key. There is no doubt about that. The International Conference has rightly placed the principle of accountability in the spotlight.

In the terms of the General Data Protection Regulation, accountability means two things: first, an accountable organisation must have appropriate measures in place to ensure compliance. And secondly, an accountable organisation must be able to demonstrate its compliance.

This might seem straightforward, but it actually is an important evolution. The incorporation of the accountability principle in the GDPR is a key change compared to the Data Protection Directive and is a fundamental shift in approach. It is a move away from red-tape and box-ticking exercises, such as the requirement to obtain authorisation from the regulator before launching a processing operation. Instead, organisations must now pro-actively define their approach to data protection and create a culture of commitment to this fundamental right. Organisations must understand the risks that they create for others with their data processing operations, and mitigate those risks by introducing internal measures, such as privacy management programmes.

It is important to remember that accountability is a process and not just a toolbox.  Demonstrating compliance is more than just a snapshot of processing operations during a certain moment in time. It is rather an increasing awareness and understanding of how an organisation processes data.

Can accountability contribute to overcoming differences between data protection regimes in various parts of the world?

It can certainly play a significant role. However, organisations must:

1. assess local jurisdictions carefully;
2. adapt their privacy management programmes accordingly and
3. use the highest standard as a common denominator across all jurisdictions.

This is a tall order, but organisations are not alone on this journey. Regulators worldwide have been leading and supporting the discussion on how to reach consensus on accountability across jurisdictions.

For more information about ICDPPC 2019 visit www.privacyconference2019.info

Dr Andrea Jelinek, Chair of the European Data Protection Board, is the moderator of ‘Panel IV: Accountability – the global bridge to support high standards of data protection?’, Open Session, 41st International Conference of Data Protection and Privacy Commissioners, Tirana, Albania.

Opening remarks from Elizabeth Denham CBE, Chair of ICDPPC and UK Information Commissioner, at the 41st International Conference of Data Protection and Privacy Commissioners in Tirana, Albania on 23 October 2019.

Original script may differ from delivered version.

On behalf of the conference, let me thank Commissioner Dervishi and his team, and our ICDPPC 2019 Programme Advisory Committee co-led by Peter Hustinx, who’ve all done such a fantastic job organising this week’s programme.

This is our forty first conference, continuing an event first held in 1979.

This year’s event comes at a crucial time. We are in an era where privacy has become mainstream.

We all in this room have seen that change first-hand over the past year or two. People are expecting more around how their data is handled, and so many of the big international issues – the big discussions – have a central privacy element, from fair elections to keeping children safe online, from crypto currencies to facial recognition technologies.

The focus of our closed conference for ICDPPC members over the past two days reflected that context.

I’m so proud to be able to tell you that we have endorsed this week what I believe is an historic agreement towards greater regulatory cooperation and high data protection standards.

We have agreed an international approach that tells a shared story, built on the foundations of the ICDPPC’s own Madrid Declaration and previous conference resolutions.

• We all know consumers in Canberra, Cape Town and Accra suffer alike when big companies get data protection wrong. And so the ICDPPC has moved to strengthen regulatory co-operation, paving the way not only to sharing best practice, but potentially sharing lines of enquiry.
• We all know people in Seoul, San Francisco and Stockholm are asking the same data protection questions. Questions around how new technologies and new approaches affect them. And so the ICDPPC has moved to better our collaboration on policy themes, so we can build on each other’s work.
• Authorities worldwide, so many of whom are in this room today, share ambitions to continue to be effective and efficient data protection regulators. This week we have endorsed a move to work harder to share expertise, help one another and work together year-round.

We have resolved to open our gates further. We will share ideas within our membership, and engage with the world beyond our community, including a new reference panel to be formed next year.

Do look at the new release on the ICDPPC website to see more details of the important discussions we had in that closed session.

And I’d add that we agreed a new name and logo reflecting our continued growth – more on that later in the conference.

The thread joining all of that work is convergence and connectivity, a theme we continue in the fantastic agenda we have ahead of us today and tomorrow.

We’ll hear more of the clamour for high standards globally. We’ll talk about the impact of data driven business models and the role of data in competition. And tomorrow we’ll hear about accountability and the challenges we can expect in the future.

We also have three outstanding keynote speakers:

• the always thought-provoking Jamie Bartlett,
• Brad Smith, who brings a crucial insight from the digital economy,
• and then tomorrow Christopher Docksey, who brings expertise on accountability and the GDPR.

Before we begin, we must acknowledge someone who is not with us today. I spoke at the closed session of how our work this week in Tirana builds on the wisdom and expertise shared at previous conferences. We stand on the shoulders of giants. And Giovanni Buttarelli was truly a giant of our community.

Giovanni Buttarelli was an inspiring figure in the international data protection and privacy community. He was an integral member of our Executive Committee and co-host of last year’s conference. And to so many of us in this room he was a friend.

I’d like to conclude my welcome by playing this short tribute video, which we’re grateful to the European Data Protection Supervisor for providing.