Entries submitted

C1: Office of the Privacy Commissioner of Canada
C2: Office of the Privacy Commissioner, New Zealand
C3: Superintendence of Industry and Commerce, Colombia [shorlisted]
C4: CNIL France [shorlisted]
C5: Information Commissioner’s Office (ICO), UK [winner]

C1 – Entry by: Office of the Privacy Commissioner of Canada

Description of the initiative: 

Issued in April 2020, the OPC Framework for the Government of Canada to Assess PrivacyImpactful Initiatives in Response to COVID-19 sets out privacy principles for government to observe in any assessment of measures meant to combat COVID-19. The principles include necessity and proportionality, openness and transparency measures, and oversight and accountability mechanisms, among others. The framework was issued in response to data driven initiatives to contain and gain insights about the novel virus, including potentially more extraordinary and less voluntary measures being contemplated, some with significant implications for privacy and civil liberties.

Why the initiative deserves to be recognised by an award?

The OPC’s Framework document is a strong case study of how a data protection authority can have a demonstrable, proactive impact on government program-design decisions. Spring 2020 was a period of considerable urgency for Canada, with new pandemic initiatives being announced on a weekly basis. Border authorities, immigration officials, and health agencies were all seeking privacy guidance from our Office.

In direct response to this demand, the Framework sets out key privacy principles that should factor into any privacy impact assessment of COVID-19 measures or programs, which was a major concern for many governmental authorities ramping up various initiatives to respond to the pandemic. It delineates essential considerations for program managers and sets out clear direction for government organizations wherever personal information is collected, utilized or shared in the context of pandemic response.

We note that the Framework was developed as a full countrywide lockdown took place, leading to technical challenges of implementing mass telework. Despite this, in mid-April 2020, it was one of the first DPA-issued pieces of general guidance responding to the pandemic, crafted specifically for government authorities, and addressed a pressing need to ensure COVID-related measure were developed and deployed in a privacy sensitive manner.

View more information.


C2 – Entry by: Office of the Privacy Commissioner, New Zealand

Description of the initiative: 

As COVID-19 emerged in New Zealand in early 2020, the Ministry of Health entered into arrangements of sharing COVID-19 patient information with emergency services. This Inquiry assessed whether those arrangements where compliant with New Zealand privacy
laws, specifically focusing on:

– The Ministry of Health’s disclosure of COVID-19 patient information to emergency services, including Police; and
– Police’s access to and use of that COVID-19 patient information.

Why the initiative deserves to be recognised by an award?

This inquiry was triggered because there was a lack of transparency in New Zealand around what was happening with COVID-19 patient information. There was also high public interest in the topic with the leak of patient details to the media. The Inquiry helped bring some assurance to the public that the information sharing arrangements between the agencies were appropriately scrutinised by the Commissioner.

The rapidly evolving nature of the pandemic response in New Zealand meant the Inquiry needed to be completed at speed. To this end the Commissioner formally launched the Inquiry in August 2020, and released his final report in September 2020. This ensured the agencies who were subject to the Inquiry received observations and feedback that were relevant, of use, and that they could implement immediately.

The Commissioner anticipates the value of the findings and recommendations of the Inquiry will not be limited to the COVID-19 response last year; rather they will also be applicable to guide the responses of these agencies for future COVID-19 outbreaks, or indeed future pandemic responses

View more information.


C3 – Entry by: Superintendence of Industry and Commerce, Colombia [shortlisted]

Description of the initiative:

The guideline for the implementation of the principle of Accountability in international transfers of personal data contains specialized recommendations so that the cross-border circulation of data is carried out respecting the rights of the data subjects whose information is sent to other countries. This guideline is additional and complementary to the one issued by our entity in 2015 (Guide for the implementation of Accountability).

Why the initiative deserves to be recognised by an award?

The Superintendence of Industry and Commerce of Colombia has permanently worked so that the Principle of Accountability is implemented in practice (and not only on paper).

The Principle Accountability was expressly incorporated into Colombian regulation through Decree 1377 of June 27, 2013. Since then, we have issued two guidelines (the first in 2015 and the most recent in 2021). But additionally, we have issued orders and sanctions because the Controllers and Processors do not comply, among others, with the aforementioned principle. During 2020 and 2021 (as of June 5) we have incorporated this principle in 109 resolutions (administrative acts or decisions).

Additionally, in other guidelines we have referred and recommended strategies of Accountability to be implemented in relation to the Processing of Personal Data. For example, this was expressly included in the following guidelines:

  • Guide on data processing in horizontal property (pages 19-20)
  • Guide on data processing for e-commerce purposes (Pages 4-6)
  • Data processing guidelines for marketing and advertising purposes (Pages 8-10)

The 2021 guideline is one of the different works and actions that we have carried out so that the proper processing of personal data is guaranteed in practice and human rights are respected.

View more information (in English).

View more information (in Spanish).


C4 – Entry by: CNIL, France [shortlisted]

Description of the initiative:

The Developer’s Guide to GDPR provides a first approach to the main principles of GDPR and the different points of attention to consider when developing and deploying applications that respect the privacy of users. This guide has been thought as an open project from its inception. As such, it is primarily delivered on github platform, which is a popular platform for developers, as a free and copyleft License and using solely MarkDown text.

Why the initiative deserves to be recognised by an award?

This guide recognizes the central role of developers when it comes to lead project towards GDPR compliancy. By summarizing the GDPR requirements without altering its complexity, this guide offers a step-by-step guidance to the key resources needed to design applications and services that takes into consideration privacy issues. The form of its publication encourages the reader to ask or propose for clarifications or corrections as well as addressing new subjects.

At its publication, the guide successfully reaches a large audience, although the guide was released only in French. Today, the project is still by far the most popular project on the github repository of CNIL. CNIL has also officially endorsed the English and Italian version from its contributors. Other unofficial translation includes Mandarine. It also received 17 issues and 17 pull requests.

View more information.

C5 – Entry by: Information Commissioner’s Office (ICO), UK [shortlisted]

Description of the initiative:

Accountability is key to minimising data protection risk and increasing public trust.

The ICO’s Accountability Framework (the Framework) is a practical tool to support organisations to put in place appropriate, risk-based data protection measures, and to demonstrate their compliance.

It includes downloadable guidance, a self-assessment with a report, and an ‘Accountability Tracker’ to record progress.

The Framework can help to support any organisation, whether small or large, with their data protection obligations.

Why the initiative deserves to be recognised by an award?

Post GDPR, the Information Commissioner described accountability as ‘the next big stage of data protection’ and set out an ambitious plan to create the first ICO Accountability Framework to increase public trust and embed a positive culture.

Public consultation helped us to consider people’s needs, practical solutions and overcome challenges. We explored what scope, structure and level of detail would be most helpful, which were challenging areas.

There was a very positive response to our initial plans but we also adapted in response to people’s feedback. For example, people reported difficulties getting senior ‘buy in’ so the Framework clearly sets out benefits and includes reporting features.

We also hosted successful workshops with Field Fisher Law and business leaders at CIPL.

Using feedback, we transformed our extensive supervisory experience into transparent, public-facing guidance that ultimately makes people’s lives easier.

We are confident it is making a positive impact towards higher quality data protection standards. Representatives in government have told us that the Framework is ‘one of the best they have seen’ and DPO’s tell us it is invaluable.

We are committed to the continued development of the Framework, and will shortly release further updates in response to public feedback.

View more information.