data protection audit and data protection issues in the telecom sector

Data protection audit and data protection issues in the telecom sector Dr. Katalin Egri Legal advisor Office of the Parliamentary Commissioner for Data Protection and Freedom of Information 7-1-2009

Data protection audit and data protection issues in the telecom sector

Dr. Katalin Egri
Legal advisor
Office of the Parliamentary Commissioner for Data Protection and Freedom of Information

7-1-2009

Introduction

• Data protection audit
- the merits of data protection audit
- EuroPriSe – European Privacy Seal, a special auditing project
• International Working Group on Data Protection in Telecommunications

Data protection audit

• Issues, interests of companies
• Foreign samples, methods, practices to be followed, for a more effective operation
» purposes can be reached by not infringing the right to data protection, other personality rights and by serving the interests of the company at the same time

Data protection audit

• Data processing occurs in context with other legal relations, procedures
• It occurs within a comprehensive scheme where it serves a specific purpose
» The principle that data processing has to be bound to a specific purpose is emphasized by the Act LXIII of 1992 on the protection of personal data and public access to data of public interest (DPAct) and by the Constitution of the Republic of Hungary

Data protection audit

• Data protection audit may serve as a solution for complying with standards of adequate data protection
• Constructive approach – basis for effective data protection
• Companies realised its importance in complex strategies, complicated business processes, internal rules

Data protection audit

Data protection audit is very widespread and has high importance in the European Union

• Legal background: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
• Strict requirements, all Member States have to comply with it both in the public and private sector
• Data protection has a value
• Need for quality assurance and uniform standards
• In many countries – e.g. Germany – an act regulates the legal framework, methods, and the audit is performed with the assistance of the authority

Data protection audit

• The DPAct regulates in the scope of data security that the data controller shall take all technical and organisational measures and elaborate the rules of procedure necessary to enforce compliance with the Act and other rules pertaining to data protection and confidentiality (Art. 10.)
• It makes it obligatory for certain data controllers to appoint an internal data protection officer – with a set scope of duties – and to develop data protection and data security rules (Art. 31/A).

Data protection audit

• Audit may have significance when the number of data subjects is big, the scope of data processed is wide and varying.
• Typical areas: electronic telecommunications, financial relations, employment, direct marketing, insurance – sensitive data are also processed
• A different kind of audit is necessary in case of information security – technical requirements prevail

Data protection audit

• Purposes of the data protection audit: complying with legal regulations and technical requirements of data security
• Data security, information security – required by the DPAct, also in the interest of data subjects; analysing it requires special knowledge
• Interests of the company: information security, protection of business secrets etc.
• Complying with legal regulations: analysing it also includes the observation of purposes and interests
» The aim of the audit is to give assurance that the data controlling complies with laws and ensures conformity between the effective operation and data protection, data security

Data protection audit

• There is no uniform method for data protection audit
• Guidelines may be: Personal Data Protection Audit Framework of the European Committee for Standardization, EU Directive 95/46/EC
• Main areas to be dealt with in general:
- specifying the target of audit
- choosing the person for performing the audit
- specifying the method of audit
- overview of areas, issues to be evaluated
- results
- follow up

EuroPriSe – European Privacy Seal

• The European Privacy Seal (EuroPriSe) project introduces a trans-European privacy seal issued by independent third parties certifying compliance of IT-products and IT-based services with European regulations on privacy and data security.
• The European Privacy Seal project aims to establish a European product audit certifying compliance of IT-products and IT-based services with European regulations on privacy and data security after the completion of a specific two-step procedure: an evaluation of the product or service by accepted legal and IT experts and a crosschecking of the evaluation report by an accredited certification body.

EuroPriSe – European Privacy Seal

• EuroPriSe provides:
- a transparent procedure and reliable criteria to award a European Privacy Seal.
- it visualizes that a product has been checked and approved by an independent privacy organisation and thus indicates a trustworthy product.
- the privacy seal at the same time fosters consumer protection and trust and provides a marketing incentive to manufacturers and vendors for privacy relevant goods and services.

EuroPriSe – European Privacy Seal

• EuroPriSe aims to establish
- Voluntary privacy certification valid throughout Europe
- Transparent non-bureaucratic procedure and reliable criteria – based on a catalogue of legal regulations, criteria, requirements, points of evaluation, basic issues, authorization of data processing, technical and organizational measures
- Supervision by an independent third party
- Visibility of privacy compliance available for marketing
- Comparability of products by short public reports

EuroPriSe – European Privacy Seal

• The EuroPriSe consortium is led by the Independent Centre for Privacy Protection Schleswig-Holstein (ICPP/ULD), Germany. The partners from 8 European countries include the data protection authorities from Madrid (Agencia de Protección de Datos de la Comunidad de Madrid) and France (the Commission Nationale de l’Informatique et des Libertés, CNIL), the Austrian Academy of Science, London Metropolitan University from the UK, Borking Consultancy from the Netherlands, Ernst and Young AB from Sweden, TÜV Informationstechnik GmbH from Germany, and VaF s.r.o. from Slovakia.

EuroPriSe – European Privacy Seal

• The pilot project of EuroPriSe is financed by the European Commission, though it has not decided whether to introduce the Seal uniformly.

• Since the EuroPriSe specifies clear and high criteria at European level, its wider introduction will need a common opinion; the European Data Protection Supervisor and the Article 29 Working Party will also deal with this issue.

• Further information may be sought at the following link: www.european-privacy-seal.eu

International Working Group on Data Protection in Telecommunications

• The Working Group was founded in 1983 in the framework of the International Conference of Data Protection and Privacy Commissioners at the initiative of the Berlin Commissioner for Data Protection, who has since then been chairing the Group.

• It has since 1983 adopted numerous recommendations (“Common Positions” and “Working Papers”) aimed at improving the protection of privacy in telecommunications.

• Membership of the Group includes representatives from Data Protection Authorities and other bodies of national public administrations, international organisations and scientists from all over the world.

• The Group meets twice a year.

International Working Group on Data Protection in Telecommunications

• The Group has in particular focused on the protection of privacy on the Internet since the 1990s.

• Latest papers of the Working Group cover the following issues indicating the trends and main interests of data protection:
- Privacy in Social Network Services - 3./4.03.2008
- Cybercrime (a.k.a. “Budapest Convention”) - 3./4.03.2008
- Privacy Issues in the Distribution of Digital Media Content and Digital Television - 4./5.09.2007
- E-Ticketing in Public Transport - 4./5.09.2007
- Cross-Border Telemarketing - 12./13.04.2007
- Trusted Computing, Associated Digital Rights Management Technologies, and Privacy - Some issues for governments and software developers - 05./06.09.2006
- Online Availability of Electronic Health Records - 06./07.04.2006

Privacy in Social Network Services

• A social network service focuses on the building and verifying of online social networks for communities of people who share interests and activities, or who are interested in exploring the interests and activities of others, and which necessitates the use of software. Most services are primarily web based and provide a collection of various ways for users to interact.
• Risks for privacy and security: no oblivion on the Internet, the misleading notion of “community”, “Free of charge” may in fact not be “for free”, traffic data collection, giving away more personal information, misuse of profile data by third parties, further increased risks of identity theft, use of a notoriously insecure infrastructure, existing unsolved security problems of the Internet

Privacy in Social Network Services

Recommendations to regulators, providers and users of social network services:
• Introduce the option of a right to pseudonymous use
• Introduction of an obligation to data breach notification
• Improve integration of privacy issues into the educational system
• Re-thinking the current regulatory framework with respect to controllership
• Transparent and open information of users
• Privacy-friendly default settings
• Improve user control over use of profile data
• Appropriate complaint handling mechanisms
• Improve and maintain security of information systems
• Offer encrypted connections for maintaining user profiles

Privacy in Social Network Services

Recommendations in particular to users:
• Be careful
• Think twice before using your real name in a profile
• Respect the privacy of others
• Be informed: e.g. Who operates the service?
• Use privacy friendly settings
• Use different identification data
• Use opportunities to control
• Pay attention to the activity of your children

International Working Group on Data Protection in Telecommunications

Berliner Beauftragter für Datenschutz und Informationsfreiheit

An der Urania 4-10, D-10787 Berlin
Tel.: +49 / 30 / 13889 0
Fax: +49 / 30 / 215 5050
E-Mail: [email protected]
http://www.berlin-privacy-group.org

Thank you for your attention!

Office of the Parliamentary Commissioner for Data Protection and Freedom of Information

www.obh.hu

H-1051 Budapest Nádor u. 22

[email protected]

tel: 4757138
fax: 2693541