panelist: mr. reijo aarnio, data protection ombudsman, finland friday, november 14th 2008 12:00 –...

PANELIST:

Mr. Reijo Aarnio, Data Protection Ombudsman, Finland

Friday, november 14th 2008

12:00 – 14:30 hrs. PANEL:

OFFICE OF THE DATA PROTECTION OMBUDSMAN

Protection of personal data in the present times

1. The oath of Hippokrate

2. Great revolutions

3. World War II

4. The development of the ICT

5. Trust in the information society

The development and history of data protection. What is data protection?

OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio

data protection legislation has expanded and the rights of data subjects have improved over the past few decades. The figure describes the umbrella of data protection, although not exhaustively.

I Pillar

III Pillar

- LISBON TREATY- FRAMEWORK DECISION


HAVE FUN WITH THE BOYS ON THE TOWN, DARLING!

? ?

BASIC QUESTION”legal dispute”


The Constitution of Finland (731/1999)

Section 10 - The right to privacy

”Everyone's private life, honour and the sanctity of the home are guaranteed. More detailed provisions on the protection of personal data are laid down by an Act.

The secrecy of correspondence, telephony and other confidential communications is inviolable.

Measures encroaching on the sanctity of the home, and which are necessary for the purpose of guaranteeing basic rights and liberties or for the investigation of crime, may be laid down by an Act. In addition, provisions concerning limitations of the secrecy of communications which are necessary in the investigation of crimes that jeopardise the security of the individual or society or the sanctity of the home, at trials and security checks, as well as during the deprivation of liberty may be laid down by an Act”.OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio

right to know and to affect/impact right to organise one’s private life Automatic processing of personal data and keeping of register

CONSTITUTION/FUNDAMENTAL LAW 12 §

ACT ON THE OPENNESS OF GOVERNMENT ACTIVITIES

PRIVACY

PROTECTION OF PRIVATE LIFE

DATA PROTECTION

CRIMINAL CODE, CHAPTER 24

FREEDOM OF SPEECH

SECRECY REGULATIONS

PERSONAL DATA ACT

COMMUNI-CATION

Protection of the:

content

traffic data


self-determination

secrecy

social connections

accessibility

community

remoteness

isolation

publicity

PRIVACY


the right to control and decide how (autonomy)

the right to know who

the right to live your life without undue interference (confidentiality in all communications, regulated by law)

the right to be evaluated on the basis of correct and relevant information

the right to know what criteria automatic decision- making systems are based on

the right to trust data security = secures other rights

the right to receive assistance from independent authorities

the right to be treated in accordance with all other basic rights (democracy)

the right to have access to public documents

freedom of speech

!

What does “data protection” mean?


Why all these rights?

We need these rights so that:

WE CAN DEFEND OUR RIGHTS our human dignity is respected

our autonomy is respected

our honour is respected

we will not be discriminated against

our equality as citizens is secured.

? ! ! ! ! !

GOOD QUALITY OF LIFE


Framework for the regulation (information society)

GLOBAL ENVIRONMENT AND NATIONAL STATES

LEGISLATION/FUNCTIONS

(COMMUNICATION)

LEGISLATION/SECTORS

CODES OF CONDUCT

- OECD, - UNITED NATIONS - OTHER SUPRA- NATIONAL ORG.

EU

NATIONAL STATES

COUNCIL OF EUROPE

DIRECT AND INDIRECT IMPACTS

DATA PROT.AND PUBLICITYLEGISLATION


Resital 72:

”Whereas this Directive allows the principle of public access to official documents to be taken into account when implementing the principles set out in this Directive”

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data


”Section 18 — Good practice on information managementIn order to create and realise good practice on information management, the authorities shall see to the appropriate availability, usability, protection, integrity and other matters of quality pertaining to documents and information management systems and, for this purpose, especially:

(1.1) maintain an index of any matters submitted and taken up for consideration and any matters considered and decided, or otherwise make sure that their public documents can be easily located;

(1.2) draw up and make available specifications on their information management systems and the public information contained therein, unless granting access to such information would be contrary to the provisions in section 24 or in some other Act;

(1.3) when the introduction of information management systems or administrative or legislative reforms are being prepared, analyse the effect of the proposed reform on the publicity, secrecy and protection of documents and on the quality of the information contained therein, as well as undertake the necessary measures for the safeguarding of the rights pertaining to the information and its quality, and for the arrangement of the protection of the documents, the information management systems and the information contained therein;

Act on the Openness of Government Activities (621/1999)

”Section 18 — Good practice on information management

(1.4) plan and realise their document and information administration and the information management systems and computer systems they maintain in a manner allowing for the effortless realisation of access to the documents and for the appropriate archiving or destruction of the documents, the information management systems and the information contained therein, as well as for the appropriate safeguarding and data security arrangements for the protection,integrity and quality of the documents, the information management systems and the information contained therein, paying due attention to the significance of the information and the uses to which it is to be put, to the risks to the documents and the information management systems and to the costs incurred by the data security arrangements;

(1.5) see to it that their personnel are adequately informed of the right of access to the documents they deal with and the procedures, data security arrangements and division of tasks relating to the provision of access and the management of information, as well as to the safeguarding of information, documents and information management systems, and that compliance with the provisions, orders and guidelines issued for the realisation of good practice on informationmanagement is properly monitored.


”Section 18 — Good practice on information management

(2) More detailed provisions on the measures necessary for the realisation of the obligations provided in paragraph (1) shall be issued by Decree. However, more detailed provisions on the diaries of the courts and prosecutors shall be issued by the Ministry of Justice. Provisions may be issued by Decree on the powers of the Government to issue more detailed orders and guidelines on the technicalspecifications for data security arrangements and procedures for the safeguarding of information management systems and the information contained therein, ensuring the integrity and quality of the information and the transfer of information by way of data networks, as well as on the classification, within the State administration, of the pertinent documents, information management systems and the information contained therein.

(3) The provisions in the Archives Act (831/1994) and the provisions and orders issued on the basis of that Act apply to the duties of the archive service.



Section 16.3. — Modes of access

Access may be granted to a personal data filing system controlled by an authority in the form of a copy or a printout, or an electronic-format copy of the contents of the system, unless specifically otherwise provided in an Act, if the person requesting access has the right to record and use such data according to the legislation on the protection of personal data. However, access to personal data for purposes of direct marketing, polls or market research shall not be granted unless specifically otherwise provided or unless the data subject has consented to the same.



Resital 2:

”Whereas data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy, and contribute to economic and social progress, trade expansion and the well-being of individuals;”

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data


PERSONAL DATA ACT

Analyse Your business

5§,6§

Planning,Carefulness

5§,6§

Name the person in charge!

5§

Information9§,13§

Data security32§

Where from theinformation is

collected9§

Use only for theoriginal purpose

7§

Using externalservice providers8.1§ paragraph 7

Right to use8§,12§,13§4th Chapter

Purpose of processing

3§ paragraph 3, 6§

Administration of use5§

The other rightsof the

data subject24§,25-29§

Instruct!Guide!

5§

Notifications toauthorities

36§,37§

Informing the data subject 24§

Destroy!Put into archive!

34§

Where tothe information

is given8§, 12§, 13§4th Chapter

Description of the processing of personal data and the evaluation of lawfulness

Transferringto abroad22§,23§

PE

RS

ON

AL

DA

TA

FIL

E

Description ofthe file

10§

Keepavailable!

10§

Start


Act on Access to Public Documents

According to Bennett (2002):The main duties/roles of Data Protection Ombudsmen

1. Public counsel, ombudsman 2. Inspector 3. Consult

4. Educator

5. Political adviser

6. Negotiant

7. Executor

8. International emissaryOFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio

DirectionSupport

GuidanceFollow-up

Legal protectionInternational legal protection

Objective:Good data proces-sing practises Codes of conduct

InspectionGuidance, rectifications

EducationReports to the Data

Protection OmbudsmanInternational issues

EU co-operation- WP 29- Schengen- Europol

- Others

Development Human resources Internal communications

Public relationsFollow-upStatements

Initiatives

LEGISLATION

CITIZENS

MEDIA ETC.

STAFFMINISTRY OF

JUSTICE

INTERNATIONAL ISSUES

SYSTEMS

CONTROLLERS


Operation Environment and Duties


THE MEDIA (etc.)

Staff (Human resources)

INTERNATIONALISSUES

The interest groups related to the Office of the Data Protection Ombudsman (DPO) / Finland

WP 29

European Commission

Europol, Schengen, Eurodac, Customs (datasystems)

Safety delegate

= statutory= operational

Finnish News Agency

Press corps (juridic)

Prime Minister’s Office / public relations department

Cooperation: DPO + CONSUMER OMBUDSMAN + FINNISH COMMUNICATIONS REGULATORY AUTHORITY(Ficora) MAIN

HEADQUARTERS

SECURITYPOLICE

POLICE

Advertising agencies

Publishing house (Stellatum)

Ministry for Foreign AffairsTelecommuni-

cations Advisory Board

National Information Security Strategy

Ministry of Social Affairs and Health working group on labour issues

National Archive

Association of finnish Local and Regional Authorities

Center for Research and Development of Welfare and Health

Performance management

Executive assistance/ member states of EU/ authorities

LAW-MAKING(LEGISLATION)

MINISTRY OFJUSTICE

ESTABLISHMENTCONTROLLERS

Parliament

Other ministries (§)

Ministry of Justice

Office of the DataProtection Ombudsman (DPO)

Work groups initiated by DPO

Steering Group of Information Security in State Government

Ficora / CERT

The fields of activities (org.) Personal Data Act 42 §

TRAINING

CITIZENS

ADMINISTRATIVE COURTS

PROSECUTING AUTHORITY

SUPREME ADMIN. COURT EXPERTS,

CONSULTANTS

DATA PROTEC-TION BOARD

Information Society Council

”LUOTI” project /POSITIVE CIRCULAR EFFECT

NATIONALCOMPETITIVENESS

ENHANCING CONFIDENCE

MORE EFFECTIVE USE OF ICT-TECHNOLOGY

DEVELOPMENT OF THE INFORMATION SOCIETY

(www.luoti.fi)


”LUOTI” project /LAUNCHED IN FINLAND/ spring 2005 (www.luoti.fi)

aims to enhance the information security of multi-channel digital services and to improve the consumer’s trust in new electronic services.

part of the National Data Protection Strategy.

Goal: to identify future risks endangering data protection and information security as well as to find ways to counteract these risks.

During 2006, a guide for service developers on data security issues concerning digital services will be published.

investigates the need to develop the legislation on data protection issues in digital services

investigates the need for research and education on the subject

develops a new concept where information security and data protection is included in the digital services from the very beginning of their development phase.


Changing forces= The factors that prime us to move on to the ubiquitous computing society (combined effect)

Telecommunications trunk networks will be replaced with optical networks, which have a higher data transmission capacity Simultaneously, the basic technology of wireless local and short- range networks has been developed and their adoption has begun, or has already partly happened Various remote-sensing devices and positioning technologies already familiar to us are also part of our world today All data transmission will shift to Internet-based technology. With the adoption of the new IP address system we will no longer talk about “connecting people” but about “connecting all things and people”. Open component-based software architecture will increasingly support many important functions, such as identification, identity management, session management, positioning and information management. Perhaps even confidence (PET). XML-based languages enable the compatibility of technologies used by various application areas Small terminal devices will become more common and converge Hidden functions related to technology.OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio

UBIQUITOUS SOCIETYOur role as users of technology is rapidly changing:

readers storytellers

viewers active players

passive listeners active talkers

users developers

consumers producers

subjects participants


CONCLUSION

Data protection is a value associated with democracy. Its roots lie deep in human rights and the European values based on them.

Ubiquitous computing can, at its worst, or almost certainly, threaten these values.

we need a value debate penetrating through all of society.


DATA SUBJECT

DATA CONTROLLER

TRADITIONAL DP-MODEL

DATA PROTECTION

PERSONAL DATA FILES

LAW ENFORCEMENT AUTHORITIES

PRINCIPLES:- FINALITY- QUALITY- PROPORTIONALITY- ACCURACY


”NEW DP-MODEL”

DATA SUBJECT

LAW ENFORCEMENTAUTHORITIES

DATA CONTROLLER

FILES

DATA PROTECTION SHOULD BE INTEGRATED!- PRINCIPLES

THE COURT

LICENSE

PARLIAMENT

COMPETENCIES

* FINALITY* QUALITY* PROPORTIONALITY* ACCURACY


Friday, november 14th 2008

12:00 – 14:30 hrs. PANEL:


Protection of personal data in the present times

PANELIST:

Mr. Reijo Aarnio, Data Protection Ombudsman, Finland

THANK YOU FOR LISTENING!

panelist: mr. reijo aarnio, data protection ombudsman, finland friday, november 14th 2008 12:00 –...

Documents

data protection legislation

history of data protection

umbrella of data protection

data security

rights of data subjects

basic rights democracy

secrecy of communications

privacy everyones private