panelist: mr. reijo aarnio, data protection ombudsman, finland friday, november 14th 2008 12:00 –...
TRANSCRIPT
PANELIST:
Mr. Reijo Aarnio, Data Protection Ombudsman, Finland
Friday, november 14th 2008
12:00 – 14:30 hrs. PANEL:
OFFICE OF THE DATA PROTECTION OMBUDSMAN
Protection of personal data in the present times
1. The oath of Hippokrate
2. Great revolutions
3. World War II
4. The development of the ICT
5. Trust in the information society
The development and history of data protection. What is data protection?
OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio
data protection legislation has expanded and the rights of data subjects have improved over the past few decades. The figure describes the umbrella of data protection, although not exhaustively.
I Pillar
III Pillar
- LISBON TREATY- FRAMEWORK DECISION
OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio
HAVE FUN WITH THE BOYS ON THE TOWN, DARLING!
? ?
BASIC QUESTION”legal dispute”
OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio
The Constitution of Finland (731/1999)
Section 10 - The right to privacy
”Everyone's private life, honour and the sanctity of the home are guaranteed. More detailed provisions on the protection of personal data are laid down by an Act.
The secrecy of correspondence, telephony and other confidential communications is inviolable.
Measures encroaching on the sanctity of the home, and which are necessary for the purpose of guaranteeing basic rights and liberties or for the investigation of crime, may be laid down by an Act. In addition, provisions concerning limitations of the secrecy of communications which are necessary in the investigation of crimes that jeopardise the security of the individual or society or the sanctity of the home, at trials and security checks, as well as during the deprivation of liberty may be laid down by an Act”.OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio
right to know and to affect/impact right to organise one’s private life Automatic processing of personal data and keeping of register
CONSTITUTION/FUNDAMENTAL LAW 12 §
ACT ON THE OPENNESS OF GOVERNMENT ACTIVITIES
PRIVACY
PROTECTION OF PRIVATE LIFE
DATA PROTECTION
CRIMINAL CODE, CHAPTER 24
FREEDOM OF SPEECH
SECRECY REGULATIONS
PERSONAL DATA ACT
COMMUNI-CATION
Protection of the:
content
traffic data
OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio
self-determination
secrecy
social connections
accessibility
community
remoteness
isolation
publicity
PRIVACY
OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio
the right to control and decide how (autonomy)
the right to know who
the right to live your life without undue interference (confidentiality in all communications, regulated by law)
the right to be evaluated on the basis of correct and relevant information
the right to know what criteria automatic decision- making systems are based on
the right to trust data security = secures other rights
the right to receive assistance from independent authorities
the right to be treated in accordance with all other basic rights (democracy)
the right to have access to public documents
freedom of speech
!
What does “data protection” mean?
OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio
Why all these rights?
We need these rights so that:
WE CAN DEFEND OUR RIGHTS our human dignity is respected
our autonomy is respected
our honour is respected
we will not be discriminated against
our equality as citizens is secured.
? ! ! ! ! !
GOOD QUALITY OF LIFE
OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio
Framework for the regulation (information society)
GLOBAL ENVIRONMENT AND NATIONAL STATES
LEGISLATION/FUNCTIONS
(COMMUNICATION)
LEGISLATION/SECTORS
CODES OF CONDUCT
- OECD, - UNITED NATIONS - OTHER SUPRA- NATIONAL ORG.
EU
NATIONAL STATES
COUNCIL OF EUROPE
DIRECT AND INDIRECT IMPACTS
DATA PROT.AND PUBLICITYLEGISLATION
OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio
Resital 72:
”Whereas this Directive allows the principle of public access to official documents to be taken into account when implementing the principles set out in this Directive”
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio
”Section 18 — Good practice on information managementIn order to create and realise good practice on information management, the authorities shall see to the appropriate availability, usability, protection, integrity and other matters of quality pertaining to documents and information management systems and, for this purpose, especially:
(1.1) maintain an index of any matters submitted and taken up for consideration and any matters considered and decided, or otherwise make sure that their public documents can be easily located;
(1.2) draw up and make available specifications on their information management systems and the public information contained therein, unless granting access to such information would be contrary to the provisions in section 24 or in some other Act;
(1.3) when the introduction of information management systems or administrative or legislative reforms are being prepared, analyse the effect of the proposed reform on the publicity, secrecy and protection of documents and on the quality of the information contained therein, as well as undertake the necessary measures for the safeguarding of the rights pertaining to the information and its quality, and for the arrangement of the protection of the documents, the information management systems and the information contained therein;
Act on the Openness of Government Activities (621/1999)
”Section 18 — Good practice on information management
(1.4) plan and realise their document and information administration and the information management systems and computer systems they maintain in a manner allowing for the effortless realisation of access to the documents and for the appropriate archiving or destruction of the documents, the information management systems and the information contained therein, as well as for the appropriate safeguarding and data security arrangements for the protection,integrity and quality of the documents, the information management systems and the information contained therein, paying due attention to the significance of the information and the uses to which it is to be put, to the risks to the documents and the information management systems and to the costs incurred by the data security arrangements;
(1.5) see to it that their personnel are adequately informed of the right of access to the documents they deal with and the procedures, data security arrangements and division of tasks relating to the provision of access and the management of information, as well as to the safeguarding of information, documents and information management systems, and that compliance with the provisions, orders and guidelines issued for the realisation of good practice on informationmanagement is properly monitored.
Act on the Openness of Government Activities (621/1999)
”Section 18 — Good practice on information management
(2) More detailed provisions on the measures necessary for the realisation of the obligations provided in paragraph (1) shall be issued by Decree. However, more detailed provisions on the diaries of the courts and prosecutors shall be issued by the Ministry of Justice. Provisions may be issued by Decree on the powers of the Government to issue more detailed orders and guidelines on the technicalspecifications for data security arrangements and procedures for the safeguarding of information management systems and the information contained therein, ensuring the integrity and quality of the information and the transfer of information by way of data networks, as well as on the classification, within the State administration, of the pertinent documents, information management systems and the information contained therein.
(3) The provisions in the Archives Act (831/1994) and the provisions and orders issued on the basis of that Act apply to the duties of the archive service.
OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio
Act on the Openness of Government Activities (621/1999)
Section 16.3. — Modes of access
Access may be granted to a personal data filing system controlled by an authority in the form of a copy or a printout, or an electronic-format copy of the contents of the system, unless specifically otherwise provided in an Act, if the person requesting access has the right to record and use such data according to the legislation on the protection of personal data. However, access to personal data for purposes of direct marketing, polls or market research shall not be granted unless specifically otherwise provided or unless the data subject has consented to the same.
OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio
Act on the Openness of Government Activities (621/1999)
Resital 2:
”Whereas data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy, and contribute to economic and social progress, trade expansion and the well-being of individuals;”
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio
PERSONAL DATA ACT
Analyse Your business
5§,6§
Planning,Carefulness
5§,6§
Name the person in charge!
5§
Information9§,13§
Data security32§
Where from theinformation is
collected9§
Use only for theoriginal purpose
7§
Using externalservice providers8.1§ paragraph 7
Right to use8§,12§,13§4th Chapter
Purpose of processing
3§ paragraph 3, 6§
Administration of use5§
The other rightsof the
data subject24§,25-29§
Instruct!Guide!
5§
Notifications toauthorities
36§,37§
Informing the data subject 24§
Destroy!Put into archive!
34§
Where tothe information
is given8§, 12§, 13§4th Chapter
Description of the processing of personal data and the evaluation of lawfulness
Transferringto abroad22§,23§
PE
RS
ON
AL
DA
TA
FIL
E
Description ofthe file
10§
Keepavailable!
10§
Start
OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio
Act on Access to Public Documents
According to Bennett (2002):The main duties/roles of Data Protection Ombudsmen
1. Public counsel, ombudsman 2. Inspector 3. Consult
4. Educator
5. Political adviser
6. Negotiant
7. Executor
8. International emissaryOFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio
DirectionSupport
GuidanceFollow-up
Legal protectionInternational legal protection
Objective:Good data proces-sing practises Codes of conduct
InspectionGuidance, rectifications
EducationReports to the Data
Protection OmbudsmanInternational issues
EU co-operation- WP 29- Schengen- Europol
- Others
Development Human resources Internal communi- cations
Public relationsFollow-upStatements
Initiatives
LEGISLATION
CITIZENS
MEDIA ETC.
STAFFMINISTRY OF
JUSTICE
INTERNATIONAL ISSUES
SYSTEMS
CONTROLLERS
OFFICE OF THE DATA PROTECTION OMBUDSMAN
Operation Environment and Duties
OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio
THE MEDIA (etc.)
Staff (Human resources)
INTERNATIONALISSUES
The interest groups related to the Office of the Data Protection Ombudsman (DPO) / Finland
WP 29
European Commission
Europol, Schengen, Eurodac, Customs (datasystems)
Safety delegate
= statutory= operational
Finnish News Agency
Press corps (juridic)
Prime Minister’s Office / public relations department
Cooperation: DPO + CONSUMER OMBUDSMAN + FINNISH COMMUNICATIONS REGULATORY AUTHORITY(Ficora) MAIN
HEADQUARTERS
SECURITYPOLICE
POLICE
Advertising agencies
Publishing house (Stellatum)
Ministry for Foreign AffairsTelecommuni-
cations Advisory Board
National Information Security Strategy
Ministry of Social Affairs and Health working group on labour issues
National Archive
Association of finnish Local and Regional Authorities
Center for Research and Development of Welfare and Health
Performance management
Executive assistance/ member states of EU/ authorities
LAW-MAKING(LEGISLATION)
MINISTRY OFJUSTICE
ESTABLISHMENTCONTROLLERS
Parliament
Other ministries (§)
Ministry of Justice
Office of the DataProtection Ombudsman (DPO)
Work groups initiated by DPO
Steering Group of Information Security in State Government
Ficora / CERT
The fields of activities (org.) Personal Data Act 42 §
TRAINING
CITIZENS
ADMINISTRATIVE COURTS
PROSECUTING AUTHORITY
SUPREME ADMIN. COURT EXPERTS,
CONSULTANTS
DATA PROTEC-TION BOARD
Information Society Council
”LUOTI” project /POSITIVE CIRCULAR EFFECT
NATIONALCOMPETITIVENESS
ENHANCING CONFIDENCE
MORE EFFECTIVE USE OF ICT-TECHNOLOGY
DEVELOPMENT OF THE INFORMATION SOCIETY
(www.luoti.fi)
OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio
”LUOTI” project /LAUNCHED IN FINLAND/ spring 2005 (www.luoti.fi)
aims to enhance the information security of multi-channel digital services and to improve the consumer’s trust in new electronic services.
part of the National Data Protection Strategy.
Goal: to identify future risks endangering data protection and information security as well as to find ways to counteract these risks.
During 2006, a guide for service developers on data security issues concerning digital services will be published.
investigates the need to develop the legislation on data protection issues in digital services
investigates the need for research and education on the subject
develops a new concept where information security and data protection is included in the digital services from the very beginning of their development phase.
OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio
Changing forces= The factors that prime us to move on to the ubiquitous computing society (combined effect)
Telecommunications trunk networks will be replaced with optical networks, which have a higher data transmission capacity Simultaneously, the basic technology of wireless local and short- range networks has been developed and their adoption has begun, or has already partly happened Various remote-sensing devices and positioning technologies already familiar to us are also part of our world today All data transmission will shift to Internet-based technology. With the adoption of the new IP address system we will no longer talk about “connecting people” but about “connecting all things and people”. Open component-based software architecture will increasingly support many important functions, such as identification, identity management, session management, positioning and information management. Perhaps even confidence (PET). XML-based languages enable the compatibility of technologies used by various application areas Small terminal devices will become more common and converge Hidden functions related to technology.OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio
UBIQUITOUS SOCIETYOur role as users of technology is rapidly changing:
readers storytellers
viewers active players
passive listeners active talkers
users developers
consumers producers
subjects participants
OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio
CONCLUSION
Data protection is a value associated with democracy. Its roots lie deep in human rights and the European values based on them.
Ubiquitous computing can, at its worst, or almost certainly, threaten these values.
we need a value debate penetrating through all of society.
OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio
DATA SUBJECT
DATA CONTROLLER
TRADITIONAL DP-MODEL
DATA PROTECTION
PERSONAL DATA FILES
LAW ENFORCEMENT AUTHORITIES
PRINCIPLES:- FINALITY- QUALITY- PROPORTIONALITY- ACCURACY
OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio
”NEW DP-MODEL”
DATA SUBJECT
LAW ENFORCEMENTAUTHORITIES
DATA CONTROLLER
FILES
DATA PROTECTION SHOULD BE INTEGRATED!- PRINCIPLES
THE COURT
LICENSE
PARLIAMENT
COMPETENCIES
* FINALITY* QUALITY* PROPORTIONALITY* ACCURACY
OFFICE OF THE DATA PROTECTION OMBUDSMAN/Finland/R. Aarnio
Friday, november 14th 2008
12:00 – 14:30 hrs. PANEL:
OFFICE OF THE DATA PROTECTION OMBUDSMAN
Protection of personal data in the present times
PANELIST:
Mr. Reijo Aarnio, Data Protection Ombudsman, Finland
THANK YOU FOR LISTENING!