Data protection audit

Data protection audit and
data protection issues in the
telecom sector
Dr. Katalin Egri
Legal advisor
Office of the Parliamentary Commissioner for
Data Protection and Freedom of Information
• Data protection audit
- the merits of data protection audit
- EuroPriSe – European Privacy Seal
a special auditing project
• International Working Group on Data
Protection in Telecommunications
Data protection audit
• Issues, interests of companies
• Foreign samples, methods, practices to be
followed, for a more effective operation
» purposes can be reached without infringing
the right to data protection or other personality
rights, while serving the interests of the
company at the same time
Data protection audit
• Data processing occurs in context with other
legal relations, procedures
• It occurs within a comprehensive scheme
where it serves a specific purpose
» The principle that data processing has to be
tied to a specific purpose is
emphasized by the Act LXIII of 1992 on the
protection of personal data and public
access to data of public interest (DPAct) and
by the Constitution of the Republic of
Data protection audit
• Data protection audit may serve as a
solution for complying with standards
of adequate data protection
• Constructive approach – basis for
effective data protection
• Companies have realised its importance for
business processes and internal rules
Data protection audit
Data protection audit is very widespread and has high
importance in the European Union
• Legal background: Directive 95/46/EC of the
European Parliament and of the Council of 24
October 1995 on the protection of individuals with
regard to the processing of personal data and on the
free movement of such data
• Strict requirements, all Member States have to
comply with it both in the public and private sector
• Data protection has a value
• Need for quality assurance and uniform standards
• In many countries – e.g. Germany – an act regulates
the legal framework, methods, and the audit is
performed with the assistance of the authority
Data protection audit
• The DPAct regulates in the scope of data
security that the data controller shall take all
technical and organisational measures and
elaborate the rules of procedure necessary
to enforce compliance with the Act and other
rules pertaining to data protection and
confidentiality (Art. 10.)
• It makes it obligatory for certain data
controllers to appoint an internal data
protection officer – with a set scope of duties
– and the development of data protection and
data security rules (Art. 31/A).
Data protection audit
• Audit is particularly significant when the
number of data subjects is large and the scope of
data processed is wide and varied.
• Typical areas:
Electronic telecommunications, financial
relations, employment, direct marketing,
insurance – sensitive data are also
• A different kind of audit is necessary in case of
requirements prevail
Data protection audit
• Purposes of the data protection audit: complying
with legal regulations and technical requirements of
data security
• Data security, information security – required by the
DPAct and in the interest of data subjects; analysing it
requires special knowledge
• Interests of the company: information security,
protection of business secrets etc.
• Complying with legal regulations: analysing it also
includes examining the purposes and interests involved
» The aim of the audit is to give assurance that data
processing complies with the law and to ensure
conformity between effective operation and data
protection and data security
Data protection audit
• There is no uniform method for data protection audit
• Guidelines may be: Personal Data Protection Audit
Framework of the European Committee for
Standardization, EU Directive 95/46/EC
• Main areas to be dealt with in general:
- specifying the target of audit
- choosing the person for performing the audit
- specifying the method of audit
- overview of areas, issues to be evaluated
- results
- follow up
EuroPriSe – European Privacy Seal
• The European Privacy Seal (EuroPriSe)
project introduces a trans-European privacy
seal issued by independent third parties
certifying compliance of IT-products and IT-based services with European regulations on
privacy and data security.
• The European Privacy Seal project aims to
establish a European product audit certifying
compliance of IT-products and IT-based
services with European regulations on
privacy and data security after the
completion of a specific two-step procedure:
an evaluation of the product or service by
accepted legal and IT experts and a
crosschecking of the evaluation report by an
accredited certification body.
EuroPriSe – European Privacy Seal
• EuroPriSe provides:
- a transparent procedure and reliable criteria
to award a European Privacy Seal.
- it makes visible that a product has been
checked and approved by an independent
privacy organisation and thus indicates a
trustworthy product.
- the privacy seal at the same time fosters
consumer protection and trust and provides
a marketing incentive to manufacturers and
vendors for privacy relevant goods and
EuroPriSe – European Privacy Seal
• EuroPriSe aims to establish
- Voluntary privacy certification valid throughout
- Transparent non-bureaucratic procedure and
reliable criteria – based on a catalogue of legal
regulations, criteria, requirements, points of
evaluation, basic issues, authorization of data
processing, technical and organizational measures
- Supervision by an independent third party
- Visibility of privacy compliance available for
- Comparability of products by short public reports
EuroPriSe – European Privacy Seal
• The EuroPriSe consortium is led by the
Schleswig-Holstein (ICPP/ULD), Germany. The
partners from 8 European countries include the data
protection authorities from Madrid, Agencia de
Protección de Datos de la Comunidad de Madrid
and France, the Commission Nationale de
l’Informatique et des Libertés (CNIL), the Austrian
Academy of Science and London Metropolitan
University from the UK, Borking Consultancy from
the Netherlands, Ernst and Young AB from Sweden,
TÜV Informationstechnik GmbH from Germany, and
VaF s.r.o. from Slovakia.
EuroPriSe – European Privacy Seal
• The pilot project of EuroPriSe is financed by the
European Commission, though it has not decided
whether to introduce the Seal uniformly.
• Since EuroPriSe specifies clear and high criteria
at European level, its wider introduction will need a
common opinion; the European Data Protection
Supervisor and the Article 29 Working Party will also
deal with this issue.
• Further information may be sought at the following
International Working Group on Data
Protection in Telecommunications
• The Working Group was founded in 1983 in the
framework of the International Conference of Data
Protection and Privacy Commissioners at the
initiative of the Berlin Commissioner for Data
Protection, who has since then been chairing the
• It
“Working Papers”) aimed at improving the
protection of privacy in telecommunications.
• Membership of the Group includes representatives
from Data Protection Authorities and other bodies of
organisations and scientists from all over the world.
• The Group meets twice a year.
International Working Group on Data Protection in
• The Group has in particular focused on the protection
of privacy on the Internet since the 1990s.
• Latest papers of the Working Group cover the following
issues indicating the trends and main interests of data
- Privacy in Social Network Services - 3./4.03.2008
- Cybercrime (a.k.a. “Budapest Convention”) 3./4.03.2008
- Privacy Issues in the Distribution of Digital Media
Content and Digital Television - 4./5.09.2007
- E-Ticketing in Public Transport - 4./5.09.2007
- Cross-Border Telemarketing - 12./13.04.2007
- Trusted Computing, Associated Digital Rights
Management Technologies, and Privacy - Some
issues for governments and software developers - 05./06.09.2006
- Online Availability of Electronic Health Records
Privacy in Social Network Services
• A social network service focuses on building and
verifying online social networks for communities of
people who share interests and activities, or who are
interested in exploring the interests and activities of
others, and it necessitates the use of software. Most
services are primarily web based and provide a collection
of various ways for users to interact.
• Risks for privacy and security: no oblivion on the
Internet, the misleading notion of “community”, “Free of
charge” may in fact not be “for free”, traffic data
collection, giving away more personal information,
misuse of profile data by third parties, further increased
risks of identity theft, use of a notoriously insecure
infrastructure, existing unsolved security problems of
Privacy in Social Network Services
Recommendations to regulators, providers and users of
social network services:
• Introduce the option of a right to pseudonymous use
• Introduction of an obligation to data breach notification
• Improve integration of privacy issues into the
educational system
• Re-thinking the current regulatory framework with
respect to controllership
• Transparent and open information of users
• Privacy-friendly default settings
• Improve user control over use of profile data
• Appropriate complaint handling mechanisms
• Improve and maintain security of information systems
• Offer encrypted connections for maintaining user
Privacy in Social Network Services
Recommendations in particular to users:
• Be careful
• Think twice before using your real name in a
• Respect the privacy of others
• Be informed: e.g. Who operates the service?
• Use privacy friendly settings
• Use different identification data
• Use opportunities to control
• Pay attention to the activity of your children
International Working Group on Data
Protection in Telecommunications
