Illustration of "Personal information and privacy"

In the context of UK... Data protection appeared ~84 in UK, 1995 in EU

  • Solitude (Solitariness)
  • Intimacy (Solitude of small groups)
  • Anonymity (No standing out in public)
  • Reserve (protection of the minds)

Data protection Act and privacy, GDPR

General Data Protection Regulation (EU, 2016). Private data protection:

  1. Legitimate and relevant usage/storage of private data
  2. Secure the data
  3. Require consent (contract, ...)

Define privacy / Personal data

  • race
  • sexual life, religion
  • syndicates, unions
  • health, biometrics, ...

Users' rights

  • Access, purpose, transparency
  • Update, rectification, erasure
  • Prevent processing, marketing
  • Compensation

GDPR

  • regulation of data protection (data protection impact assessments)
  • one stop shop
  • data breach notification
  • privacy by design

 Europe & US (theory)

  • US: 4th amendment
  • EU: Human rights (processing fair, legitimate, relevant, transparent)

 Privacy by design

Principles

  • proactive (before privacy breach): the structure must avoid privacy issue
  • protection by default
  • end-to-end security
  • transparency of the processes
  • user-centric (not system centric)

Privacy Impact Assessments

Data Protection Impact Assessment (Privacy Impact Assessments) is a document to identify and minimize privacy issues.

  • Describe data processing
  • Assess necessity (proportionality) of the processing, and risk
  • Assess risk
  • Conformance with law and policy

Risk

Evaluate the system with 2 factors: likelihood, consequence

  • project failure
  • loss, muses
  • function creep
  • data breach
  • privacy invasion
  • reputation

2 ways to handle a data problem:

  • prevent (proactive measure)
  • mitigate
  • acknowledge / accept (not likelihood or not enough consequences to invest money in security measures

Security issues

  • theft / unauthorised use: access control, firewalls, encryption
  • damage / destruction: backup

But people must go it (organisational measures):

  • check, reminders
  • audits, enforcement

 Practice of PIA

The CNIL produces a good document (template) of PIA on the cnil.fr