Data protection audit and data protection issues in the telecom sector PowerPoint PPT Presentation


Title: Data protection audit and data protection issues in the telecom sector


1
Data protection audit and data protection
issues in the telecom sector
  • Dr. Katalin Egri
  • Legal advisor
  • Office of the Parliamentary Commissioner for
    Data Protection and Freedom of Information
  • 7-1-2009

2
Introduction
  • Data protection audit
  • - the merits of data protection audit
  • - EuroPriSe European Privacy Seal, a special
    auditing project
  • International Working Group on Data Protection in
    Telecommunications

3
Data protection audit
  • Issues, interests of companies
  • Foreign samples, methods, practices to be
    followed, for a more effective operation
  • Purposes can be reached without infringing the
    right to data protection and other personality
    rights, while serving the interests of the
    company at the same time

4
Data protection audit
  • Data processing occurs in context with other
    legal relations, procedures
  • It occurs within a comprehensive scheme where it
    serves a specific purpose
  • The principle that data processing has to be
    completed by a specific purpose is emphasized by
    the Act LXIII of 1992 on the protection of
    personal data and public access to data of public
    interest (DPAct) and by the Constitution of the
    Republic of Hungary

5
Data protection audit
  • Data protection audit may serve as a solution for
    complying with standards of adequate data
    protection
  • Constructive approach: basis for effective data
    protection
  • Companies realised its importance in complex
    strategies, complicated business processes,
    internal rules

6
Data protection audit
  • Data protection audit is very widespread and has
    high importance in the European Union
  • Legal background: Directive 95/46/EC of the
    European Parliament and of the Council of 24
    October 1995 on the protection of individuals
    with regard to the processing of personal data
    and on the free movement of such data
  • Strict requirements, all Member States have to
    comply with it both in the public and private
    sector
  • Data protection has a value
  • Need for quality assurance and uniform standards
  • In many countries, e.g. Germany, an act
    regulates the legal framework and methods, and the
    audit is performed with the assistance of the
    authority

7
Data protection audit
  • The DPAct regulates in the scope of data security
    that the data controller shall take all technical
    and organisational measures and elaborate the
    rules of procedure necessary to enforce
    compliance with the Act and other rules
    pertaining to data protection and confidentiality
    (Art. 10.)
  • It makes it obligatory for certain data
    controllers to appoint an internal data
    protection officer with a set scope of duties
    and the development of data protection and data
    security rules (Art. 31/A).

8
Data protection audit
  • An audit may have significance when the number of
    data subjects is large and the scope of data
    processed is wide and varying.
  • Typical areas:
  • Electronic telecommunications, financial
    relations, employment, direct marketing,
    insurance; sensitive data are also processed
  • A different kind of audit is necessary in the case
    of information security, where technical
    requirements prevail

9
Data protection audit
  • Purposes of the data protection audit: complying
    with legal regulations and technical requirements
    of data security
  • Data security, information security: required by
    the DPAct, also in the interest of data subjects;
    analysing it requires special knowledge
  • Interests of the company: information security,
    protection of business secrets etc.
  • Complying with legal regulations: analysing it
    also includes the observation of purposes and
    interests
  • The aim of the audit is to give assurance that
    the data controlling complies with laws and
    ensures conformity between the effective
    operation and data protection, data security

10
Data protection audit
  • There is no uniform method for data protection
    audit
  • Guidelines may be: the Personal Data Protection
    Audit Framework of the European Committee for
    Standardization, EU Directive 95/46/EC
  • Main areas to be dealt with in general:
  • - specifying the target of audit
  • - choosing the person for performing the audit
  • - specifying the method of audit
  • - overview of areas, issues to be evaluated
  • - results
  • - follow up

11
EuroPriSe European Privacy Seal
  • The European Privacy Seal (EuroPriSe) project
    introduces a trans-European privacy seal issued
    by independent third parties certifying
    compliance of IT-products and IT-based services
    with European regulations on privacy and data
    security.
  • The European Privacy Seal project aims to
    establish a European product audit certifying
    compliance of IT-products and IT-based services
    with European regulations on privacy and data
    security after the completion of a specific
    two-step procedure: an evaluation of the product
    or service by accepted legal and IT experts and a
    crosschecking of the evaluation report by an
    accredited certification body.

12
EuroPriSe European Privacy Seal
  • EuroPriSe provides
  • - a transparent procedure and reliable criteria
    to award a European Privacy Seal.
  • - it visualizes that a product has been checked
    and approved by an independent privacy
    organisation and thus indicates a trustworthy
    product.
  • - the privacy seal at the same time fosters
    consumer protection and trust and provides a
    marketing incentive to manufacturers and vendors
    for privacy relevant goods and services.

13
EuroPriSe European Privacy Seal
  • EuroPriSe aims to establish
  • - Voluntary privacy certification valid
    throughout Europe
  • - Transparent non-bureaucratic procedure and
    reliable criteria based on a catalogue of legal
    regulations, criteria, requirements, points of
    evaluation, basic issues, authorization of data
    processing, technical and organizational measures
  • - Supervision by an independent third party
  • - Visibility of privacy compliance available for
    marketing
  • - Comparability of products by short public
    reports

14
EuroPriSe European Privacy Seal
  • The EuroPriSe consortium is led by the
    Independent Centre for Privacy Protection
    Schleswig-Holstein (ICPP/ULD), Germany. The
    partners from 8 European countries include the
    data protection authorities from Madrid, Agencia
    de Protección de Datos de la Comunidad de Madrid,
    and France, the Commission Nationale de
    l'Informatique et des Libertés (CNIL), the
    Austrian Academy of Science and London
    Metropolitan University from the UK, Borking
    Consultancy from the Netherlands, Ernst and Young
    AB from Sweden, TÜV Informationstechnik GmbH from
    Germany, and VaF s.r.o. from Slovakia.

15
EuroPriSe European Privacy Seal
  • The pilot project of EuroPriSe is financed by the
    European Commission, though it has not decided
    whether to introduce the Seal uniformly.
  • Since the EuroPriSe specifies clear and high
    criteria at European level, its wider
    introduction will need a common opinion, the
    European Data Protection Supervisor and the
    Article 29 Working Party will also deal with this
    issue.
  • Further information may be sought at the
    following link: www.european-privacy-seal.eu

16
International Working Group on Data Protection in
Telecommunications
  • The Working Group was founded in 1983 in the
    framework of the International Conference of Data
    Protection and Privacy Commissioners at the
    initiative of the Berlin Commissioner for Data
    Protection, who has since then been chairing the
    Group.
  • It has since 1983 adopted numerous
    recommendations (Common Positions and Working
    Papers) aimed at improving the protection of
    privacy in telecommunications.
  • Membership of the Group includes representatives
    from Data Protection Authorities and other bodies
    of national public administrations, international
    organisations and scientists from all over the
    world.
  • The Group meets twice a year.

17
International Working Group on Data Protection in
Telecommunications
  • The Group has in particular focused on the
    protection of privacy on the Internet since the
    1990s.
  • Latest papers of the Working Group cover the
    following issues indicating the trends and main
    interests of data protection:
  • Privacy in Social Network Services - 3./4.03.2008
  • Cybercrime (a.k.a. Budapest Convention) -
    3./4.03.2008
  • Privacy Issues in the Distribution of Digital
    Media Content and Digital Television -
    4./5.09.2007
  • E-Ticketing in Public Transport - 4./5.09.2007
  • Cross-Border Telemarketing - 12./13.04.2007
  • Trusted Computing, Associated Digital Rights
    Management Technologies, and Privacy - Some
    issues for governments and software developers -
    05./06.09.2006
  • Online Availability of Electronic Health Records -
    06./07.04.2006

18
Privacy in Social Network Services
  • A social network service focuses on the building
    and verifying of online social networks for
    communities of people who share interests and
    activities, or who are interested in exploring
    the interests and activities of others, and which
    necessitates the use of software. Most services
    are primarily web based and provide a collection
    of various ways for users to interact.
  • Risks for privacy and security: no oblivion on
    the Internet, the misleading notion of
    "community", "free of charge" may in fact not be
    "for free", traffic data collection, giving away
    more personal information, misuse of profile data
    by third parties, further increased risks of
    identity theft, use of a notoriously insecure
    infrastructure, existing unsolved security
    problems of the Internet

19
Privacy in Social Network Services
  • Recommendations to regulators, providers and
    users of social network services:
  • Introduce the option of a right to pseudonymous
    use
  • Introduction of an obligation to data breach
    notification
  • Improve integration of privacy issues into the
    educational system
  • Re-thinking the current regulatory framework with
    respect to controllership
  • Transparent and open information of users
  • Privacy-friendly default settings
  • Improve user control over use of profile data
  • Appropriate complaint handling mechanisms
  • Improve and maintain security of information
    systems
  • Offer encrypted connections for maintaining user
    profiles

20
Privacy in Social Network Services
  • Recommendations in particular to users:
  • Be careful
  • Think twice before using your real name in a
    profile
  • Respect the privacy of others
  • Be informed, e.g. who operates the service?
  • Use privacy friendly settings
  • Use different identification data
  • Use opportunities to control
  • Pay attention to the activity of your children

21
International Working Group on Data Protection in
Telecommunications
  • Berliner Beauftragter für Datenschutz und
    Informationsfreiheit
  • An der Urania 4- 10, D-10787 Berlin
  • Tel. 49 / 30 / 13889 0
  • Fax 49 / 30 / 215 5050
  • E-Mail IWGDPT_at_datenschutz-berlin.de
  • Internet http://www.berlin-privacy-group.org

22
Thank you for your attention!
  • Office of the Parliamentary Commissioner for Data
    Protection and Freedom of Information
  • www.obh.hu
  • H-1051 Budapest, Nádor u. 22
  • privacy_at_obh.hu
  • tel 4757138, fax 2693541