Slide 1

Data protection audit and data protection issues in the telecom sector Dr. Katalin Egri Legal advisor Office of the Parliamentary Commissioner for Data Protection and Freedom of Information 7-1-2009

Slide 2

Introduction Data protection audit - the merits of data protection audit - EuroPriSe European Privacy Seal a special auditing project International Working Group on Data Protection in Telecommunications

Slide 3

Data protection audit Issues, interests of companies Foreign samples, methods, practices to be followed, for a more effective operation purposes can me reached by not infringing the right to data protection, other personality rights and by serving the interests of the company at the same time

Slide 4

Data protection audit Data processing occurs in context with other legal relations, procedures It occurs within a comprehensive scheme where it serves a specific purpose The principle that data processing has to be completed by a specific purpose is emphasized by the Act LXIII of 1992 on the protection of personal data and public access to data of public interest (DPAct) and by the Constitution of the Republic of Hungary

Slide 5

Data protection audit Data protection audit may serve as a solution for complying with standards of adequate data protection Constructive approach basis for effective data protection Companies realised its importance in complex strategies, complicated business processes, internal rules

Slide 6

Data protection audit Data protection audit is very widespread and has high importance in the European Union Legal background: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Strict requirements, all Member States have to comply with it both in the public and private sector Data protection has a value Need for quality assurance and uniform standards In many countries e.g. Germany an act regulates the legal framework, methods, and the audit is performed with the assistance of the authority

Slide 7

Data protection audit The DPAct regulates in the scope of data security that the data controller shall take all technical and organisational measures and elaborate the rules of procedure necessary to enforce compliance with the Act and other rules pertaining to data protection and confidentiality (Art. 10.) It makes it obligatory for certain data controllers to appoint an internal data protection officer with a set scope of duties and the development of data protection and data security rules ( Art. 31/A).

Slide 8

Data protection audit Audit may have significance when the number of data subjects is big, the scope of data processed is wide and varying. Typical areas: Electronic telecommunications, financial relations, employment, direct marketing, insurance sensitive data are also processed Different kind of audit is necessary in case of information security technical requirements prevail

Slide 9

Data protection audit Purposes of the data protection audit: complying with legal regulations and technical requirements of data security Data security, information security required by the DPAct, interest of data subjects also, its analysing requires special knowledge Interests of the company: information security, protection of business secrets etc. Complying with legal regulations: its analysing includes the observation of purposes, interests also T he aim of the audit is to give assurance that the data controlling complies with laws and ensures conformity between the effective operation and data protection, data security

Slide 10

Data protection audit There is no uniform method for data protection audit Guidelines may be: Personal Data Protection Audit Framework of the European Committee for Standardization, EU Directive 95/46/EC Main areas to be dealt with in general: - specifying the target of audit - choosing the person for performing the audit - specifying the method of audit - overview of areas, issues to be evaluated - results - follow up

Slide 11

EuroPriSe European Privacy Seal The European Privacy Seal (EuroPriSe) project introduces a trans-European privacy seal issued by independent third parties certifying compliance of IT-products and IT- based services with European regulations on privacy and data security. The European Privacy Seal project aims to establish a European product audit certifying compliance of IT-products and IT-based services with European regulations on privacy and data security after the completion of a specific two-step procedure: an evaluation of the product or service by accepted legal and IT experts and a crosschecking of the evaluation report by an accredited certification body.

Slide 12

EuroPriSe European Privacy Seal EuroPriSe provides: - a transparent procedure and reliable criteria to award a European Privacy Seal. - it visualizes that a product has been checked and approved by an independent privacy organisation and thus indicates a trustworthy product. - the privacy seal at the same time fosters consumer protection and trust and provides a marketing incentive to manufacturers and vendors for privacy relevant goods and services.

Slide 13

EuroPriSe European Privacy Seal EuroPriSe aims to establish - Voluntary privacy certification valid throughout Europe - Transparent non-bureaucratic procedure and reliable criteria based on a cataloge of legal regulations, criteria, requirements, points of evaluation, basic issues, authorization of data processing, technical and organizational measures - Supervision by an independent third party - Visibility of privacy compliance available for marketing - Comparability of products by short public reports

Slide 14

EuroPriSe European Privacy Seal The EuroPriSe consortium is lead by the Independent Centre for Privacy Protection Schleswig-Holstein (ICPP/ULD), Germany. The partners from 8 European countries include the data protection authorities from Madrid, Agencia de Proteccin de Datos de la Communidad de Madrid and France, the Commission Nationale de lInformatique et de Liberts (CNIL), the Austrian Academy of Science and London Metropolitan University from the UK, Borking Consultancy from the Netherlands, Ernst and Young AB from Sweden, TV Informationstechnik GmbH from Germany, and VaF s.r.o. from Slovakia.

Slide 15

EuroPriSe European Privacy Seal The pilot project of EuroPriSe is financed by the European Commission, though it has not decided whether to introduce the Seal uniformly. Since the EuroPriSe specifies clear and high criteria at European level, its wider introduction will need a common opinion, the European Data Protection Supervisor and the Article 29 Working Party will also deal with this issue. Further information may be sought at the following link: www.european-privacy-seal.eu

Slide 16

International Working Group on Data Protection in Telecommunications The Working Group was founded in 1983 in the framework of the International Conference of Data Protection and Privacy Commissioners at the initiative of the Berlin Commissioner for Data Protection, who has since then been chairing the Group. It has since 1983 adopted numerous recommendations (Common Positions and Working Papers) aimed at improving the protection of privacy in telecommunications. Membership of the Group includes representatives from Data Protection Authorities and other bodies of national public administrations, international organisations and scientists from all over the world. The Group has meetings twice in every year.

Slide 17

International Working Group on Data Protection in Telecommunications The Group has in particular focused on the protection of privacy on the Internet since the 1990s. Latest papers of the Working Group cover the following issues indicating the trends and main interests of data protection: -Privacy in Social Network Services - 3./4.03.2008 -Cybercrime (a.k.a. Budapest Convention) - 3./4.03.2008 -Privacy Issues in the Distribution of Digital Media Content and Digital Television - 4./5.09.2007 -E-Ticketing in Public Transport - 4./5.09.2007 -Cross-Border Telemarketing - 12./13.04.2007 -Trusted Computing, Associated Digital Rights Management Technologies, and Privacy - Some issues for governments and software developers - 05./06.09.2006 -Online Availability of Electronic Health Records 06./07.04.2006

Slide 18

Privacy in Social Network Services A social network service focuses on the building and verifying of online social networks for communities of people who share interests and activities, or who are interested in exploring the interests and activities of others, and which necessitates the use of software. Most services are primarily web based and provide a collection of various ways for users to interact. Risks for privacy and security: no oblivion on the Internet, the misleading notion of community, Free of charge may in fact not be for free, traffic data collection, giving away more personal information, misuse of profile data by third parties, further increased risks of identity theft, use of a notoriously insecure infrastructure, existing unsolved security problems of Internet

Slide 19

Privacy in Social Network Services Recommendations to regulators, providers and users of social network services: Introduce the option of a right to pseudonymous use Introduction of an obligation to data breach notification Improve integration of privacy issues into the educational system Re-thinking the current regulatory framework with respect to controllership Transparent and open information of users Privacy-friendly default settings Improve user control over use of profile data Appropriate complaint handling mechanisms Improve and maintain security of information systems Offer encrypted connections for maintaining user profiles

Slide 20

Privacy in Social Network Services Recommendations in particular to users : Be careful Think twice before using your real name in a profile Respect the privacy of others Be informed: e.g. Who operates the service? Use privacy friendly settings Use different identification data Use opportunities to control Pay attention to the activity of your children

Slide 21

International Working Group on Data Protection in Telecommunications Berliner Beauftragter fr Datenschutz und Informationsfreiheit An der Urania 4- 10, D-10787 Berlin Tel.: +49 / 30 / 13889 0 Fax: +49 / 30 / 215 5050 E-Mail: IWGDPT@datenschutz-berlin.de Internet: http://www.berlin-privacy-group.orghttp://www.berlin-privacy-group.org

Slide 22

Thank you for your attention! Office of the Parliamentary Commissioner for Data Protection and Freedom of Information www.obh.hu H-1051 Budapest Ndor u. 22 privacy@obh.hu tel: 4757138 fax: 2693541 privacy@obh.hu