The GDPR and Upcoming mhealth Code of Conduct. Dr Etain Quigley Postdoctoral Research Fellow (ARCH, UCD)
2 EU General Data Protection Regulation (May 2018)
- First major reform in 20 years
- Applies from 25 May 2018, with no grace period after that date
- Changes the data protection landscape; companies need to be aware of their new obligations under the Regulation
- The current law (Directive 95/46/EC) will be repealed
3 Today's Discussion
- Researchers and ethicists have always been concerned with this area; it is particularly important in the technical age
- The GDPR is an 88-page document; today is a taster, not exhaustive
- Helicopter overview of the GDPR and a more detailed discussion of the mHealth Code of Conduct
4 Key Definitions
- Data controller: natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data
- Personal data: information relating to an identified or identifiable natural person (the data subject)
- Data processor: natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
5 General Data Protection Regulation: Key Changes
1. Accountability
2. Consent
3. Data portability
4. Data processing contracts
5. Mandatory breach notification
6. Data protection impact assessment
7. Mandatory appointment of data protection officers
8. Right to compensation and liability
9. Financial penalties
6 Accountability
- Will require evidence of compliance: a protocol that documents the compliance journey
- E.g. how will you deal with a breach? How will you handle a user's request for information?
- Accountability = an evidential trail of compliance; it is no longer enough to be compliant, you must now be able to show compliance
7 Consent
- Implicit consent is no longer satisfactory
- Consent must now be a clear affirmative act, e.g. a signature or ticking an unticked box; a notice saying "if you continue using the service you consent" does not qualify, because inactivity is not consent
- Opt-out is no longer an option
- Withdrawing consent must be as easy as giving it; the means of withdrawal cannot be hidden among other text
- Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of that consent before withdrawal
8 Data Portability
- New right. Aim: let the subject move swiftly from one service provider to another, e.g. from Spotify to iTunes
- Must inform the subject of this right
- Access via a dashboard where they select which data they wish to move?
- The cost cannot be passed on to the subject
9 Data Processing
- When processing data on behalf of a controller, a contract must be in place
- A generic contract is no longer sufficient; it must be specific to the relationship, e.g.:
  - process only in accordance with the data controller's instructions
  - outline the security measures
  - outline what will happen to the data at the end of processing
- A more detailed and specific contract is now required
10 Mandatory Reporting of Breaches
- The current position (no legal obligation to report) will cease
- A breach that presents a risk to individuals must be reported to the supervisory authority; where the risk is high, the affected individuals must also be told (neither "risk" nor "high risk" has been defined and both will likely be tested at some point)
- The large majority of data breaches will require reporting
- No minimum threshold: theoretically a breach affecting one person may require reporting (currently a breach affecting fewer than 100 individuals need only be recorded internally and need not be reported)
- Health data is sensitive personal data, so a breach involving it requires reporting
- The data controller is responsible for reporting to the Commissioner
11 Data Protection Impact Assessment
- Central to incorporating Privacy by Design
- Conduct and document a risk assessment
- The level of intrusion on the subject by your service/product must be proportionate
- Document the risk mitigation: how will the risk be mitigated, and who is responsible for it?
12 Mandatory Appointment of a Data Protection Officer
A controller or processor must designate a Data Protection Officer where:
- the processing is carried out by a public authority or body;
- the core activities of the controller or processor consist of operations which, by their nature, scope or purpose, require regular and systematic monitoring of data subjects on a large scale ("regular and systematic" is not defined, but WP29 suggests activities such as profiling and scoring for risk assessment; "large scale" is not defined, but WP29 suggests a bank or insurance company would qualify; both terms will require testing); or
- the core activities of the controller or processor consist of processing sensitive personal data on a large scale.
A single DPO can be appointed for a number of undertakings.
13 Right to Compensation and Liability
- Recovery for distress is new
- Currently Ireland does not provide for recovery for distress; the claimant must show loss: Collins v FBD [2013] IEHC 137
14 Financial Penalties
Two-tier structure:
- up to €10m or 2% of global turnover, whichever is greater
- up to €20m or 4% of global turnover, whichever is greater
The administrative sanction shall in each individual case be effective, proportionate and dissuasive. The supervisory authority shall impose a fine, up to the applicable maximum, on anyone who intentionally or negligently infringes the Regulation.
15 First Steps in Getting Ready
- Catalogue what types of data you collect
- Outline why you collect that data and how it is used
- Protocol: record how data is collected, shared and sent to others
- Protocol: how will you tell subjects how their data will be used?
- Protocol: conduct a risk assessment and document the risk mitigation
- Develop templates for subject access responses (how will you deal with access requests? access portals/pathways?)
- Review your breach response protocol: is it compliant?
- Privacy by Design is a central component
16 What Does Privacy by Design Look Like?
- Embed privacy into the design
- Full lifecycle protection
- Privacy as the default setting
- Proactive: prevent breaches rather than reacting to them
- User-centric approach
- Transparency
17 What Does Compliant by Design Look Like?
- Evidence-based reporting (audits)
- Authorisation workflows (transfer)
- Map data
- Risk profile of data
- Data protection impact assessment
- Data retention schedules
- Subject access protocol
- Encrypt / anonymise
18 mHealth
- Mobile health applications are ubiquitous
- Beneficial in terms of support and self-management
- The data is potentially highly sensitive
- The design must ensure the user's privacy is optimally protected
- How do users know whether the various applications on offer meet their privacy concerns?
19 Purpose of the Code
- Foster trust among mHealth application users
- Ensure users make informed decisions about their engagement with the application
- Facilitate data protection compliance
- Promote good practice
- Provide app developers with a Code with which they can publicly declare their compliance
20 Purpose of the Code
"The Privacy Code of Conduct on mobile health (mhealth) apps, facilitated by the European Commission, will provide a competitive advantage for those who are signatory to it, and help to promote trust among users of mhealth apps." (European Commission)
21 What is Personal Data?
- Information on the user (name, address, contact information)
- Device identifiers
- Location data
- Any other information relating to an identified or identifiable natural person
22 What is Data Concerning Health?
Any personal data related to the physical or mental health of an individual, including:
- the provision of health care services
- information about health status
- personal information that has a clear and close link with the description of a person's health status (e.g. raw sensor data from which conclusions about health status can be drawn)
- lifestyle data: raw data on an individual's habits that is not inherently related to health may not be considered health data; however, if it has a clear and close link to the person's health status, it may be health data!
23 Examples
- An application that allows the user to track their medication adherence in line with medical advice prescribed by their doctor is classed as processing data related to health
- An application that tracks a person's footsteps solely to measure their activity, and does not store the data to build a profile that evaluates their physical fitness or health condition, is classed as processing lifestyle data
- The Code applies to the former; data protection law applies to both
24 What is Processing of Data?
Any operation or set of operations performed on personal data (or sets of personal data), whether automated or not, such as collecting, recording, organising, structuring, storing, adaptation/alteration, retrieval, consultation, use, disclosure by transmission, dissemination (making available), alignment/combination, restriction, erasure or destruction. Just about anything to do with data!
25 Additional Legal Obligations (GDPR)
- Biometric data: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual which allows or confirms the unique identification of that individual, such as facial images or fingerprint data
- Genetic data: personal data relating to the inherited or acquired genetic characteristics of an individual which give unique information about the physiology or health of that individual and which result from the analysis of a biological sample from the person in question
26 How will the Code Operate? (In line with the GDPR)
- mHealth Ecosystem General Assembly: stakeholders (app developers, the data protection community, industry associations and/or patient associations) meet at least twice a year to discuss the maintenance, interpretation and evolution of the Code. A consultative organ which supervises the Code but has no day-to-day input.
- Governance Board: has the decision-making powers (app developers, app developer associations and industry associations). Takes decisions on the maintenance, interpretation and evolution of the Code and on the membership of the Assembly.
- Monitoring Body: operational tasks such as enforcement of the Code, management of the Code-specific website, communication with the public, and monitoring compliance in line with the Data Protection Regulation.
27 Compliance with the Code: Declaration, Monitoring and Enforcement
- A developer wishing to declare adherence to the Code must apply to the Monitoring Body
- Application process: submit a privacy impact assessment and a self-declaration of compliance
- If accepted, the application is identified on a centralised public register maintained by the Monitoring Body
- A voluntary third-party audit, at the app developer's own expense, leads to certification of compliance with the Code (the audit can be completed by any organisation mandated by the Governance Board)
- The Monitoring Body will randomly select a sample of applications to re-check their continued adherence
- The public can lodge complaints; the Monitoring Body will inform national data protection authorities of complaints received
28 Compliance with the Code: Declaration, Monitoring and Enforcement (cont.)
- Once an application is placed on the Code's registry, the developer may apply the trust mark made available under the terms and conditions set out by the Governance Board
- On breach, the Monitoring Body will mark the application as having failed the adherence requirements; the developer will be forbidden to make any reference to the Code or to display the trust mark
29 Practical Guidelines for Application Developers
30 1. Obtaining consent
- Consent must be sought through user-friendly text; the information cannot be couched in complex or long legal text
- Sought upon installation and before any data processing
- For health data, consent must be explicit: it is not sufficient that the user does not object after reading your stated intention
- You must be able to demonstrate consent
- Seeking consent at various stages is considered good practice
- Withdrawal must be easy, including by choosing to delete their data (locally, remotely or both) or by uninstalling the app
- If the user withdraws consent, delete the user's data from your system unless there was prior agreement for retention
31 2. Main principles that must be considered
A) Purpose limitation (collection and processing of data):
- Specific and legitimate purposes; the purpose must be clearly defined
- Must bear a meaningful relationship to the functionality of the app. E.g. an application that monitors blood sugar levels to assist patients with diabetes in dispensing medication cannot sell this information to vendors of medication
- If the data is to be used for another purpose, it must be completely anonymised (very difficult to do under the GDPR) or the informed and explicit consent of the user must be obtained
32 2. Main principles that must be considered
B) Data minimisation:
- Consider what data is strictly necessary for the app to provide its functionality
- Do not collect more data, or keep it for longer, than is necessary (avoid Redundant, Obsolete and Trivial data)
- E.g. do not collect and store the date of birth when an age range is sufficient
33 2. Main principles that must be considered
C) Transparency:
- Provide users with a clear description of the purposes for which their data will be processed
- They must be able to understand what personal data is collected and why
- The language must be understandable
34 2. Main principles that must be considered
D) Privacy by Design and Privacy by Default:
- Privacy implications are considered at each step of development
- Make it easy to give and withdraw consent at various stages of app use
- Default to the least privacy-invasive choice. E.g. if the app allows users to share their data, this option should be off by default; active consent is required to turn it on
35 2. Main principles that must be considered
E) Data subject rights:
- Right to access their data
- Right to obtain corrections
- Right to object to any further processing
- Users should be able to find this and other rights-based information easily
36 3) Information to provide before use
- The essential scope of information about data processing must be available prior to installation
- A clear description of how their data will be processed
- Identify yourself clearly and unambiguously, and provide contact information so the user can ask questions and/or exercise their rights
- Inform the user if data concerning health will be stored anywhere other than on the user's device
- This information must be easy to find at and after installation
- A layered approach is satisfactory: first layer = the most crucial information; second layer = the full privacy policy
37 4) Keeping the data
- No longer than necessary for the functionalities of the app, unless otherwise required or permitted by law
- Clear criteria must be set out for data deletion
- After a certain period of non-use of the app, the data should be considered expired and must be deleted, even if the user takes no positive action to request this
- Instead of deletion you may decide to irreversibly anonymise the data (challenging to do in a GDPR-compliant manner): if there is any possibility of combining it with other data and re-identifying the individual, it remains personal data under the Regulation
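The minimisation rule on slide 32 (store an age range rather than the date of birth) and the retention and anonymisation points on this slide can be checked mechanically before a dataset is treated as "anonymised". The following Python is an added example, not code from the slides or from the mHealth Code: the sample users, the field names, the 18-month retention window and the threshold k = 3 are all constructed assumptions. It generalises the date of birth to a 10-year band, coarsens the postcode to its area, purges records past the retention window even though no user asked for deletion, and then measures k-anonymity over the remaining quasi-identifiers. On the constructed sample this shows that coarsened data can still single out one user (k = 1), so it is still personal data, and that suppressing the small group is what actually gets the released table to k = 3.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample records (not real users): what a step-tracking mHealth app
# might hold per user if it stored the date of birth and a full postcode.
SAMPLE_USERS = [
    {"id": 1, "dob": date(1984, 3, 2),   "postcode": "D04 X5Y1", "sex": "F", "last_seen": date(2018, 4, 1)},
    {"id": 2, "dob": date(1986, 11, 20), "postcode": "D04 A1B2", "sex": "F", "last_seen": date(2018, 5, 1)},
    {"id": 3, "dob": date(1981, 7, 7),   "postcode": "D04 C3D4", "sex": "F", "last_seen": date(2018, 3, 15)},
    {"id": 4, "dob": date(1955, 1, 30),  "postcode": "T12 E5F6", "sex": "M", "last_seen": date(2018, 2, 2)},
    {"id": 5, "dob": date(1990, 9, 9),   "postcode": "D06 G7H8", "sex": "M", "last_seen": date(2016, 6, 1)},
]

TODAY = date(2018, 5, 25)                 # fixed so the example is reproducible
RETENTION = timedelta(days=548)           # assumed policy: ~18 months of non-use = expired
QUASI_IDS = ("age_band", "area", "sex")   # fields that, combined, can single a person out


def age_band(dob: date, today: date, width: int = 10) -> str:
    """Data minimisation: derive a coarse age band and never store the date of birth."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def is_expired(record: dict, today: date) -> bool:
    """Retention: expired when the user has not used the app within RETENTION,
    regardless of whether they ever asked for deletion."""
    return today - record["last_seen"] > RETENTION


def minimise(records: list, today: date) -> list:
    """Purge expired users, then keep only the coarse fields the feature needs."""
    return [
        {"age_band": age_band(r["dob"], today),
         "area": r["postcode"].split()[0],   # postcode area only, not the full code
         "sex": r["sex"]}
        for r in records if not is_expired(r, today)
    ]


def k_anonymity(rows: list, quasi_ids: tuple) -> int:
    """Size of the smallest group sharing the same quasi-identifier values.
    k == 1 means at least one person is unique and therefore re-identifiable."""
    groups = Counter(tuple(row[q] for q in quasi_ids) for row in rows)
    return min(groups.values()) if groups else 0


def suppress_small_groups(rows: list, quasi_ids: tuple, k: int) -> list:
    """Drop rows whose quasi-identifier combination is shared by fewer than k people."""
    groups = Counter(tuple(row[q] for q in quasi_ids) for row in rows)
    return [row for row in rows if groups[tuple(row[q] for q in quasi_ids)] >= k]


def retention_and_anonymity_report(records: list, today: date, k_required: int = 3) -> dict:
    """One pass a developer could run before calling a dataset 'anonymised'."""
    kept = minimise(records, today)
    k_before = k_anonymity(kept, QUASI_IDS)
    released = suppress_small_groups(kept, QUASI_IDS, k_required)
    return {
        "purged_expired": len(records) - len(kept),
        "k_before_suppression": k_before,
        "still_personal_data": k_before < k_required,
        "rows_suppressed": len(kept) - len(released),
        "k_released": k_anonymity(released, QUASI_IDS),
    }


if __name__ == "__main__":
    print(retention_and_anonymity_report(SAMPLE_USERS, TODAY))
```

The choice of quasi-identifiers is the important judgement: age band, postcode area and sex are enough to make user 4 unique here, and in a real app device identifiers or timestamps of use would have to be counted as well. k-anonymity is a floor, not a guarantee; it says nothing about whether the remaining health values within a group are themselves revealing.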
38 5) Security measures
- You are required to identify any data protection risks and take steps to mitigate them
- This is an ongoing process, to ensure privacy is continually protected
- Conduct a Privacy Impact Assessment
39 What Does a Privacy Impact Assessment Look Like?
It requires answers to questions such as (examples are required):
- What kind of data is being collected? Explain how this data is required for functionality
- For which purposes is the data being processed (functionality, technical purposes, big data analysis, monetisation)?
- How have you obtained consent? Have you used accessible language?
- Is the app likely to be used by minors? If so, what safeguards are in place?
- Have you designated anyone to answer privacy-related questions? If so, have you informed the user how they can contact them?
- Was the app developed in conjunction with a healthcare professional (HCP)?
40 What Does a Privacy Impact Assessment Look Like? (cont.)
- Has Privacy by Design been embedded in the design? Has data minimisation been embedded in the design?
- Is the data identifiable?
- Have appropriate authorisation mechanisms been built in?
- Has all information that is appropriate for encryption been encrypted?
- Has the app been developed using known guidelines and secure development software?
- Are regular security audits required? Has the app been piloted?
- Can incidents that affect remotely stored data be identified and addressed?
- Are appropriate contractual agreements in place for data transfers?
41 6) Advertisements in mHealth applications
- Permissible once clearly authorised by the user prior to installation
- Contextual advertising can be opt-out. E.g. an app monitoring blood sugar shows blood-sugar-related advertising but holds no data on the user, so the advertising is not specific to the user
- Profiled advertising must be opt-in. E.g. an app monitoring blood sugar shows advertising driven by the user's own blood sugar level data
- Acceptance of advertising can be a condition of use, so non-acceptance means removal of the app from the user's device
42 7) Personal data for secondary use (e.g. big data)
- Any further processing of personal data must be compatible with the original purpose
- Processing for scientific or historical research or statistical purposes is still considered compatible if done in accordance with EU-level rules (when the GDPR comes in, each Member State must deal with this through national derogations; wait to see how Ireland handles the issue)
- Big data use requires asking for consent or complete anonymisation
43 8) Third parties for processing
- Must inform the user
- Enter into a binding agreement with the processor specifying the purposes for which it may process the data (these must align with the purposes described to the user)
- The agreement must contain sufficient security obligations: security may not be weakened by passing data to a third party
- The liability of the third party must be clear
- You are responsible for selecting an appropriate third party and may be liable for any incidents
44 9) Transferring the gathered data
- The user can store data on their own phone and, if you have obtained consent, you can store it on your own server
- Transfer to a third party must meet the criteria above and must be within the EU/EEA
- To transfer outside the EU/EEA you must have legal guarantees in place to ensure the transfer is permitted under EU law:
  - the destination country is covered by an adequacy decision of the European Commission;
  - appropriate contractual safeguards are in place under the European Commission's model contracts (standard contractual clauses) or Binding Corporate Rules; or
  - the user's unambiguous consent to the specific transfer has been obtained (not a basis for repeated transfers)
45 10) Personal data breach
- Prepare your breach response before a breach occurs
- Is the breach related to personal data?
- Notify the supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach
- Notify affected individuals without undue delay (where the breach is likely to result in a high risk to them)
- Detail the breach, its potential consequences and the measures taken
46 11) Data gathered from children
- Take the most restrictive data processing approach
- Respect data minimisation and purpose limitation
- Refrain, where possible, from collecting data through children about their relatives and/or friends
- Parental involvement is crucial
- Make reasonable efforts to verify that consent/authorisation is given by a person with parental responsibility
47 How can ARCH help?
- This is not new to us: ethics and data protection have always been central to all our work and are built into all evaluations (early- and late-stage projects)
- ARCH has extensive experience in the co-design space
- This expertise is available to ARCH members, so talk with us early on, prior to prototype development
48 Thank You!
More informationPolish Science Database (BWNP)
Warsaw, 24 May 2018 POLISH SCIENCE DATABASE Mandatory information to be provided under Articles 13 and 14 of the GDPR PERSONAL DATA OF SCHOLARS AND INDIVIDUALS SUBMITTING SUCH DATA FOR THE Polish Science
More informationAustralian Census 2016 and Privacy Impact Assessment (PIA)
http://www.privacy.org.au Secretary@privacy.org.au http://www.privacy.org.au/about/contacts.html 12 February 2016 Mr David Kalisch Australian Statistician Australian Bureau of Statistics Locked Bag 10,
More informationIV/10. Measures for implementing the Convention on Biological Diversity
IV/10. Measures for implementing the Convention on Biological Diversity A. Incentive measures: consideration of measures for the implementation of Article 11 Reaffirming the importance for the implementation
More informationPrimary IVF Conditions for Registration For Assisted Reproductive Treatment Providers under the Assisted Reproductive Treatment Act 2008
Primary IVF Conditions for Registration For Assisted Reproductive Treatment Providers under the Assisted Reproductive Treatment Act 2008 Effective: 1 June 2018 Contents SECTION 1: Background... 3 SECTION
More informationType Approval JANUARY The electronic pdf version of this document found through is the officially binding version
STANDARD FOR CERTIFICATION No. 1.2 Type Approval JANUARY 2013 The electronic pdf version of this document found through http://www.dnv.com is the officially binding version The content of this service
More informationPersonal Data Protection Competency Framework for School Students. Intended to help Educators
Conférence INTERNATIONAL internationale CONFERENCE des OF PRIVACY commissaires AND DATA à la protection PROTECTION des données COMMISSIONERS et à la vie privée Personal Data Protection Competency Framework
More informationTechAmerica Europe comments for DAPIX on Pseudonymous Data and Profiling as per 19/12/2013 paper on Specific Issues of Chapters I-IV
Tech EUROPE TechAmerica Europe comments for DAPIX on Pseudonymous Data and Profiling as per 19/12/2013 paper on Specific Issues of Chapters I-IV Brussels, 14 January 2014 TechAmerica Europe represents
More informationPrivacy Procedure SOP-031. Version: 04.01
SOP-031 Version: 04.01 Effective Date: 01-Mar-2017 Table of Contents 1. DOCUMENT HISTORY... 3 2. APPROVAL STATEMENT... 3 3. PURPOSE... 4 4. SCOPE... 4 5. ABBREVIATIONS... 4 6. PROCEDURES... 5 6.1 COLLECTION
More informationGUITAR PRO SOFTWARE END-USER LICENSE AGREEMENT (EULA)
GUITAR PRO SOFTWARE END-USER LICENSE AGREEMENT (EULA) GUITAR PRO is software protected by the provisions of the French Intellectual Property Code. THIS PRODUCT IS NOT SOLD BUT PROVIDED WITHIN THE FRAMEWORK
More informationDEVELOPMENTS IN EU MDD & IVDD SOFTWARE REGULATION
Objectives DEVELOPMENTS IN EU MDD & IVDD SOFTWARE REGULATION Some brief remarks on data protection Current regulation of medical devices software Overview of EU medical devices directives revision process
More informationLAW ON TECHNOLOGY TRANSFER 1998
LAW ON TECHNOLOGY TRANSFER 1998 LAW ON TECHNOLOGY TRANSFER May 7, 1998 Ulaanbaatar city CHAPTER ONE COMMON PROVISIONS Article 1. Purpose of the law The purpose of this law is to regulate relationships
More informationEuropean Charter for Access to Research Infrastructures - DRAFT
13 May 2014 European Charter for Access to Research Infrastructures PREAMBLE - DRAFT Research Infrastructures are at the heart of the knowledge triangle of research, education and innovation and therefore
More informationGUIDELINES ON PRIVACY BY DESIGN AND PRIVACY IMPACT ASSESSMENT
Document 2.1.4-7 GUIDELINES ON PRIVACY BY DESIGN AND PRIVACY IMPACT ASSESSMENT Component 2 Activity 2.1.4-4 Draft version - November 2011 The content of this report is the sole responsibility of Human
More informationCOMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT. pursuant to Article 294(6) of the Treaty on the Functioning of the European Union
EUROPEAN COMMISSION Brussels, 9.3.2017 COM(2017) 129 final 2012/0266 (COD) COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT pursuant to Article 294(6) of the Treaty on the Functioning of the
More informationGlobal Alliance for Genomics & Health Data Sharing Lexicon
Version 1.0, 15 March 2016 Global Alliance for Genomics & Health Data Sharing Lexicon Preamble The Global Alliance for Genomics and Health ( GA4GH ) is an international, non-profit coalition of individuals
More informationThe Information Commissioner s response to the Draft AI Ethics Guidelines of the High-Level Expert Group on Artificial Intelligence
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF T. 0303 123 1113 F. 01625 524510 www.ico.org.uk The Information Commissioner s response to the Draft AI Ethics Guidelines of the High-Level Expert
More informationHaving regard to the Treaty establishing the European Community, and in particular its Article 286,
Opinion of the European Data Protection Supervisor on the Communication from the Commission on an Action Plan for the Deployment of Intelligent Transport Systems in Europe and the accompanying Proposal
More informationIET Guidelines for Volunteers: Data Protection
SERIAL NO: Issue No: 3.0 IET Guidelines for Volunteers: Protection Effective Date Approved by Author February 2012 Executive Committee Richard Best Date of Last Review Reviewed By Date of Next Review February
More informationHong Kong Personal Data Protection Regulatory Framework From Compliance to Accountability
Legal Week s Corporate Counsel Forum 2016 Renaissance Harbour View Hotel 23 June 2016 Hong Kong Personal Data Protection Regulatory Framework From Compliance to Accountability Stephen Kai-yi Wong Privacy
More informationITAC RESPONSE: Modernizing Consent and Privacy in PIPEDA
August 5, 2016 ITAC RESPONSE: Modernizing Consent and Privacy in PIPEDA The Information Technology Association of Canada (ITAC) appreciates the opportunity to participate in the Office of the Privacy Commissioner
More informationDiana Gordick, Ph.D. 150 E Ponce de Leon, Suite 350 Decatur, GA Health Insurance Portability and Accountability Act (HIPAA)
Diana Gordick, Ph.D. 150 E Ponce de Leon, Suite 350 Decatur, GA 30030 Health Insurance Portability and Accountability Act (HIPAA) NOTICE OF PRIVACY PRACTICES I. COMMITMENT TO YOUR PRIVACY: DIANA GORDICK,
More informationUser Privacy in Health Monitoring Wearables
User Privacy in Health Monitoring Wearables Requirements stemming from current and proposed European Union legislation Kiril Kalev, Jernej Mavrič, Sophie Pijnenburg, Anouk de Ruijter Tilburg Institute
More informationPrivacy engineering, privacy by design, and privacy governance
CyLab Lorrie Faith Cranor" Engineering & Public Policy acy & Secur ity Priv e l HT TP ratory bo La 8-533 / 8-733 / 19-608 / 95-818:! Privacy Policy, Law, and Technology CyLab U sab November 17, 2015 ://
More informationIntegrating Fundamental Values into Information Flows in Sustainability Decision-Making
Integrating Fundamental Values into Information Flows in Sustainability Decision-Making Rónán Kennedy, School of Law, National University of Ireland Galway ronan.m.kennedy@nuigalway.ie Presentation for
More informationPrecious Metal Articles Act
Issuer: Riigikogu Type: act In force from: 01.07.2014 In force until: mitte jõustunud Translation published: 07.04.2014 Amended by the following acts Passed 22.01.2003 RT I 2003, 15, 85 Entered into force
More information1 SERVICE DESCRIPTION
DNV GL management system ICP Product Certification ICP 4-6-3-5-CR Document number: ICP 4-6-3-5-CR Valid for: All in DNV GL Revision: 2 Date: 2017-05-05 Resp. unit/author: Torgny Segerstedt Reviewed by:
More informationCOUNCIL OF THE EUROPEAN UNION. Brussels, 19 May 2014 (OR. en) 9879/14 Interinstitutional File: 2013/0165 (COD) ENT 123 MI 428 CODEC 1299
COUNCIL OF THE EUROPEAN UNION Brussels, 19 May 2014 (OR. en) 9879/14 Interinstitutional File: 2013/0165 (COD) T 123 MI 428 CODEC 1299 NOTE From: To: General Secretariat of the Council Council No. prev.
More information(Non-legislative acts) DECISIONS
4.12.2010 Official Journal of the European Union L 319/1 II (Non-legislative acts) DECISIONS COMMISSION DECISION of 9 November 2010 on modules for the procedures for assessment of conformity, suitability
More informationRules of the prize game Sa Zaba karticama dobivam više!
The purpose of these Rules is to ensure all participants have equal chance to enter the Prize Game and win prizes after meeting the requirements set forth in these Rules. MPG d.o.o. (with their registered
More informationData Protection and Privacy in a M2M world. Yiannis Theodorou, Regulatory Policy Manager GSMA Latam Plenary Peru, November 2013
Data Protection and Privacy in a M2M world Yiannis Theodorou, Regulatory Policy Manager GSMA Latam Plenary Peru, November 2013 A M2M world? Machine-to-machine (M2M) is the exchange of mainly data communications
More informationJustice Select Committee: Inquiry on EU Data Protection Framework Proposals
Justice Select Committee: Inquiry on EU Data Protection Framework Proposals Response by the Wellcome Trust KEY POINTS The Government must make the protection of research one of their priorities in negotiations
More informationResponsible Data Use Policy Framework
1 May 2018 Sidewalk Toronto is a joint effort by Waterfront Toronto and Sidewalk Labs to create a new kind of complete community on Toronto s waterfront that combines cutting-edge technology and forward-thinking
More informationLegal Aspects of the Internet of Things. Richard Kemp June 2017
Legal Aspects of the Internet of Things Richard Kemp June 2017 LEGAL ASPECTS OF THE INTERNET OF THINGS TABLE OF CONTENTS Para Heading Page A. INTRODUCTION... 1 1. What is the Internet of Things?... 1 2.
More informationSeminar on Consultation on. Review of the Personal Data (Privacy) Ordinance. Why the review is being conducted and what this means to you
Seminar on Consultation on Review of the Personal Data (Privacy) Ordinance Why the review is being conducted and what this means to you On 28 August 2009, the Government released the Consultation Document
More informationPrivacy by Design Assessment and Certification. For discussion purposes only
Privacy by Design Assessment and Certification For discussion purposes only Privacy by Design The Framework Privacy by Design 2 Adoption of Privacy by Design as an International Standard Landmark Resolution
More informationPrivacy Impact Assessment on use of CCTV
Appendix 2 Privacy Impact Assessment on use of CCTV CCTV is currently in the majority of the Council s leisure facilities, however this needs to be extended to areas not currently covered by CCTV. Background
More informationPRODUCT INFORMATION FORM (PIF TM )
PRODUCT INFORMATION FORM (PIF TM ) PIF Version 6.0 Frequently Asked Questions September 2017 CONTENTS The following headings are hyperlinked to the section of the Q&A where the information related to the
More informationData Protection and Ethics in Healthcare
Data Protection and Ethics in Healthcare Harald Zwingelberg ULD June 14 th, 2017 at Brocher Foundation, Geneva Organized by: with input by: Overview Goal: Protection of people Specific legal setting for
More informationENGINEERING DRAWINGS MANAGEMENT POLICY (IFC/AS BUILTS)
Approval Amendment Record Approval Date Version Description 15/10/2015 1 This policy takes precedence over L1-NAM-PRO-003 Infrastructure As Built Drawing Management due to business restructures. New Content
More informationShould privacy impact assessments be mandatory? David Wright Trilateral Research & Consulting 17 Sept 2009
Should privacy impact assessments be mandatory? David Wright Trilateral Research & Consulting 17 Sept 2009 1 Today s presentation Databases solving one problem & creating another What is a privacy impact
More informationPaola Bailey, PsyD Licensed Clinical Psychologist PSY# 25263
NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. Privacy is a very
More informationPRIVACY IMPACT ASSESSMENT
PRIVACY IMPACT ASSESSMENT PRIVACY IMPACT ASSESSMENT The template below is designed to assist you in carrying out a privacy impact assessment (PIA). Privacy Impact Assessment screening questions These questions
More informationAbout the Office of the Australian Information Commissioner
Australian Government Office of the Australian Information Commissioner www.oaic.gov.au GPO Box 5218 Sydney NSW 2001 P +61 2 9284 9800 F +61 2 9284 9666 E enquiries@oaic.gov.au Enquiries 1300 363 992 TTY
More informationHigh Holborn, London ETI ID Number: Ave des Nerviens 85 B 1040 Brussels Belgium
Bar Council of England and Wales Brussels Office Ave des Nerviens 85 B 1040 Brussels Belgium Tel: 02/230 48 10 Fax: 02/230 45 96 e mail: evanna.fruithof@ barcouncil.be Response of the Bar Council of England
More informationCARAPELLI FOR ART COMPETITION RULES AND REGULATIONS
CARAPELLI FOR ART COMPETITION RULES AND REGULATIONS COMPETITION PROJECT Carapelli is promoting the first Carapelli for Art award, a competition for visual arts that intends to enhance, promote and support
More informationInterest Balancing Test Assessment on the processing of the copies of data subjects driving licences for the MOL Limo service
1 Legitimate interest of the controller or a third party: General description of the processing environment Users can commence the registration required for using the MOL LIMO service in the Mobile Application
More informationTECHNICAL AND OPERATIONAL NOTE ON CHANGE MANAGEMENT OF GAMBLING TECHNICAL SYSTEMS AND APPROVAL OF THE SUBSTANTIAL CHANGES TO CRITICAL COMPONENTS.
TECHNICAL AND OPERATIONAL NOTE ON CHANGE MANAGEMENT OF GAMBLING TECHNICAL SYSTEMS AND APPROVAL OF THE SUBSTANTIAL CHANGES TO CRITICAL COMPONENTS. 1. Document objective This note presents a help guide for
More informationICC POSITION ON LEGITIMATE INTERESTS
ICC POSITION ON LEGITIMATE INTERESTS POLICY STATEMENT Prepared by the ICC Commission on the Digital Economy Summary and highlights This statement outlines the International Chamber of Commerce s (ICC)
More informationPhase 2 Executive Summary: Pre-Project Review of AECL s Advanced CANDU Reactor ACR
August 31, 2009 Phase 2 Executive Summary: Pre-Project Review of AECL s Advanced CANDU Reactor ACR-1000-1 Executive Summary A vendor pre-project design review of a new nuclear power plant provides an opportunity
More information