Data Protection Principles Research Articles

Basic principles of personal data protection in automated information systems of commercial enterprises on the territory of the Russian Federation

Basic principles of personal data protection in automated information systems of commercial enterprises on the territory of the Russian Federation

ІНФОРМАЦІЙНА БЕЗПЕКА СУБ’ЄКТІВ МАЛОГО ПІДПРИЄМНИЦТВА В УМОВАХ ЦИФРОВІЗАЦІЇ

The article defines and analyzes the characteristic features of modern society digitalization, in particular the digital economy. It is noted that progress in the digital technology environment requires the application of information security measures, primarily in the financial and economic activities of small businesses. The interpretation of the definitions «information security» and «economic security» has been clarified. Attention is drawn to a conscious understanding of the interaction between people and technology during the digital transformation of the economy in such a way that the latest technologies must adapt to people, and not vice versa. It is emphasized that such an understanding can come only in the process of training and acquiring appropriate professional competencies, especially among small businesses. The types of small businesses information that are subject to protection and components of economic security are determined. Proposals have been formed for the creation of a comprehensive security program, which should include an action plan aimed at protecting the functioning of the enterprise's information system from external and internal influences, and a set of measures designed to protect the confidentiality, availability, and integrity of data from internal and external, malicious and accidental threats. Information security of small businesses in the context of digitalization should be based on the following positions: the management of the enterprise should regularly train all employees in the principles of Information Security, data protection and protect physical data carriers from cyber attacks; the corporate network should be segmented, and access to it – controlled; partnership with service providers from the point of view of information security should be equivalent; remote access to the corporate network of the enterprise, which is now becoming more widespread, should be as secure as possible and comply with information security standards. A promising area of further research is the development of a set of measures at the state level, which includes streamlining the simplified tax system, promoting the development of innovative entrepreneurship, cluster organization of small businesses, the formation of a modern information infrastructure to support entrepreneurship, the formation of a favorable business climate.

DEVELOPMENT OF THE PERSONAL DATA PROTECTION FRAMEWORK – WILL THE PANDEMIC BRING NEW CHANGES?

The General Data Protection Regulation (hereinafter – the Regulation), which entered into force on 25 May 2018 and introduced a new legal framework for the protection of personal data in the European Union, also included a number of new rights, more precise definitions and improvements in the field of personal data protection. The three‐year period has shown that the Regulation has successfully replaced Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement ofsuch data, but the Covid‐19 pandemic posed the question: does the Regulation sufficiently define and explain how controllers should deal with the processing of sensitive data, or in situations where employees of companies and institutions work remotely? Data protection is a complex concept that can be analyzed from both a legal and a social point of view. Traditionally, data protection has been referred to as the protection of personal privacy in the context of processes involving the use of personal data. Prior to the implementation of the Regulation, the existing rules on the protection of personal data in the European Union were not sufficiently uniform and were implemented differently in each Member State. It contributed to the development and implementation of the Regulation, in the hope that it would modernize and promote a common data protection regime, while maintaining all the basic principles of data protection that have been followed so far. Prior to the pandemic, the Regulation successfully achieved its original objectives, but hasthe pandemic necessitated a revision of the Regulation? This article will analyze the development of the legal framework for the protection of personal data and analyze the compliance of the Regulation with the requirements arising from the effects of the pandemic.

Towards GDPR-compliant data processing in modern SIEM systems

The introduction of the General Data Protection Regulation (GDPR) in Europe raises a whole series of issues and implications on the handling of corporate data. We consider the case of security-relevant data analyses in companies, such as those carried out by Security Information and Event Management (SIEM) systems. It is often argued that the processing of personal data is necessary to achieve service quality. However, at present existing systems arguably are in conflict with the GDPR since they often process personal data without taking data protection principles into account. In this work, we first examine the GDPR regarding the resulting requirements for SIEM systems. On this basis, we propose a SIEM architecture that meets the privacy requirements of the GDPR and show the effects of pseudonymization on the detectability of incidents.

Resuscitation with an AED: putting the data to use.

The increased use of the automated external defibrillator (AED) contributes to the rising survival rate after sudden cardiac arrest in the Netherlands. When used, the AED records the unconscious person’s medical data (heart rhythm and information about cardiopulmonary resuscitation), which may be important for further diagnosis and treatment. In practice, ethical and legal questions arise about what can and should be done with these ‘AED data’. In this article, the authors advocate the development of national guidelines on the handling of AED data. These guidelines should serve two purposes: (1) to safeguard that data are handled carefully in accordance with data protection principles and the rules of medical confidentiality; and (2) to ensure nationwide availability of data for care of patients who survive resuscitation, as well as for quality monitoring of this care and for related scientific research. Given the medical ethical duties of beneficence and fairness, existing (sometimes lifesaving) information about AED use ought to be made available to clinicians and researchers on a structural basis. Creating a national AED data infrastructure, however, requires overcoming practical and organisational barriers. In addition, further legal study is warranted.

Sairaanhoitajien valmiudet tiedonhallintaan sekä kokemukset potilas- ja asiakastietojärjestelmien tuesta työtehtäviin

Sairaanhoitajien kokemuksia potilas- ja asiakastietojärjestelmistä kartoitettiin nyt toiseen kertaan valtakunnallisella kyselytutkimuksella. Tutkimuksen tavoitteena on tuottaa tietoa kansallisessa Tieto hyvinvoinnin ja uudistuvien palvelujen tukena – Sote-tieto hyötykäyttöön 2020 -strategiassa asetettujen tavoitteiden saavuttamisesta yhden osa-alueen (Kyvykkäille käyttäjille fiksut järjestelmät) osalta sairaanhoitajien näkökulmasta. Näitä strategian osatavoitteita mukailevat tutkimuskysymykset ovat: Miten asiakas- ja potilastietojärjestelmät tukevat hoitajien työtehtäviä, yhteistyötä ja tiedonkulkua? Minkälaiseksi hoitajat arvioivat nykyisen käyttökokemuksensa, koulutuksensa, perehdyttämisen toimintatapojen muutokseen sekä lisäkoulutustarpeensa? Miten hyödylliseksi hoitajat arvioivat asiakas- ja potilastietojärjestelmät työssään?
 Tutkimusaineisto kerättiin sähköisellä kyselyllä hyödyntäen Sairaanhoitajaliiton, Tehyn sekä Akavan sairaanhoitajat ja Taja ry:n (TAJA) jäsenrekistereitä keväällä 2020. Kyselyyn vastasi hyväksyttävästi 3 610 sairaanhoitajaa, kätilöä tai terveydenhoitajaa, jotka toimivat julkisessa terveydenhuollossa, sosiaalihuollossa tai yksityisellä sektorilla. Vastaajat olivat kokeneita asiakas- ja potilastietojärjestelmien käyttäjiä. Valtaosa heistä kirjautui vähintään yhteen järjestelmään päivittäin, osa jopa viiteen tai sitä useampaan järjestelmään. Tulosten mukaan vastaajat eivät olleet tyytyväisiä järjestelmien tukeen niiden käytön vaatiman pitkän perehdytyksen vuoksi. Tiedonkulkuun hoitajien välillä omassa organisaatiossa oltiin tyytyväisiä, mutta tiedonkulussa eri organisaatioissa toimivien hoitajien välillä sekä hoitajien ja potilaiden välillä koettiin puutteita. Enemmistö vastaajista koki tietotekniset perustaitonsa, taitonsa tehdä kirjaukset asiakas- tai potilastietojärjestelmään, taitonsa tehdä potilaan hoidon kirjaus hoitotyön prosessin mukaisesti sekä tietosuojan ja tietoturvan periaatteiden hyödyntämisensä päivittäisessä työssä hyviksi tai erinomaisiksi kaikissa toimintaympäristöissä. Yli puolet vastaajista ei ilmoittanut lisäkoulutustarpeita. Kuitenkin hoitajat toivoivat työnantajiltaan enemmän täydennyskoulutusta. Vastaajat kokivat ongelmalliseksi järjestelmien kyvyn tai toiminnallisuuden koostaa yhteenvetonäkymiä. Yhteenvetona voidaan todeta sairaanhoitajilla olevan hyvät tai erinomaiset taidot käyttää asiakas- ja potilastietojärjestelmiä, mutta perehdytystä tarvitaan tukemaan digitaalisten palvelujen tuottamissa työprosesseissa. Hoidon jatkuvuus, laatu ja potilasturvallisuus ovat erityisesti hyötyjä, joita tietojärjestelmien käytöllä jo saavutetaan.

Data protection during the coronavirus crisis.

Smartphone apps to track SARS-CoV 2 infections need to fulfill certain minimal requirements to guarantee privacy and justify their use under data protection laws.

Aarogya Setu- Carrying Your Privacy in Your Hands?

There are numerous benefits of having a data protection legislation in place to guide a nation in how to protect the personal data of individuals. These guiding factors maybe transparency, accountability, ensuring rights of the individuals, listing out organizational measures and the compliance to be undertaken, to name a few. In the current context of having contact tracing apps, it becomes all the more important to have a data protection legal framework. The article seeks to understand the privacy concerns spelled out by the Aarogya Setu App, briefly compare the same with practices across different countries and understanding the need for legislative action concerning the privacy issues. In absence of a legislation, compliance with the privacy principles is not enough. The absence of a national or applicable law that posits data protection principles, provisions and organizational measures, should not permit denial of the basic tenets and continued provision of basic minimum rights of personal data protection and privacy, which must be ensured to all individuals at all times. Finally, it must be borne in mind that the adoption of contact tracing apps will put to test the balance between state surveillance and user privacy. The need of a data protection legislation is very telling in the current times and speaks for itself.

Ethics in Artificial Intelligence: A disjoint between knowing and acting

While artificial intelligence (AI) is changing our daily lives, its impacts and risks to privacy remain one of the top agendas in its developments. As AI frequently relies on massive and seemingly irrelevant data to discover insights that are sometimes unexpected, the technology is at odds with the traditional data protection principles of data minimisation and transparency. Aware of the challenge, data protection authorities (DPAs) are looking for a paradigm shift in how personal data privacy may be respected in the AI era. Now many of them have started to advocate the idea of the ethical use of AI. There is evidence, however, to suggest that there is a disjoint between knowing the importance of ethics and acting ethically. This paper describes the current efforts by DPAs in promoting ethics in AI, discusses the flux concept of ethics, suggests the reasons behind the disjoint between the ethical ‘knowing’ and ‘acting’, and proposes how education, promotion of desired behaviours and a cross-functional approach may help bridge the gap.

COVID-19 contact tracing apps: a stress test for privacy, the GDPR, and data protection regimes.

Digital surveillance has played a key role in containing the COVID-19 outbreak in China, Singapore, Israel, and South Korea. Google and Apple recently announced the intention to build interfaces to allow Bluetooth contact tracking using Android and iPhone devices. In this article, we look at the compatibility of the proposed Apple/Google Bluetooth exposure notification system with Western privacy and data protection regimes and principles, including the General Data Protection Regulation (GDPR). Somewhat counter-intuitively, the GDPR’s expansive scope is not a hindrance, but rather an advantage in conditions of uncertainty such as a pandemic. Its principle-based approach offers a functional blueprint for system design that is compatible with fundamental rights. By contrast, narrower, sector-specific rules such as the US Health Insurance Portability and Accountability Act (HIPAA), and even the new California Consumer Privacy Act (CCPA), leave gaps that may prove difficult to bridge in the middle of an emergency.

ISO/IEC 27701: Threats and Opportunities for GDPR Certification

The paper assesses the possible consequences for Article 42/43 certification of the recently published ISO/IEC 27701:2019 standard. The new ISO standard establishes a management system that aims to manage ‘the processes for protecting the capture, accountability, availability, integrity, and confidentiality of personal data.’ The conformity with the standard’s requirements is certifiable by the private certification bodies interested in providing this service to businesses. The paper shows that ISO/IEC 27701:2019 based certification possesses many assets to dominate the market of data protection certification and, thus, compete with the approach supported by the European supervisory authorities on data protection. ISO based certification offers many operational advantages to businesses which are looking for a workable solution to streamline information security and data protection in their organization. In the meantime, the EU supervisory authorities are still wandering on the right option to approve certification schemes under Article 42/43 regime. A strong uptake of ISO/IEC 27701:2019 based certification alongside Article 42/43 certification could confuse the general public and eventually threaten Article 42/43 implementation. But it could also offer an opportunity to the European supervisory authorities to spread data protection principles beyond EU borders and clarify the relationships they intend to establish between Article 42/43 certification and ISO standards based one.

Fit for purpose? The GDPR and the governance of European digital health

ABSTRACT The introduction of the General Data Protection Regulation (GDPR) in 2018 served as the cornerstone of the new data governance regime of the European Union. Informed by principles and values such as privacy, accountability, transparency, and fairness, the GDPR is premised on the objective to balance the protection of individual privacy and the promotion of a thriving European data economy. Still, shortcomings of this regulatory effort have been noted by recent ethical, socio-political, legal, and policy scholarship. Focusing on the deployment of digital health technologies and big data practices within the European digital health ecosystem, this article draws upon these bodies of literature to chart the main lines of tension emerging between the current GDPR-based data governance regime and the broader societal shifts coming along with the expansion of digital health. Central aspects of the GDPR–i.e. key underlying data protection principles and regulatory categories, the reliance on the “notice-and-consent” model, the (narrow) remit of the Regulation vis-à-vis possible harms and discriminations–are misaligned with the surge in digital health. This throws into doubt whether the Regulation is fully fit for the purpose of governing current developments in this field, while also calling for swift and adequate policy responses.

Technical aspects of quality assurance for intravitreal injections (IVI)

Successful quality assurance in intravitreal injection (IVI) of medications requires acomplex information technology infrastructure. The main challenges are data availability independent of location, standardization of clinical data, integration of extensive and currently non-standardized image documentation from coherence tomography and compliance with data protection regulations. In this article the technical implementation and data protection principles are reviewed. Essential aspects in the implementation of quality assurance in the field of IVI are discussed in asystematic approach. In the field of network architectures web-based applications supplemented by local virtual private networks (VPN) and/or other software instances have recently replaced the previously commonly used physical data medium exchange. The standardization of the data, e.g. by converting the visual acuity into logMAR, plays an important role in the collection of treatment data. Multiple non-standardized data formats in optical coherence tomography complicate the general quality assurance structure and comparability of data. International standards will probably facilitate this in the near future. Until then individual solutions have to be found on site.

Thailand – Asia’s Strong New Data Protection Law

Thailand’s Personal Data Protection Act of 2019 may become one of the strongest data privacy laws in Asia. It is much stronger than the previous Bill, both in terms of its principles and its enforcement. However, the picture will not be complete until the many rules that can be made by its data protection authority (the PDPC), and any Royal Decrees granting exemptions, are developed. The main significance of the Thai law is that it is the first explicitly ‘GDPR-based’ law to yet be enacted in Asia, ahead of the GDPR-informed draft Bills in India and Indonesia, While not all of the innovations of the EU GDPR’s data protection principles are included in the PDPA, a substantial set are included. Following the Thai 2019 elections, the EU is again willing to re-commence negotiations on a free trade agreement (FTA) with Thailand and is its third-largest trading partner. For businesses operating in Thailand, this Act imposes serious obligations, but to assess their full extent they will need to obtain much further information which is not yet available. For data subjects the PDPA creates serious rights and remedies not previously available, and the Act overall is a major step forward. From the perspective of Civil Society, the complex administrative and enforcement structure of the Act raises difficulties in determining who could be held responsible for effective enforcement. The potential scope of exemptions are also of great concern. The enforcement mechanisms in the Act are all much stronger than in the previous Bill. Rights of appeal against administrative fines and other decisions of the PDPC or its expert Committees, and in criminal prosecutions, might benefit from some further clarity. All of these matters are examined in detail in this article.

Forgetful AI: AI and the Right to Erasure under the GDPR

Artificial Intelligence and, specifically, Machine Learning, depends on data for its development and continuous evolution. Frequently, the information used to train Machine Learning algorithms is personal data and, thereby, subject to the rules contained within the GDPR. If the necessary requirements are fulfilled, Article 17 of the GDPR grants to the data subject the right to request from the controller the erasure of personal data concerning him/her. In this paper we will study the impact of the right to erasure under the GDPR in the development of Artificial Intelligence in the European Union. We will assess whether datasets, mathematical models and the results of applying such models to new data need to be erased, pursuant to a valid request from the data subject. We will also analyse the challenges created by this erasure, how they can be minimized and the most adequate legal interpretations to ensure seamless AI development that is also compatible with the principles of privacy and data protection currently in force within the European Union. Keywords: Artificial Intelligence, GDPR, Right to Erasure

Data Protection, Scientific Research, and the Role of Information

This paper aims to critically assess the information duties set out in the General Data Protection Regulation (GDPR) and national adaptations when the purpose of processing is research. Due to the peculiarities of the legal regime applicable to the context information about the processing plays a crucial role for data subjects. However, the analysis points out that the information obligations, or mandated disclosures, introduced in the GDPR are not entirely satisfying and present some flaws. In addition, the GDPR information duties risk suffering from the same shortcomings usually addressed in the literature about mandated disclosures. The paper argues that the principle of transparency, developed as a “user-centric” concept, can support the adoption of solutions that embed behavioural insights to support the rationale of the information provision better. This article is structured as follows. A preliminary issue to untangle is the definition of scientific research under the GDPR: what kinds of activities fall under this notion? What are the differences from neighbouring concepts, such as statistical purposes? (Section 2). Once the boundaries of the concept of are clarified the applicable legal regime will be reconstructed. As will be shown in Section 3 the GDPR establishes a framework particularly favourable for purposes. Such processing can benefit from some exceptions to data protection principles and derogations to data subjects' rights. However, this special regime comes with a set of obligations. Data controllers, in particular, have to set up appropriate measures and safeguards to protect the rights and freedoms of individuals. How these safeguards look is not an entirely clear matter in either the GDPR or national adaptations. Section 4 will complete the analysis of the legal regime by investigating the lawful basis that can legitimise processing for purposes. As the analysis will show, on the one hand data subjects’ consent is not always necessary for processing. On the other hand, can open the door to secondary uses and indefinite retention of personal data originally collected for other purposes. Therefore, information duties established at Articles 13 and 14 GDPR remain a fundamental tool for data subjects to exert some form of control over their data. However, mandated disclosures are a policy instrument that has been highly criticised in the literature. In particular, they are unable to preserve the autonomy of the data subject for several reasons: people are decision-averse, data subjects suffer from a certain degree of illiteracy and innumeracy, readers are unable to cope with the overload and accumulation problem, and cognitive biases and heuristics interfere - often in unpredictable ways – in the decision-making process of individuals. In Section 5 such criticisms will be addressed and contextualised within the framework of the GDPR. In particular, identification of potential shortcomings will be used to pave the way for possible interventions to effectively and dynamically inform data subjects. Such solutions, coupled with the controller’s accountability duties, can help shape the abstract principle of transparency in practice and promote the data subject’s informationelle Selbstbestimmung.

Best Practice of the Court of the EU in Ensuring the Principles of the Personal Data Protection

Research of the decisions of the European Court of Justice and of the European Court of Human Right is crucial in the process of approximation of Ukrainian legislation to the EU Law. This article subjects to analysis certain decisions of the Court of Justice of the EU in the area of Personal Data Protection, in particular, the main principles of protection. Court of Justice of the EU forms its decisions on Personal Data Protection in the format of conclusions, provided by the Court in response to the pre-judicial requests from national courts in relation to enquiries from citizens on legality of processing of their personal data, on terms of response to such enquiries, on terms of access by citizens to information which is considered Personal Data, on ensuring security of keeping Personal Data, on restrictions in collecting data, on the provisions in the national law on independence of bodies responsible for collecting and storing personal data. These conclusions of the Court of Justice of the EU aim to prevent violations of the protection of personal data or of its security, which could lead to accidental or illegal destruction, loss, change, unauthorised access to data. It should be noted that the term Personal Data covers not only the private sphere of citizens but also their professional or civic activity. Key words: personal data; EU; Court of Justice of the EU; EU principles of Personal Data Protection.

Data protection in biobanks from a practical point of view: what must be taken into account during set-up and operation?

Abstract The European General Data Protection Regulation (GDPR) incorporates many of the principles of data protection that were already in force in the past. Insofar the data protection requirements for German biobanks have not fundamentally changed since the GDPR became applicable in May 2018. In detail, however, new and relevant requirements have been added. Due to many derogation clauses that allow national deviations, federal and state laws must also be taken into account in Germany, depending on the legal form of the biobank or the supporting institution, which increases the complexity in individual cases. Research-oriented biobanks can still rely on informed, voluntary and explicit consent from patients or test persons. Other legal bases are also possible in certain cases. The information and transparency requirements have increased with the DSGVO, which has led to higher administrative costs. However, a major problem existed before and continues to exist in clarifying how biobanks deal with the right to know and the right not to know of their subjects, how this is explained in advance and which policy can be implemented in the long term, also in the context of targeted recruitment for later studies. The complexity of the regulatory framework and the resulting demands on biobanks make the development and implementation of standards unavoidable. In addition, it is recommended that such infrastructures be centralised, professionalised and equipped with the necessary resources.

Correlation between the principles of publicity of Constitutional Court decisions and personal data protection (case study of Georgian Constitutional Court)

Presented paper concerns to the issue of proper perception of the state in establishing the distinction between personal data protection and principles of publicity. The idea that the information protected by public institutions is a public good is nowadays reinforced by domestic and international legal documents. The aim of the research is to study abovementioned issue in regard with the practice of Georgian Constitutional Court and based on the results, to define the main problems identifying the main line between personal data and principles of publicity. According to case study, it’s clear that individuals are not aware how they can protect their personal data. Data processing organizations themselves violate the requirements of Georgian Law on Personal Data Protection. Current judicial practice makes it possible to believe that violations of abovementioned rights will not only decrease, but will define the proper line between personal data protection and Publicity principles concerning court decisions.

Règlement général sur la protection des données pour MASK-air® (application mobile rhinite et asthme)

The General Data Protection Regulation (GDPR) regulates the processing of personal data in the European Union. The legal context is adapted to follow the evolution of technologies and of society. This new European regulation became mandatory, especially for connected devices, on May 25, 2018. An app originally known as "The Allergy Diary" is available for Android phones and iPhones. Its name was recently changed to MASK-air. The downloading and use of this app are free of charge and there are no adverts. It enables users to record their symptoms and their medications to better track the progress of their allergic rhinitis and/or asthma. It has been developed by public (Foundation FMC VIA-LR, University of Montpellier) and private (KYomed INNOV) organizations based in France and therefore falls under French jurisdiction. This article summarizes the five main principles of personal data protection to be respected during the development of the app: purpose, proportionality and relevance, limited retention period, security and confidentiality, as well as the rights of the people who are involved in the management of the personal data (including withdrawal and modification).