Entries submitted (as of 21.04.2017)

B1: Procedures Manual: Dispute Resolution and Investigations (New Zealand)
B2: A comprehensive guidebook entitled “Personal Data (Privacy) Law in Hong Kong – a Practical Guide on Compliance” (Hong Kong)
B3: Sensitisation activities to promote awareness on the legal provisions of the Data Protection Act (Mauritius)
B4: Digital tool for citizens to report nuisance calls and messages (UK)
B5: System of Access, Rectification, Cancellation and Opposition of Personal Data of the State of Mexico (SARCOEM) (Infoem, Mexico)
B6: First ever data privacy summit in the Philippines (Philippines)
B7: Complex investigation into the unlawful acquisition and use of personal data (UK)
B8: Data Protection self-assessment for SMEs (UK)
B9: ILITA’s enforcement actions against data traders (Israel)
B10: Crossing the Line: The Indiscriminate Disclosure of Attempted Suicide Information to U.S. Border Officials via CPIC (OIPC Ontario, Canada)

B1: Procedures Manual: Dispute Resolution and Investigations (New Zealand)

Entry by: Office of the Privacy Commissioner, New Zealand

Procedures Manual: Dispute Resolution and Investigations
In November 2016 the Office of the Privacy Commissioner adopted an internal Procedures Manual to guide staff work in dispute resolution and investigations. The objective is to help to:

  • ensure that our work is lawful
  • provide certainty and consistency in our administrative processes
  • preserve institutional memory by recording the knowledge and experience accumulated over two decades
  • reinforce and support investigations staff in exercising statutory discretion

Why the initiative deserves to be recognised by an award?*
The Procedures Manual represents a successful initiative to consolidate and document good practice while retaining flexibility. It has been produced in a form that is easy to use by staff and embeds reforms made in the administrative handling of cases.

* Non-competition entry: New Zealand has exempted itself from the competition as the ICDPPC Chair, who is judging the competition, is also the New Zealand Commissioner. This entry is for illustrative purposes only.

Complete entry available here.

B2: A comprehensive guidebook entitled “Personal Data (Privacy) Law in Hong Kong – a Practical Guide on Compliance” (Hong Kong)

Entry by: Privacy Commissioner for Personal Data, Hong Kong

A comprehensive guidebook entitled “Personal Data (Privacy) Law in Hong Kong – a Practical Guide on Compliance”
The book is written with a view to explaining the conceptual, legal and practical frameworks of personal data privacy protection in Hong Kong, in the hope that readers, whether professionals or otherwise, will find it user-friendly to delve into the most relevant statutory provisions for their need or interest in the topics.

Why the initiative deserves to be recognised by an award?
This publication serves the dual aim of providing a comprehensive compliance guide and source of reference materials for practitioners on the one hand, and discharging the PCPD’s duty to promote awareness and understanding of the Personal Data (Privacy) Ordinance on the other.

Coming straight from the PCPD, this publication is official, all-inclusive, practical and the first of its kind in the region. While the print copy of this book sits proudly on the bookshelves of many practitioners and academics, its e-version is now available on the PCPD’s website free of charge, with hyperlinks added to allow swift navigation to relevant materials. Making the book easily accessible to the public helps to enhance the awareness and knowledge of data protection in the community generally, which also indirectly contributes to the decrease in the number of enquiries (a drop of 12%) and complaints (a drop of 7%) received by the PCPD in 2016 as compared with the figures in 2015.

Internally, the book is shared on the intranet of the PCPD and will be updated from time to time. It has become a useful tool for officers of the enquiries and complaints teams in ensuring consistency and quality in performing their duties.

Complete entry available here.

B3: Sensitisation activities to promote awareness on the legal provisions of the Data Protection Act (Mauritius)

Entry by: Data Protection Office, Mauritius

The Data Protection Office engaged in continuous sensitisation activities to promote awareness of the legal provisions of the Data Protection Act and the application of data protection principles in real-life scenarios. The office adopted a customer-centric approach by moving towards people. In its mission to remedy the infringements occurring through the mishandling of the personal information of our citizens, this office conducted enquiries and investigations with a view to establishing whether or not a breach had taken place under the Data Protection Act.

Why the initiative deserves to be recognised by an award?
This office provided fourteen (14) presentations / sensitisations / trainings on privacy and data protection to data controllers. A “Data Controllers’ Sensitisation Workshop” was also organised where topics including Cloud Computing, Privacy Impact Assessment, Smart Device Apps, Biometric Data, Data Sharing and Security of Personal Data were presented. In addition, two Data Protection Officers participated in a radio programme aimed at informing, educating and sensitising listeners and the public in general on their rights and responsibilities.

During the year 2016, the Data Protection Office received a total of eighteen (18) new complaints for investigations. The DPC provided sixteen (16) decisions in 2016. Following an appeal against a decision of the Data Protection Commissioner, the Information and Communication Technologies Appeal Tribunal upheld the decisions delivered by the Data Protection Commissioner.

The sensitisation activities, complaint investigations and decisions of the Data Protection Office contribute to protecting the privacy rights of our citizens and are seen as an effective deterrent against the recurrence of such breaches, and as such deserve to be recognised.

Complete entry available here.

B4: Digital tool for citizens to report nuisance calls and messages (UK)

Entry by: Information Commissioner’s Office, UK

For citizens to report nuisance calls and messages to the UK Information Commissioner’s Office (ICO), so that we can take action against those responsible.

Why the initiative deserves to be recognised by an award?
The service is the key source of intelligence to identify and take action against those responsible for nuisance calls and messages in contravention of the Privacy and Electronic Communications Regulations. Its ease of use has led to high numbers of reports; the service allows us to easily manage this volume and use the intelligence without having to deal with each report as an individual case – helping us meet our strategic aims.

The results in numbers:

  • 40,000 reports received in the first 10 weeks;
  • 80% increase in the number of reports received – from an average 2,300 to 4,150 a week;
  • 92% completion rate;
  • Over £2.5m issued in fines since the start of 2016 (using information from the tool and its predecessor).

Comments from users:

  • “We now have somewhere to go to report these unwanted calls in the hope that action will be taken against them. Website is easy and clear to use.”
  • “It’s nicely streamlined, straightforward and without bogging the user down with too much information – important when users may be wanting to make a complaint whilst being a bit flustered due to having been annoyed by unsolicited sales calls.”
  • “New nuisance call complaint form is a great improvement.”

Complete entry available here.

B5: System of Access, Rectification, Cancellation and Opposition of Personal Data of the State of Mexico (SARCOEM) (Infoem, Mexico)

Entry by: Transparency, Public Information Access and Personal Data Protection Institute of Estado de México and municipalities, Infoem, Mexico

Sarcoem is a computer system that allows ARCO rights to be exercised before the authorities of the State of Mexico and its municipalities over the Internet, to file an appeal (review) against a decision, to verify compliance, and to manage the profiles of its various users.

Why the initiative deserves to be recognised by an award?
Sarcoem is an innovative system; there is no reference to a similar system at the global level in the public sector.

It is an Infoem development, with security levels and measures adequate to manage ARCO requests, and it also has a Secure Sockets Layer (SSL) certificate.

Sarcoem is an example of efficiency, effectiveness and economy, considering that Infoem has a limited budget for the fulfilment of its obligations compared to other authorities (the general budget of the Institution was about 5,000,000 euros last year, at the conversion rate of April 3, 2017), a part of which is used for the administration and maintenance of proprietary systems through a Directorate specialised in information technologies.

It is a simple, free and easily accessible system for citizens, available 24 hours a day, 365 days a year. It is a system with a philosophy of continuous improvement, as its operation is constantly evaluated to increase its safety and efficiency measures. It is focused on an important target population: the State of Mexico alone had a population of 16,187,608 in 2015 (last official census).

As a system with global users, it makes possible the exercise of ARCO rights before the authorities of the State of Mexico and its municipalities from anywhere in the world.

Complete entry available here.

B6: First ever data privacy summit in the Philippines (Philippines)

Entry by: National Privacy Commission, Philippines

Privacy.Gov.PH — Government at the Forefront of Protecting the Filipino in the Digital World is the Philippines’ first data privacy summit, held last December 5-6 at Novotel Manila. With over 250 attendees from government agencies and civil groups, it provided a venue for state institutions to familiarize themselves with the fundamentals of data privacy, the Data Privacy Act, and its IRR.

Why the initiative deserves to be recognised by an award?
The privacy summit is the first event organized by the National Privacy Commission, aside from being the first of its kind in the Philippines. It came at a very crucial time, with the country still reeling from the effects of the “Comeleak” and finding long-term solutions to data privacy and protection concerns. Although short on time and resources, the task force behind the massive two-day event was able to create educational materials and prepare seminars and workshops on compliance and accountability, fueled by a desire to fulfill the Commission’s mandate and achieve as much as it could within its first year of operations, as the Commission had only begun formal operations in March of 2016.

The event also received positive feedback from the attendees, who rated the event with an average grade of 4.5 out of 5 stars. Among the event’s strong points were its information and educational materials and its explanations of data privacy concepts. Participants commended the event’s relevance and ability to present complicated topics in an easily understandable manner, especially given its status as a start-up agency.

Complete entry available here.

B7: Complex investigation into the unlawful acquisition and use of personal data (UK)

Entry by: Information Commissioner’s Office, UK

Complex investigation into the unlawful acquisition and use of personal data by 24 major UK charitable organisations. The investigation uncovered widespread unlawful use of donor and supporter personal data, with charities sharing it with commercial third parties in order to undertake detailed investigation into donor income and finances. The charities used the personal data provided by supporters to uncover additional personal data and use it to target donors.

Why the initiative deserves to be recognised by an award?
This work was relevant to every citizen in the UK. Our objective – to stop the unlawful practices – required a careful and considered combination of education and action.

We overcame our key challenge of educating an entire sector about the law despite significant external challenges. That meant facing hostile audiences at conferences, engaging in difficult conversations with some of the biggest charities in the country and working closely with other regulators to present a unified front. All of this while pursuing our investigative lines of enquiry.

We did not forget donors and supporters in our work. We created webpages to explain what some charities were doing and why we were taking action. And we took the unprecedented step to reduce fines as an acknowledgment of donor impact.

There are signs of success. Many of the charities we fined have accepted wrongdoing in public statements and all of those we investigated have stopped the unlawful practices. Media coverage, blogs and comment pieces in the mainstream and specialist press indicate that our actions were necessary and proportionate and have made a difference.

We will continue to monitor the sector and are drafting a report to the Parliamentary select committee on our findings and next steps.

Complete entry available here.

B8: Data Protection self-assessment for SMEs (UK)

Entry by: Information Commissioner’s Office, UK

Data Protection self-assessment for SMEs
For organisations, particularly small and medium sized enterprises, to quickly and easily assess their compliance with the Data Protection Act in a range of areas, and get targeted guidance on what they can do to improve.

We are currently working on improvements to the tool, expected to go live in May 2017. We would like them to be included as part of this entry and we have detailed them below.

Why the initiative deserves to be recognised by an award?
We undertake regular testing with users on our website. We’d heard that many organisations struggled to know where to start. This tool helps organisations by highlighting key areas, and giving advice based on the organisation’s particular needs.

As part of the ICO’s digital and IT strategy we aim to be digital by default, and more self-sufficient when building and maintaining our digital services. The tool provides a service that would usually require input from ICO staff via our helpline, email or post. We have built the technology with common, re-usable components within our open-source content management system so that we are able to create new checklists without reliance on third-party developers.

The tool receives an average 9,000 visits each month.

Comments from users:

  • “The toolkit allows us to review and identify any data protection gaps and confirm that the processes we have are sound. Our core business is providing a service to patients and part of this is safely handling their data.” – Orthodontic practitioner
  • “The tool was very simple to use and provided a wealth of information. This is a great tool for a beginner or an experienced information practitioner. The toolkit has highlighted weak spots with our information security that we will now work on.” – Consultancy service provider
  • “I recommend any and all companies to use this tool.” – Marketing company group manager

Complete entry available here.

B9: ILITA’s enforcement actions against data traders (Israel)

Entry by: ILITA, The Israeli Law, Information and Technology Authority, Israel

ILITA’s enforcement actions against data traders
In 2005 the Israeli population registry was stolen. ILITA conducted a criminal investigation that ended with 5 people convicted, two of whom were sentenced to jail. In order to prevent further use of the data, in a complex forensic investigation which took place in 2016, ILITA found data traders that had obtained the illegal information, and terminated their activities. ILITA identified the clients who bought the data, gave them instructions and fined “disobedient” clients.

Why the initiative deserves to be recognised by an award?
This case presents how ILITA handled different parts of the “data chain” that were all using data which was illegally obtained. ILITA adapted its enforcement tools according to the parts of the chain as follows:

In the year 2005 the Israeli population registry was stolen. ILITA conducted a complex criminal investigation, and thanks to its findings, 5 people were convicted, two of whom were sentenced to jail. Jailing the involved data abusers did not prevent the use of the information by other parties that had been exposed to it. In a complex forensic investigation, which took place in 2016, ILITA found data traders that had obtained the illegal information, and terminated their activities by deleting them from the database registrar. ILITA “followed the data”, identified the clients who bought it, gave them instructions and issued fines to “disobedient” clients.

Action against all the data chain components, which included administrative supervision, inquiries, instructions, reviews (of some of the customers), shutting down illegal activities and even criminal proceedings, is an excellent example of a policy that involves the integration of various regulatory tools and the power that exists in the synergy of our activity to tackle severe privacy violations.

Complete entry available here.

B10: Crossing the Line: The Indiscriminate Disclosure of Attempted Suicide Information to U.S. Border Officials via CPIC (OIPC Ontario, Canada)

Entry by: Office of the Information and Privacy Commissioner of Ontario, Canada (OIPC)

Crossing the Line: The Indiscriminate Disclosure of Attempted Suicide Information to U.S. Border Officials via CPIC
An OIPC investigation revealed that Ontario police services were disclosing information about suicide attempts to U.S. agencies under an international data-sharing agreement. Subsequent court action and settlement discussions led to privacy-protective changes to national computer systems (the Canadian Police Information Centre (CPIC)), the removal of a majority of such Toronto police generated information from CPIC, the suppression of all but a few such entries from U.S. access, and fairer CPIC entry and removal procedures.

Why the initiative deserves to be recognised by an award?
A police practice of routinely disclosing attempted suicide information to national police computer systems had led to people being denied entry to the U.S. with attendant financial, emotional and human rights-related costs.

The compliance and enforcement activities of the OIPC and related dispute resolution efforts of the OIPC and the TPS have helped to ensure that the disclosure of this sensitive information will be carefully controlled, while allowing police to share limited information for the purpose of assisting officers in Canada to respond appropriately to subsequent mental health related encounters.

This was made possible by the compliance, enforcement, and dispute resolution efforts of the OIPC, which brought greater clarity and discipline to police disclosure practices. By seeking input from police, privacy, mental health and human rights stakeholders and working collaboratively with the TPS, the OIPC was able to help develop privacy controls beyond those that could have been achieved by litigation alone. Other police services now have the benefit of a comprehensive model that allows them to readily incorporate the new safeguards into their own suicide-related CPIC disclosure procedures. This initiative has also demonstrated what can be achieved when privacy and public safety leaders work together in the public interest.

Complete entry available here.