Entries submitted (as at 1 May 2017)

B1: Procedures Manual: Dispute Resolution and Investigations (New Zealand)
B2: A comprehensive guidebook entitled “Personal Data (Privacy) Law in Hong Kong – a Practical Guide on Compliance” (Hong Kong)
B3: Sensitisation activities to promote awareness on the legal provisions of the Data Protection Act (Mauritius)
B4: Digital tool for citizens to report nuisance calls and messages (UK)
B5: System of Access, Rectification, Cancellation and Opposition of Personal Data of the State of Mexico (SARCOEM) (Infoem, Mexico)
B6: First ever data privacy summit in the Philippines (Philippines)
B7: Complex investigation into the unlawful acquisition and use of personal data (UK)
B8: Data Protection self-assessment for SMEs (UK)
B9: ILITA’s enforcement actions against data traders (Israel)
B10: Crossing the Line: The Indiscriminate Disclosure of Attempted Suicide Information to U.S. Border Officials via CPIC (OIPC Ontario, Canada)
B11: The First Philippine Data Protection Officers’ Assembly – DPO1 (Philippines)
B12: Data Protection by Design Award (Catalonia, Spain)
B13: The joint investigation of the Ashley Madison Breach (Australia, Canada and USA)
B14: Necessity Toolkit (EDPS, European Union)
B15: Access Rights and Responsibilities Guide (Ireland)
B16: First private sector audit (British Columbia, Canada)

B1: Procedures Manual: Dispute Resolution and Investigations (New Zealand)

Entry by: Office of the Privacy Commissioner, New Zealand

Procedures Manual: Dispute Resolution and Investigations
In November 2016 the Office of the Privacy Commissioner adopted an internal Procedures Manual to guide staff work in dispute resolution and investigations. The objective is to help to:

  • ensure that our work is lawful
  • provide certainty and consistency in our administrative processes
  • preserve institutional memory by recording the knowledge and experience accumulated over two decades
  • reinforce and support investigations staff in exercising statutory discretion

Why does the initiative deserve to be recognised by an award?*
The Procedures Manual represents a successful initiative to consolidate and document good practice while retaining flexibility. It has been produced in a form that is easy to use by staff and embeds reforms made in the administrative handling of cases.

* Non-competition entry: New Zealand has exempted itself from the competition as the ICDPPC Chair, who is judging the competition, is also the New Zealand Commissioner. This entry is for illustrative purposes only.

Complete entry available here.

B2: A comprehensive guidebook entitled “Personal Data (Privacy) Law in Hong Kong – a Practical Guide on Compliance” (Hong Kong)

Entry by: Privacy Commissioner for Personal Data, Hong Kong

A comprehensive guidebook entitled “Personal Data (Privacy) Law in Hong Kong – a Practical Guide on Compliance”
The book is written with a view to explaining the conceptual, legal and practical frameworks of personal data privacy protection in Hong Kong, in the hope that readers, whether professionals or otherwise, will find it user-friendly to delve into the statutory provisions most relevant to their needs or interests in the topics.

Why does the initiative deserve to be recognised by an award?
This publication serves the dual aim of providing a comprehensive compliance guide and source of reference materials for practitioners on the one hand, and discharging the PCPD’s duty to promote awareness and understanding of the Personal Data (Privacy) Ordinance on the other.

Coming straight from the PCPD, this publication is official, all-inclusive, practical and the first of its kind in the region. While the print copy of this book sits proudly on the bookshelves of many practitioners and academics, its e-version is now available on the PCPD’s website free of charge, with hyperlinks added to allow readers to jump swiftly to relevant materials. Making the book easily accessible to the public helps to enhance awareness and knowledge of data protection in the community generally, which also indirectly contributed to the decrease in the number of enquiries (a drop of 12%) and complaints (a drop of 7%) received by the PCPD in 2016 as compared with the figures for 2015.

Internally, the book is shared on the intranet of the PCPD and will be updated from time to time. It has become a useful tool for officers of the enquiries and complaints teams in ensuring consistency and quality in performing their duties.

Complete entry available here.

B3: Sensitisation activities to promote awareness on the legal provisions of the Data Protection Act (Mauritius)

Entry by: Data Protection Office, Mauritius

The Data Protection Office engaged in continuous sensitisation activities to promote awareness of the legal provisions of the Data Protection Act and the application of data protection principles in real-life scenarios. The office adopted a customer-centric approach by moving towards people. In its mission to remedy the infringements occurring through the mishandling of personal information of our citizens, this office conducted enquiries and investigations with a view to establishing whether or not a breach had taken place under the Data Protection Act.

Why does the initiative deserve to be recognised by an award?
This office provided fourteen (14) presentations / sensitisations / trainings on privacy and data protection to data controllers. A “Data Controllers’ Sensitisation Workshop” was also organised, where topics including Cloud Computing, Privacy Impact Assessment, Smart Device Apps, Biometric Data, Data Sharing and Security of Personal Data were presented. In addition, two Data Protection Officers participated in a radio programme aimed at informing, educating and sensitising listeners and the public in general about their rights and responsibilities.

During the year 2016, the Data Protection Office received a total of eighteen (18) new complaints for investigations. The DPC provided sixteen (16) decisions in 2016. Following an appeal against a decision of the Data Protection Commissioner, the Information and Communication Technologies Appeal Tribunal upheld the decisions delivered by the Data Protection Commissioner.

The sensitisation activities, complaint investigations and decisions of the Data Protection Office contribute to protecting the privacy rights of our citizens and are seen as an effective deterrent against the recurrence of such breaches, and as such deserve to be recognised.

Complete entry available here.

B4: Digital tool for citizens to report nuisance calls and messages (UK)


Entry by: Information Commissioner’s Office, UK

For citizens to report nuisance calls and messages to the UK Information Commissioner’s Office (ICO), so that we can take action against those responsible.

Why does the initiative deserve to be recognised by an award?
The service is the key source of intelligence to identify and take action against those responsible for nuisance calls and messages in contravention of the Privacy and Electronic Communications Regulations. Its ease of use has led to high numbers of reports; the service allows us to easily manage this volume and use the intelligence without having to deal with each report as an individual case – helping us meet our strategic aims.

The results in numbers:

  • 40,000 reports received in the first 10 weeks;
  • 80% increase in the number of reports received – from an average of 2,300 to 4,150 a week;
  • 92% completion rate;
  • over £2.5m issued in fines since the start of 2016 (using information from the tool and its predecessor).

Comments from users:

  • “We now have somewhere to go to report these unwanted calls in the hope that action will be taken against them. Website is easy and clear to use.”
  • “It’s nicely streamlined, straightforward and without bogging the user down with too much information – important when users may be wanting to make a complaint whilst being a bit flustered due to having been annoyed by unsolicited sales calls.”
  • “New nuisance call complaint form is a great improvement.”

Complete entry available here.

B5: System of Access, Rectification, Cancellation and Opposition of Personal Data of the State of Mexico (SARCOEM) (Infoem, Mexico)

Entry by: Transparency, Public Information Access and Personal Data Protection Institute of Estado de México and municipalities, Infoem, Mexico

Sarcoem is a computer system that allows ARCO rights to be exercised online before the authorities of the State of Mexico and its municipalities, an appeal (review) to be filed, compliance to be verified, and the profiles of the various users to be managed.

Why does the initiative deserve to be recognised by an award?
Sarcoem is an innovative system; there is no reference to a similar system in the public sector at the global level.

It is an Infoem development, with a level of security measures adequate for managing ARCO requests, and it also has a Secure Sockets Layer (SSL) certificate.

Sarcoem is an example of efficiency, effectiveness and economy, considering that Infoem has a limited budget for the fulfilment of its obligations compared to other authorities (the general budget of the Institution was about 5,000,000 euros last year, at the conversion rate of 3 April 2017), a part of which is used for the administration and maintenance of proprietary systems through a Directorate specialised in information technologies.

It is a simple, free and easily accessible system for citizens, available 24 hours a day, 365 days a year. It is a system with a philosophy of continuous improvement, as its operation is constantly evaluated in order to increase security and efficiency measures. It is focused on an important target population, since the State of Mexico alone had a population of 16,187,608 in 2015 (the last official census).

The system has global users: it makes it possible to exercise ARCO rights before the authorities of the State of Mexico and its municipalities from anywhere in the world.

Complete entry available here.

B6: First ever data privacy summit in the Philippines (Philippines)


Entry by: National Privacy Commission, Philippines

Privacy.Gov.PH — Government at the Forefront of Protecting the Filipino in the Digital World is the Philippines’ first data privacy summit, held on 5-6 December 2016 at Novotel Manila. With over 250 attendees from government agencies and civil groups, it provided a venue for state institutions to familiarise themselves with the fundamentals of data privacy, the Data Privacy Act, and its IRR.

Why does the initiative deserve to be recognised by an award?
The privacy summit is the first event organised by the National Privacy Commission, aside from being the first of its kind in the Philippines. It came at a very crucial time, with the country still reeling from the effects of the “Comeleak” and looking for long-term solutions to data privacy and protection concerns. Although short on time and resources, the task force behind the massive two-day event was able to create educational materials and prepare seminars and workshops on compliance and accountability, fuelled by a desire to fulfil the Commission’s mandate and achieve as much as it could within its first year of operations, as the Commission had only begun formal operations in March 2016.

The event also received positive feedback from the attendees, who rated it with an average grade of 4.5 out of 5 stars. Among the event’s strong points were its information and educational materials and its explanations of data privacy concepts. Participants commended the event’s relevance and its ability to present complicated topics in an easily understandable manner, especially given the Commission’s status as a start-up agency.

Complete entry available here.

B7: Complex investigation into the unlawful acquisition and use of personal data (UK)

Entry by: Information Commissioner’s Office, UK

A complex investigation into the unlawful acquisition and use of personal data by 24 major UK charitable organisations. The investigation uncovered widespread unlawful use of donor and supporter personal data, with charities sharing it with commercial third parties in order to undertake detailed investigations into donor income and finances. The charities used the personal data provided by supporters to uncover additional personal data and used it to target donors.

Why does the initiative deserve to be recognised by an award?
This work was relevant to every citizen in the UK. Our objective – to stop the unlawful practices – required a careful and considered combination of education and action.

We overcame our key challenge of educating an entire sector about the law despite significant external challenges. That meant facing hostile audiences at conferences, engaging in difficult conversations with some of the biggest charities in the country and working closely with other regulators to present a unified front. All of this while pursuing our investigative lines of enquiry.

We did not forget donors and supporters in our work. We created webpages to explain what some charities were doing and why we were taking action. And we took the unprecedented step of reducing fines as an acknowledgment of the impact on donors.

There are signs of success. Many of the charities we fined have accepted wrong-doing in public statements and all of those we investigated have stopped the unlawful practices. Media coverage, blogs and comment pieces in mainstream and specialist press, indicate that our actions were necessary and proportionate and have made a difference.

We will continue to monitor the sector and are drafting a report to the Parliamentary select committee on our findings and next steps.

Complete entry available here.

B8: Data Protection self-assessment for SMEs (UK)


Entry by: Information Commissioner’s Office, UK

Data Protection self-assessment for SMEs
For organisations, particularly small and medium sized enterprises, to quickly and easily assess their compliance with the Data Protection Act in a range of areas, and get targeted guidance on what they can do to improve.

We are currently working on improvements to the tool, expected to go live in May 2017. We would like them to be included as part of this entry and we have detailed them below.

Why does the initiative deserve to be recognised by an award?
We undertake regular testing with users on our website. We’d heard that many organisations struggled to know where to start. This tool helps organisations by highlighting key areas, and giving advice based on the organisation’s particular needs.

As part of the ICO’s digital and IT strategy we aim to be digital by default, and more self-sufficient when building and maintaining our digital services. The tool provides a service that would usually require input from ICO staff via our helpline, email or post. We have built the technology with common, re-usable components within our open source content management system so that we are able to create new checklists without reliance on third-party developers.

The tool receives an average 9,000 visits each month.

Comments from users:

  • “The toolkit allows us to review and identify any data protection gaps and confirm that the processes we have are sound. Our core business is providing a service to patients and part of this is safely handling their data.” – Orthodontic practitioner
  • “The tool was very simple to use and provided a wealth of information. This is a great tool for a beginner or an experienced information practitioner. The toolkit has highlighted weak spots with our information security that we will now work on.” – Consultancy service provider
  • “I recommend any and all companies to use this tool.” – Marketing company group manager

Complete entry available here.

B9: ILITA’s enforcement actions against data traders (Israel)

Entry by: ILITA, the Israeli Law, Information and Technology Authority, Israel

ILITA’s enforcement actions against data traders
In 2005 the Israeli population registry was stolen. ILITA conducted a criminal investigation that ended with 5 people convicted, two of whom were sentenced to jail. In order to prevent further use of the data, in a complex forensic investigation which took place in 2016, ILITA found data traders that had obtained the illegally acquired information, and terminated their activities. ILITA identified the clients who had bought the data, gave them instructions and fined the “disobedient” clients.

Why does the initiative deserve to be recognised by an award?
This case presents how ILITA handled the different parts of the “data chain” that were all using data which had been illegally obtained. ILITA adapted its enforcement tools to the parts of the chain as follows:

In the year 2005 the Israeli population registry was stolen. ILITA conducted a complex criminal investigation, and thanks to its findings, 5 people were convicted, two of whom were sentenced to jail. Jailing the data abusers involved did not prevent use of the information by other parties that had been exposed to it. In a complex forensic investigation which took place in 2016, ILITA found data traders that had obtained the illegally acquired information, and terminated their activities by deleting them from the database register. ILITA “followed the data”, identified the clients who had bought it, gave them instructions and issued fines to the “disobedient” clients.

Action against all the components of the data chain, which included administrative supervision, inquiries, instructions, reviews (of some of the customers), shutting down illegal activities and even criminal proceedings, is an excellent example of a policy that involves the integration of various regulatory tools and the power that exists in the synergy of our activity, to tackle severe privacy violations.

Complete entry available here.

B10: Crossing the Line: The Indiscriminate Disclosure of Attempted Suicide Information to U.S. Border Officials via CPIC (OIPC Ontario, Canada)


Entry by: Office of the Information and Privacy Commissioner of Ontario, Canada (OIPC)

Crossing the Line: The Indiscriminate Disclosure of Attempted Suicide Information to U.S. Border Officials via CPIC
An OIPC investigation revealed that Ontario police services were disclosing information about suicide attempts to U.S. agencies under an international data-sharing agreement. Subsequent court action and settlement discussions led to privacy-protective changes to national computer systems (Canadian Police Information Centre (CPIC)), the removal of a majority of such Toronto police generated information from CPIC, the suppression of all but a few such entries from U.S. access and fairer CPIC entry and removal procedures.

Why does the initiative deserve to be recognised by an award?
A police practice of routinely disclosing attempted suicide information to national police computer systems had led to people being denied entry to the U.S., with attendant financial, emotional and human rights-related costs.

The compliance and enforcement activities of the OIPC and the related dispute resolution efforts of the OIPC and the Toronto Police Service (TPS) have helped to ensure that the disclosure of this sensitive information will be carefully controlled, while allowing police to share limited information for the purpose of assisting officers in Canada to respond appropriately to subsequent mental health-related encounters.

This was made possible by the compliance, enforcement, and dispute resolution efforts of the OIPC, which brought greater clarity and discipline to police disclosure practices. By seeking input from police, privacy, mental health and human rights stakeholders and working collaboratively with the TPS, the OIPC was able to help develop privacy controls beyond those that could have been achieved by litigation alone. Other police services now have the benefit of a comprehensive model that allows them to readily incorporate the new safeguards into their own suicide-related CPIC disclosure procedures. This initiative has also demonstrated what can be achieved when privacy and public safety leaders work together in the public interest.

Complete entry available here.

B11: The First Philippine Data Protection Officers’ Assembly – DPO1 (Philippines)

Entry by: National Privacy Commission, Philippines

DPO1: The First Philippine Data Protection Officers’ Assembly
Serving as an initiative on compliance and enforcement as well as on education and advocacy, the National Privacy Commission (NPC) organised DPO1: The First Philippine Data Protection Officers’ Assembly for government on April 5, 2017. In just over a year following its establishment, the NPC was able to convene representatives from 295 government agencies through DPO1 and secure their compliance in designating data protection officers (DPOs). The NPC also launched its official website during the event.

Why does the initiative deserve to be recognised by an award?
Through DPO1, the NPC has activated government DPOs as counterpart privacy watchdogs within their respective agencies. The event equipped them, enabling a quick mastery of their new responsibilities: to champion data privacy and make it an organisational priority. DPO1 also facilitated the creation of a DPO community, armed with the means to raise awareness and elevate public discourse on data privacy.

With a high satisfaction rating (4.5 of 5) among participants, leaders from several sectors have already signified their interest in collaborating with the NPC to replicate DPO1. They include the following sectors: banking and finance, business process outsourcing, health, and education.

Complete entry available here.

B12: Data Protection by Design Award (Catalonia, Spain)

Entry by: Catalan Data Protection Authority (APDCAT)

Data Protection by Design Award
APDCAT has launched a competition to find an app or technological solution developed anywhere that best showcases “applications or systems that improve the implementation of security measures, facilitate compliance with legal obligations in the field of data protection, strengthen people’s control over their own information and, in general, make the management of privacy easier.”

Why does the initiative deserve to be recognised by an award?
PIONEER. In 2012, rapid technological developments and globalisation led APDCAT to launch this Award, with the purpose of encouraging producers of products and applications that are based on the processing of personal data to take the right to data protection into account when developing and designing such products, services and applications. The importance of privacy by design has since been reflected in Regulation (EU) 2016/679; the competition’s title, Data Protection by Design, consciously reflects the language of Art. 25 of that Regulation. The first edition was held in 2013.

PREVENTIVE. The purpose of the Award is to promote a preventive, not reactive, approach to privacy. Seeking solutions to problems after they have already occurred is more costly to individuals and development companies in both economic and reputational terms.

RAISE AWARENESS. Incorporating privacy by design makes companies more competitive, shows their commitment to protecting the privacy of individuals, and enhances their image, gaining them a sustainable competitive advantage. The Award aims to make these companies aware of the need to respect an essential principle: privacy.

DISSEMINATION OF THE PRIVACY CULTURE. The Award gives public recognition: although there is only one winner, all applicants are listed publicly at the award ceremony at the Catalan Parliament in June. Consequently, all applicants receive valuable publicity as a result of entering this competition, providing a substantial incentive.

Complete entry available here.

B13: The joint investigation of the Ashley Madison Breach (Australia, Canada and USA)


Entry by: Office of the Australian Information Commissioner / Office of the Privacy Commissioner of Canada / U.S. Federal Trade Commission

The joint investigation of the Ashley Madison Breach
This is a joint submission by the U.S. Federal Trade Commission, the Office of the Privacy Commissioner of Canada, and the Office of the Australian Information Commissioner on their cooperative investigation and enforcement actions in this case.

Why does the initiative deserve to be recognised by an award?
In the digital age, privacy issues can impact millions of people around the world. This is an example of regulators working together across borders to ensure that the privacy rights of individuals are respected no matter where they live. The investigation shows that cross-border cooperation and enforcement is the future for privacy regulation in the global consumer age. This cooperative approach provides an excellent model for enforcement of consumer privacy rights.

Complete entry available here.

B14: Necessity Toolkit (EDPS, European Union)

Entry by: European Data Protection Supervisor

Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A Toolkit (Necessity Toolkit)
The toolkit aims to help the EU legislators to better assess the necessity of new legislative measures which limit the right to data protection and other fundamental rights, such as the right to privacy. It provides a practical step-by-step checklist, exemplifying the criteria for applying the necessity principle.

Why does the initiative deserve to be recognised by an award?
The initiative is the first of its kind in providing help to the EU legislators when they check the compliance of new legislative measures.

The toolkit details, in practice and step by step, the application by the EU legislators of the necessity principle, which should be respected when new laws involve the processing of personal data. Moreover, it sheds light on other complex neighbouring notions, such as the appropriateness and proportionality of a measure, and helps to distinguish them. It is therefore at the same time a compliance tool and an education tool.

The toolkit facilitates informed policy-making across the various sectors, ranging from digital trade to public security.

It is also generic, in that it could be used by national legislators in the EU and beyond, to the extent that the principle of necessity is enshrined in many national legal orders. The toolkit could also be used by data protection authorities when they advise the legislator on new policy measures limiting the right to the protection of personal data.

Complete entry available here.

B15: Access Rights and Responsibilities Guide (Ireland)

Entry by: Data Protection Commissioner, Ireland

Access Requests account for the greatest number of complaints to the Irish DPC every year, accounting for 56% of all complaints received. We decided that a renewed awareness raising campaign was needed, so that access rights and responsibilities would be highlighted in advance of GDPR. The PDF guide that we published, along with the infographic ‘check list’ for individuals and organisations has been praised for its clear use of language, and its comprehensible format.

Why does the initiative deserve to be recognised by an award?
We think this work deserves recognition as it was conceived in response to the needs of our stakeholder body, and represents a successful shift in format towards the kind of clarity that individuals and organisations have been seeking. We are prioritising plain, clear language and an easily digestible format. Our belief is that the more comprehensible the guidance, the greater the levels of compliance. We have really put a lot of effort into developing a style and format that meets the needs of our stakeholders, and we plan to take this forward into the future.

Complete entry available here.

B16: First private sector audit (British Columbia, Canada)

Entry by: Office of the Information and Privacy Commissioner for British Columbia, Canada

This initiative was the first private sector audit undertaken by the Office of the Information and Privacy Commissioner (OIPC). It followed a complaint to our Office about a medical clinic in the Lower Mainland. Beginning in June 2016, auditors examined the organization’s privacy management program and its use of video and audio surveillance. The key finding was that the clinic is not authorized to collect personal information through its video and audio surveillance system.

Why does the initiative deserve to be recognised by an award?
The subject of the audit – surveillance – is timely and important. An award would underscore its relevance. Video surveillance affects how we behave when we believe we’re being watched. It inhibits our freedom of expression, association, and privacy – all essential to democracy.

This was the first audit of a private sector business that our Office has undertaken in our Audit & Compliance Program.

Conducted at a private medical clinic in BC that had installed several video and audio recorders, its goal was to determine the business’ compliance with legislative requirements relating to collection, use, disclosure, disposal and overall protection of personal information.

The audit was undertaken to encourage all private businesses in B.C. to reflect on their own video surveillance practices and amend them if necessary. To assist them, the OIPC also released a guidance document entitled “Guide to Using Overt Video Surveillance.”

This report resulted in significant media coverage. We believe it and the guidance document were instructive to other private sector businesses in BC. For these reasons, we believe that this initiative deserves to be recognized by one of your awards.

Complete entry available here.