Entries submitted (as on 21.04.2017)

C1: Online privacy education modules (New Zealand)
C2: ARCADES Project – Introducing dAta pRoteCtion AnD privacy issuEs at schoolS in the European Union (Poland)
C3: “Your data –your concern”. Effective protection of personal data. Educational activity addressed to students and teachers (Poland)
C4: “Key to the world of the net!” (Hungary)
C5: A comprehensive guidebook entitled “Personal Data (Privacy) Law in Hong Kong – a Practical Guide on Compliance” (Hong Kong)
C6: Fundamentals on Data Protection (Mauritius)
C7: Data Protection for secondary education (Mauritius)
C8: “Information and Privacy” Winter School (Albania)
C9: Supporting NGOs to disseminate privacy and personal data protection culture (Morocco)
C10: Comic book for children on privacy issues (Morocco)
C11: National Privacy Award “Koun3labal” (Morocco)
C12: First ever data privacy summit in the Philippines (Philippines)
C13: Online information and education campaign (Philippines)
C14: Data Protection self-assessment for SMEs (UK)
C15: “Data Security Draft Regulations” (Israel)
C16: Educating stakeholders about the duty to report child abuse and neglect (OIPC Ontario, Canada)
C17: Challenge “Value your personal data” (INAI, Mexico)
C18: Guidance on Personal Data Secure Erasure (INAI, Mexico)

C1: Online privacy education modules (New Zealand)


 

 

 

Entry by: Office of the Privacy Commissioner, New Zealand

Online privacy education modules which are free and accessible to anyone with a computer.

Why the initiative deserves to be recognised by an award?*
The online privacy training initiative has been an excellent resource for organisations seeking to upskill their employees on New Zealand’s Privacy Act and privacy in general. From the feedback received, it has been particularly helpful to health sector agencies because of the sensitivity of health information and having to have a high standard in personal information handling because of the consequences to patients of getting it wrong.

The online privacy training modules has enabled the Office of the Privacy Commissioner to remotely deliver high quality privacy training across the country. It is a model that can be adopted and applied in other data protection jurisdictions around the world.

* Non-competition entry: New Zealand has exempted itself from the competition as the ICDPPC Chair, who is judging the competition, is also the New Zealand Commissioner. This entry is for illustrative purposes only.

Complete entry available here.

C2: ARCADES Project – Introducing dAta pRoteCtion AnD privacy issuEs at schoolS in the European Union (Poland)

 

 

 

 

Entry by: Inspector General for Personal Data Protection (GIODO)

ARCADES Project – Introducing dAta pRoteCtion AnD privacy issuEs at schoolS in the European Union: The Project’s aim was to introduce at schools in the EU the data protection and privacy issues in order to shape informed and responsible attitudes towards data protection and privacy among school children and teens (6-19 years old). The Publication with the unified set of teaching aids including data protection principles, lessons’ scenarios and other materials was prepared.

Why the initiative deserves to be recognised by an award?
The project’s results are likely to have long – term impact as the publication The European Handbook for Teaching Privacy and Data Protection at Schools (available in four languages: Polish, English, Slovenian and Hungarian), could be transferable to other European countries. The publication could inspire teachers to undertake similar activities on their national ground as nowadays, taking into account rapid technological development, there is a great need to educate in the field of privacy and data protection from an early stage. The project’s aim was to enable teachers to benefit from the organised seminar and to upgrade their knowledge of how to introduce data protection rules in schools and how to teach about privacy.

Complete entry available here.

C3: “Your data –your concern”. Effective protection of personal data. Educational activity addressed to students and teachers (Poland)

 

 

 

 

Entry by: Inspector General for Personal Data Protection (GIODO)

 “Your data –your concern”. Effective protection of personal data. Educational activity addressed to students and teachers: The aim of the Programme is to expand the educational offer of primary, middle, high schools and the centres for teachers’ vocational training of the content related to the protection of personal data and the right to privacy. Two-day training as well as educational materials are provided for teachers, empowering them to conduct lessons devoted to data protection and privacy issues.

Why the initiative deserves to be recognised by an award?
The Programme “Your data – Your concern” engages more than 200 educational institutions each school year. We receive positive feedback from teachers which proves that this initiative is important and that the data protection knowledge is strongly needed to be presented in schools. Therefore, the Programme supplies necessary educational information to schools and equips teachers with necessary educational materials.

Additionally, the new element of the Programme, which is developed this year – Educational Board Game – links more than 40 schools which compete with themselves.

Also this 7th edition encompasses online lectures for teachers. This is a series of live online lectures entitled “Lessons with GIODO”. The first lecture was titled “Video surveillance in schools” and was broadcasted on March 9th 2017 r.

Complete entry available here.

C4: “Key to the world of the net!” (Hungary)

 

 

 

 

 

 

Entry by: National Authority for Data Protection and Freedom of Information, Hungary

Within the framework of the DPA’s children’s online rights project we have published a study promoting legally conscious internet use of children by means of fundamental rights protection measures. The study is accompanied by a DPA-initiated music video with a young Hungarian singer aiming to raise awareness among young people. All materials are also available in English.

Why the initiative deserves to be recognised by an award?
The new internet-based culture develops novel behavioural forms which need to be researched and analysed. There is a great need to educate adults dealing with teenagers as well as to raise awareness among children on the conscious and responsible way of internet usage. We truly believe that the various topics of the given study attract attention and tries to offer useful and applicable solutions for the problems and the accompanying handbook designed for children helps  them to educate themselves appropriately.  The singer preforming the music video seems to be also suitable to deliver the right messages to the youth. We have also tried to involve as many international real-life examples, cases and researches as well as best practices as we could to broaden the basis of the discussion.

We are continuing this project in 2017 now concentrating on the age group of children under 10. A similar handbook or study will be published with specific issues (e.g. online children beauty competitions, spying games etc.)

Complete entry available here.

C5: A comprehensive guidebook entitled “Personal Data (Privacy) Law in Hong Kong – a Practical Guide on Compliance” (Hong Kong)

 

 

 

 

 

 

 

Entry by: Privacy Commissioner for Personal Data, Hong Kong

A comprehensive guidebook entitled “Personal Data (Privacy) Law in Hong Kong – a Practical Guide on Compliance”
The book is written with a view to explaining the conceptual, legal and practical frameworks of personal data privacy protection in Hong Kong, in the hope that readers, whether professionals or otherwise, will find it user-friendly to delve into the most relevant statutory provisions for their need or interest in the topics.

Why the initiative deserves to be recognised by an award?
This publication serves the dual aim of providing a comprehensive compliance guide and source of reference materials for practitioners on the one hand, and discharging the PCPD’s duty to promote awareness and understanding of the Personal Data (Privacy) Ordinance on the other.

Coming straight from the PCPD, this publication is official, all-inclusive, practical and the first of its kind in the region.  While print copy of this book sits proudly on the bookshelf of many practitioners and academia, its e-version is now available on the PCPD’s website free of charge, with hyperlinks added to allow swift divert to relevant materials.  Making the book easily accessible to the public helps to enhance the awareness and knowledge of data protection in the community generally, which also indirectly contributes to the decrease in the number of enquiries (a drop of 12%) and complaints (a drop of 7%) received by the PCPD in 2016 as compared with the figures in 2015.

Internally, the book is shared on the intranet of the PCPD and will be updated from time to time.  It has become a useful tool for officers of the enquiries and complaints teams in ensuring consistency and quality in performing their duties.

Complete entry available here.

C6: Fundamentals on data protection (Mauritius)

Entry by: Data Protection Office, Mauritius

‘Fundamentals on Data Protection’ is a resource for teachers in primary schools to educate students on the fundamentals of protecting their personal information.

Why the initiative deserves to be recognised by an award?
The emergence of social networks is undeniably changing the way one communicates and how one finds and shares information. Children and youngsters, who are much exposed to social networks, require specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. These guidelines help in promoting such awareness and understanding. On top of that, following their publication, the Ministry of Education has decided to include data protection as a subject in the curriculum for a certain grade and so, they merit to be recognised.

Complete entry available here.

C7: Data Protection for secondary education (Mauritius)

Entry by: Data Protection Office, Mauritius

‘Data Protection for secondary education’ to raise awareness in the field of data protection among young people.

Why the initiative deserves to be recognised by an award?
The emergence of social networks is undeniably changing the way one communicates and how one finds and shares information. Children and youngsters, who are much exposed to social networks, require specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. These guidelines help in promoting such awareness and understanding. On top of that, following their publication, the Ministry of Education has decided to include data protection as a subject in the curriculum for a certain grade and so, they merit to be recognised.

Complete entry available here.

C8: “Information and Privacy” Winter School (Albania)

 

 

 

 

 

 

Entry by: Information and Data Protection Commissioner, Albania

The Information and Data Protection Commissioner in cooperation with Tirana University organized the first edition of “Information and Privacy” Winter School which was held by 23 – 27 January 2017. It was attended by 60 participants. During these 5 days, students were trained by the staff of the Commissioner with regard to the most important topics on the right to information and privacy protection. The “Information and Privacy” winter school was accredited by the Ministry of Education.

Why the initiative deserves to be recognised by an award?
“Information and Privacy” Winter School comes after a series of activities that the Commissioner’s Office held in different universities in Albania where students and the academic staff discussed on the situation of the right to information and the protection of personal data in Albania. Students and academics have shown interest during those open lectures about privacy protection on internet, surveillance society and their new digital rights. With this in mind, the Commissioner Mr. Dervishi and Tirana University Rector Mr. Koni, signed a cooperation agreement, focusing on developing a Winter School for students, lectured by the Commissioner’s Office staff and well known academics. The success of the school in terms of interest shown by the students during the school days as well as later was phenomenal, which prompted the Commissioner’s Office to double this initiative by proposing a summer school within this academic year.

Complete entry is available here.

C9: Supporting NGOs to disseminate privacy and personal data protection culture (Morocco)

 

 

 

Entry by: CNDP, Morocco

The Moroccan DPA has dedicated a budget of 100 000MAD to support NGOs active in the privacy field.

Why the initiative deserves to be recognised by an award?
It remains an efficient way to build an ecosystem capable of spreading privacy and personal data protection values.

The winners could serve as relays working on disseminating privacy principals within the civil society actors and the large public.

Complete entry available here.

C10: Comic book for children on privacy issues (Morocco)


 

 

 

 

 

 

Entry by: CNDP, Morocco

It is a graphic novel on every day’s life situations dealing with privacy issues.

Why the initiative deserves to be recognised by an award?
By releasing this educative graphic novel, we can reach the young generation and inculcate privacy values and principals from an early age.

Through the imaginative process that comic books involves, children have the opportunity to better understand privacy issues that they would face in their daily life and become more aware of it.

Complete entry available here.

C11: National Privacy Award “Koun3labal” (Morocco)

 

 

 

 

 

Entry by: CNDP, Morocco

National Privacy Award, called “Koun3labal” which means, “Be aware. This prize rewarded the best YouTube videos on privacy and data protection.

Why the initiative deserves to be recognised by an award?
“Koun3labal” falls under the CNDP’s digital education strategy. Indeed, this Prize has rewarded videos produced “by youth, for youth”. It is a way of encouraging peer education among young people and Moroccan Podcasters.

The award is the first of its kind in Africa and MENA region recognize privacy actors, and to enhance human rights in Morocco.

More than 20 videos participated in this competition, totalling more than 200 000 views within the Moroccan audience.

Complete entry available here.

C12: First ever data privacy summit in the Philippines (Philippines)

 

 

 

 

 

 

Entry by: National Privacy Commission, Philippines

Privacy.Gov.PH — Government at the Forefront of Protecting the Filipino in the Digital World is the Philippines’ first data privacy summit, held last December 5-6 at Novotel Manila. With over 250 attendees from government agencies and civil groups, it provided a venue for state institutions to familiarize themselves with the fundamentals of data privacy, the Data Privacy Act, and its IRR.

Why the initiative deserves to be recognised by an award?
The privacy summit is the first event organized by the National Privacy Commission, aside from being the first of its kind in the Philippines. It had come at a very crucial time, with the country still reeling from the effects of the “Comeleak” and finding long-term solutions to data privacy and protection concerns. Although short on time and resources, the task force behind the massive two-day event was able to create educational materials and prepare seminars and workshops on compliance and accountability, fueled by a desire to fulfill the Commission’s mandate and achieve as much as it can within its first year of operations, as the Commission had only begun formal operations in March of 2016.

The event also received positive feedback from the attendees, who rated the event with an average grade of 4.5 out of 5 stars. Among the event’s strong points were its information and educational materials and its explanations of data privacy concepts. Participants commended the event’s relevance and ability to present complicated topics in an easily understandable manner, especially given its status as a start-up agency.

Complete entry available here.

C13: Online information and education campaign (Philippines)

 

 

 

 

 

 

Entry by: National Privacy Commission, Philippines

The National Privacy Commission’s online information and education campaign utilizes social media to maximize its limited resources and reach as many people as possible by providing compelling content to raise awareness, elevate public discourse, and ensure that every Filipino understands their right to data privacy, and to hold accountable those who violate it. They are some of the Commission’s most potent tools in achieving its goal of building a culture of privacy in the Philippines.

Why the initiative deserves to be recognised by an award?
In a country where the concepts of data privacy and protection have yet to find solid ground in the minds of industry leaders and the general public alike — despite being victims of the largest personal data breach in a government-held database in the world — the NPC’s online information and awareness campaign attempts to introduce the need for good personal data privacy hygiene practices to the everyday Filipino. It capitalizes on the Filipino population on Facebook, a whopping 60 million users, by using references from popular culture and current events to help make privacy and personal information household terms and an everyday concern.

Through a constant stream of daily content and compelling messages, the Commission aims to concretize the concepts of data privacy and protection to the ordinary citizen, explaining how the very real dangers of ineffective or inadequate privacy practices can affect their personal and professional lives. It is also an avenue for the Commission to address inquiries and concerns. Overall, the online platforms are designed to be consistently engaging in order to demystify data privacy and really communicate the message of the Commission — that data privacy isn’t just for lawyers or IT people, it is for everyone.

Complete entry available here.

C14: Data Protection self-assessment for SMEs (UK)

 

 

 

 

 

 

Entry by: Information Commissioner’s Office, UK

Data Protection self-assessment for SMEs
For organisations, particularly small and medium sized enterprises, to quickly and easily assess their compliance with the Data Protection Act in a range of areas, and get targeted guidance on what they can do to improve.

We are currently working on improvements to the tool, expected to go live in May 2017. We would like them to be included as part of this entry and we have detailed them below.

Why the initiative deserves to be recognised by an award?
We undertake regular testing with users on our website. We’d heard that many organisations struggled to know where to start. This tool helps organisations by highlighting key areas, and giving advice based on the organisation’s particular needs.

As part of the ICO’s digital and IT strategy we aim to be digital by default, and more self sufficient when building and maintaining our digital services. The tool provides a service that would usually require input from ICO staff via our helpline, email or post. We have built the technology with common, re-usable components within our open source content management system so that we are able to create new checklists without reliance on third party developers.

The tool receives an average 9,000 visits each month.

Comments from users:

  • “The toolkit allows us to review and identify any data protection gaps and confirm that the processes we have are sound. Our core business is providing a service to patients and part of this is safely handling their data.”- Orthodontic practitioner
  • “The tool was very simple to use and provided a wealth of information. This is a great tool for a beginner or an experienced information practitioner. The toolkit has highlighted weak spots with our information security that we will now work on.”- Consultancy service provider
  • “I recommend any and all companies to use this tool.” – Marketing company group manager

Complete entry available here.

C15: “Data Security Draft Regulations” (Israel)

 

 

Entry by: ILITA The Israeli Law, Information and Technology Authority

“Data Security Draft Regulations”
During the years 2016-2017 ILITA drafted and promoted the “Data Security Draft Regulations” to determine the principals of data security that must be implemented in database management activities. The principals are compatible with international standards. ILITA was successful in convincing the Israeli Knesset to adopt the suggested mechanisms and the Knesset enacted the regulations on March 21st, 2017, that apply on public and private sector.

Following is a short description of the obligations prescribed by the regulations:

  • Mechanisms for physical and logical security
  • Developing work procedures in organizations to ensure data protection
  • Inner evaluation and classification processes to determine the sensitivity of the data processed by the organization (low, medium and high), and applying appropriate safeguards according to the level of  sensitivity.
  • Reduced duties for individuals (as opposed to organisations) that process personal information.
  • Breach notification.

Why the initiative deserves to be recognised by an award?
The regulations, which are the initiative of ILITA, which is also the body that supervises their implementation, establish organizational mechanisms and substantial requirements (technological neutrality) aimed at making data security part of the organization’s management routine.

The regulations reflect the work of balanced and adaptable regulations, which was determined after an in-depth study of legislation, standards and parallel Israeli and international guidelines, and after extensive consultation with the Israeli public, and in particular the stake holders that will be effected by the regulations.

The new regulations are exceptional due to the fact that they apply on all types of processing, subject to Israeli law, in all sectors of the economy: public and private.

The regulations were designed in a modular format, which applies obligations according to the level of risk created by the organization’s information processing activity.

The significant success of the regulations is that they are flexible, concrete and specific to a degree that gives organizations regulatory certainty and practical tools that are simple to implement. With the entry into force of the regulations in the spring of 2018, we expect a new era in which the protection of privacy will be stronger than ever.

Complete entry available here.

C16: Educating stakeholders about the duty to report child abuse and neglect (OIPC Ontario, Canada)


 

 

 

 

 

 

 

Entry by: Office of the Information and Privacy Commissioner of Ontario, Canada (OIPC)

Collaboration between Ontario Information and Privacy Commission (OIPC) and the Ontario Advocate for Children and Youth (PACY) to educate stakeholders about the duty to report child abuse and neglect
Health providers, police, teachers and social service workers sometimes refuse to provide information to child protection workers when they suspect a risk of harm to children. They often do not report this information because they mistakenly view Ontario’s privacy laws as a barrier to such disclosures. The OIPC collaborated on a resource to clarify this and other misunderstandings about privacy and to educate professionals on their duty to report this critical information under the law.

Why the initiative deserves to be recognised by an award?
This education initiative is a testament to what can be achieved when regulators work together in the public interest. Together, we were able to change perceptions around privacy and reinforce that it should never stand in the way of reporting a risk of harm to a child. The Yes, You Can. Dispelling the Myths About Sharing Information with Children’s Aid Societies booklet represents a paradigm shift in the way professionals view privacy and removes any misperceptions they have that may disrupt the flow of critical information to child protection workers. The OIPC saw a need to provide guidance and seized this educational opportunity to help professionals working with children meet their responsibilities to, arguably, the most vulnerable members of society. Our joint collaboration with the Provincial Advocate for Children and Youth effected real change in the professional and private lives of everyday Ontarians.

By raising awareness and dispelling myths about privacy, Ontario’s children’s aid societies are in a better position to get more of the important information they need to help children at risk.

Complete entry available here.

C17: Challenge “Value your personal data” (INAI, Mexico)

 

 

 

 

Entry by: INAI, Mexico

The contest entitled Challenge “Value your personal data” (Reto “Valora tus datos personales”) convened the Mexican developer’s community to create a Smartphone application able to analyze the risks of providing personal data, in order to create awareness among citizens of the importance of protecting their personal information in a didactic and tangible way.

Why the initiative deserves to be recognised by an award?
The contest organized by the INAI resulted in the development of an application that promotes the protection of personal data in a didactic way, making the data subjects aware of the value of this personal information. The INAI created an arithmetic formula that allows to model the risk of providing personal data in exchange for products or services, in an approximate and intuitive way.

The app’s purpose is to simulate the hypothetical cost that the personal data of a data subject providing his/her personal data to a data controller could have. This app weighs the value of the data in accordance with the sensitivity level of each data (personal, sensitive, the most sensitive). It also weighs the risk perception that the data subject has over the data controller through one algorithm that considers the factors mentioned above and assigns a hypothetical value based on a fixed amount (monetary) given to each factor.

Complete entry available here.

C18: Guidance on Personal Data Secure Erasure (INAI, Mexico)

 

 

 

 

 

 

 

 

Entry by: INAI, Mexico

Guidance on Personal Data Secure Erasure
The initiative consisted in the creation of a guidance directed to data controllers from the public and private sectors, on methods and techniques for suppression of information, in accordance with international standards and best practices. This document was published in digital and printed format.

Why the initiative deserves to be recognised by an award?
The Guidance on Personal Data Secure Erasure describes the main methods and techniques that should be considered to carry out the process of deleting personal data in a secure way, aligned to a Personal Data Secure Management System, which contemplates actions for secure erasure processes such as:

  • To define the scope, the objectives and policies in the processing of personal data.
  • To have an inventory of personal data in the processing systems.
  • To manage the storage media involved in the processing of personal data.
  • To establish deadlines for the preservation of personal data and storage media.
  • To have an overview of the legal and contractual responsibilities for the storage and disposal of storage media.
  • To count on reviews and audits.
  • To document those actions.

Furthermore, the guidance provides comparative tables regarding the advantages and disadvantages of the different physical and logical methods, as well as security controls depending on the storage media. Therefore, this guidance is an analysis and synthesis exercise based on standards and best practices that provides operational advantages, beyond the simple execution of secure erasure methods. With this action, the INAI promotes compliance with the obligations regarding personal data, under the best standards and reducing the cost of the application of the law, facilitating to the data controllers, easy-to-use material for the fulfillment of their obligations.

Complete entry available here.