Entries submitted (as on 1.05.2017)

C1: Online privacy education modules (New Zealand)
C2: ARCADES Project – Introducing dAta pRoteCtion AnD privacy issuEs at schoolS in the European Union (Poland)
C3: “Your data –your concern”. Effective protection of personal data. Educational activity addressed to students and teachers (Poland)
C4: “Key to the world of the net!” (Hungary)
C5: A comprehensive guidebook entitled “Personal Data (Privacy) Law in Hong Kong – a Practical Guide on Compliance” (Hong Kong)
C6: Fundamentals on Data Protection (Mauritius)
C7: Data Protection for secondary education (Mauritius)
C8: “Information and Privacy” Winter School (Albania)
C9: Supporting NGOs to disseminate privacy and personal data protection culture (Morocco)
C10: Comic book for children on privacy issues (Morocco)
C11: National Privacy Award “Koun3labal” (Morocco)
C12: First ever data privacy summit in the Philippines (Philippines)
C13: Online information and education campaign (Philippines)
C14: Data Protection self-assessment for SMEs (UK)
C15: “Data Security Draft Regulations” (Israel)
C16: Educating stakeholders about the duty to report child abuse and neglect (OIPC Ontario, Canada)
C17: Challenge “Value your personal data” (INAI, Mexico)
C18: Guidance on Personal Data Secure Erasure (INAI, Mexico)
C19: The First Philippine Data Protection Officers’ Assembly – DPO1 and National Privacy Commission Website (Philippines)
C20: “Privacy-Proof School 2.0” (Italy)
C21: Educational video series – Digital Footprints and Be Smart Online  (Hong Kong)
C22: PAW Educational Posters (Hong Kong)
C23: Student Ambassador for Privacy Protection Programme (Hong Kong)
C24: “Be SMART Online” Thematic Website Enhancement (Hong Kong)
C25: “The Six Data Protection Principles under the Personal Data (Privacy) Ordinance” Animation (Hong Kong)
C26: Competition for 18-25 years old students : “Trophées EDUCNUM” (France)
C27: Personal Data Competency framework for School Students – Intended to Educators (France)
C28: Tools and tips for managing personal passwords safely (France)
C29: LINC, for Laboratoire d’innovation numérique de la CNIL is the new innovation and foresight tool of the CNIL (France)
C30: Access & Privacy Rules: A Councillor’s Guide (Nova Scotia, Canada)
C31: Privacy Breach Management- Are You Ready? (Nova Scotia, Canada)
C32: “Good intentions” – images of children online (Norway)
C33: New resources aimed at improving records management in the health sector (UK)
C34: Training sessions for high school students and academics (Mali)
C35: “Your personal data worth, take care of them” (Uruguay)
C36: EU Data Protection mobile app (EDPS, European Union)
C37: IdentityTheft.gov (USA)
C38: 18 Practical Cards – ‘Guide on Privacy and safety in Internet’  (Spain)
C39: Minors, Internet and Technology – Growing and Living Together in a Digital World (Catalonia, Spain)
C40: Necessity Toolkit (EDPS, European Union)
C41: Video campaign (Ireland)
C42: Twitter account (Ireland)
C43: Access Rights and Responsibilities Guide (Ireland)
C44: First private sector audit (British Columbia, Canada)
C45: Investigation into mobile device management (British Columbia, Canada)
C46: Release of Ashley Madison case findings (Canada)

C1: Online privacy education modules (New Zealand)


 

 

 

Entry by: Office of the Privacy Commissioner, New Zealand

Online privacy education modules which are free and accessible to anyone with a computer.

Why the initiative deserves to be recognised by an award?*
The online privacy training initiative has been an excellent resource for organisations seeking to upskill their employees on New Zealand’s Privacy Act and privacy in general. From the feedback received, it has been particularly helpful to health sector agencies because of the sensitivity of health information and having to have a high standard in personal information handling because of the consequences to patients of getting it wrong.

The online privacy training modules has enabled the Office of the Privacy Commissioner to remotely deliver high quality privacy training across the country. It is a model that can be adopted and applied in other data protection jurisdictions around the world.

* Non-competition entry: New Zealand has exempted itself from the competition as the ICDPPC Chair, who is judging the competition, is also the New Zealand Commissioner. This entry is for illustrative purposes only.

Complete entry available here.

C2: ARCADES Project – Introducing dAta pRoteCtion AnD privacy issuEs at schoolS in the European Union (Poland)

 

 

 

 

Entry by: Inspector General for Personal Data Protection (GIODO)

ARCADES Project – Introducing dAta pRoteCtion AnD privacy issuEs at schoolS in the European Union: The Project’s aim was to introduce at schools in the EU the data protection and privacy issues in order to shape informed and responsible attitudes towards data protection and privacy among school children and teens (6-19 years old). The Publication with the unified set of teaching aids including data protection principles, lessons’ scenarios and other materials was prepared.

Why the initiative deserves to be recognised by an award?
The project’s results are likely to have long – term impact as the publication The European Handbook for Teaching Privacy and Data Protection at Schools (available in four languages: Polish, English, Slovenian and Hungarian), could be transferable to other European countries. The publication could inspire teachers to undertake similar activities on their national ground as nowadays, taking into account rapid technological development, there is a great need to educate in the field of privacy and data protection from an early stage. The project’s aim was to enable teachers to benefit from the organised seminar and to upgrade their knowledge of how to introduce data protection rules in schools and how to teach about privacy.

Complete entry available here.

C3: “Your data –your concern”. Effective protection of personal data. Educational activity addressed to students and teachers (Poland)

 

 

 

 

Entry by: Inspector General for Personal Data Protection (GIODO)

 “Your data –your concern”. Effective protection of personal data. Educational activity addressed to students and teachers: The aim of the Programme is to expand the educational offer of primary, middle, high schools and the centres for teachers’ vocational training of the content related to the protection of personal data and the right to privacy. Two-day training as well as educational materials are provided for teachers, empowering them to conduct lessons devoted to data protection and privacy issues.

Why the initiative deserves to be recognised by an award?
The Programme “Your data – Your concern” engages more than 200 educational institutions each school year. We receive positive feedback from teachers which proves that this initiative is important and that the data protection knowledge is strongly needed to be presented in schools. Therefore, the Programme supplies necessary educational information to schools and equips teachers with necessary educational materials.

Additionally, the new element of the Programme, which is developed this year – Educational Board Game – links more than 40 schools which compete with themselves.

Also this 7th edition encompasses online lectures for teachers. This is a series of live online lectures entitled “Lessons with GIODO”. The first lecture was titled “Video surveillance in schools” and was broadcasted on March 9th 2017 r.

Complete entry available here.

C4: “Key to the world of the net!” (Hungary)

 

 

 

 

 

 

Entry by: National Authority for Data Protection and Freedom of Information, Hungary

Within the framework of the DPA’s children’s online rights project we have published a study promoting legally conscious internet use of children by means of fundamental rights protection measures. The study is accompanied by a DPA-initiated music video with a young Hungarian singer aiming to raise awareness among young people. All materials are also available in English.

Why the initiative deserves to be recognised by an award?
The new internet-based culture develops novel behavioural forms which need to be researched and analysed. There is a great need to educate adults dealing with teenagers as well as to raise awareness among children on the conscious and responsible way of internet usage. We truly believe that the various topics of the given study attract attention and tries to offer useful and applicable solutions for the problems and the accompanying handbook designed for children helps  them to educate themselves appropriately.  The singer preforming the music video seems to be also suitable to deliver the right messages to the youth. We have also tried to involve as many international real-life examples, cases and researches as well as best practices as we could to broaden the basis of the discussion.

We are continuing this project in 2017 now concentrating on the age group of children under 10. A similar handbook or study will be published with specific issues (e.g. online children beauty competitions, spying games etc.)

Complete entry available here.

C5: A comprehensive guidebook entitled “Personal Data (Privacy) Law in Hong Kong – a Practical Guide on Compliance” (Hong Kong)

 

 

 

 

 

 

 

Entry by: Privacy Commissioner for Personal Data, Hong Kong

A comprehensive guidebook entitled “Personal Data (Privacy) Law in Hong Kong – a Practical Guide on Compliance”
The book is written with a view to explaining the conceptual, legal and practical frameworks of personal data privacy protection in Hong Kong, in the hope that readers, whether professionals or otherwise, will find it user-friendly to delve into the most relevant statutory provisions for their need or interest in the topics.

Why the initiative deserves to be recognised by an award?
This publication serves the dual aim of providing a comprehensive compliance guide and source of reference materials for practitioners on the one hand, and discharging the PCPD’s duty to promote awareness and understanding of the Personal Data (Privacy) Ordinance on the other.

Coming straight from the PCPD, this publication is official, all-inclusive, practical and the first of its kind in the region.  While print copy of this book sits proudly on the bookshelf of many practitioners and academia, its e-version is now available on the PCPD’s website free of charge, with hyperlinks added to allow swift divert to relevant materials.  Making the book easily accessible to the public helps to enhance the awareness and knowledge of data protection in the community generally, which also indirectly contributes to the decrease in the number of enquiries (a drop of 12%) and complaints (a drop of 7%) received by the PCPD in 2016 as compared with the figures in 2015.

Internally, the book is shared on the intranet of the PCPD and will be updated from time to time.  It has become a useful tool for officers of the enquiries and complaints teams in ensuring consistency and quality in performing their duties.

Complete entry available here.

C6: Fundamentals on data protection (Mauritius)

Entry by: Data Protection Office, Mauritius

‘Fundamentals on Data Protection’ is a resource for teachers in primary schools to educate students on the fundamentals of protecting their personal information.

Why the initiative deserves to be recognised by an award?
The emergence of social networks is undeniably changing the way one communicates and how one finds and shares information. Children and youngsters, who are much exposed to social networks, require specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. These guidelines help in promoting such awareness and understanding. On top of that, following their publication, the Ministry of Education has decided to include data protection as a subject in the curriculum for a certain grade and so, they merit to be recognised.

Complete entry available here.

C7: Data Protection for secondary education (Mauritius)

Entry by: Data Protection Office, Mauritius

‘Data Protection for secondary education’ to raise awareness in the field of data protection among young people.

Why the initiative deserves to be recognised by an award?
The emergence of social networks is undeniably changing the way one communicates and how one finds and shares information. Children and youngsters, who are much exposed to social networks, require specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. These guidelines help in promoting such awareness and understanding. On top of that, following their publication, the Ministry of Education has decided to include data protection as a subject in the curriculum for a certain grade and so, they merit to be recognised.

Complete entry available here.

C8: “Information and Privacy” Winter School (Albania)

 

 

 

 

 

 

Entry by: Information and Data Protection Commissioner, Albania

The Information and Data Protection Commissioner in cooperation with Tirana University organized the first edition of “Information and Privacy” Winter School which was held by 23 – 27 January 2017. It was attended by 60 participants. During these 5 days, students were trained by the staff of the Commissioner with regard to the most important topics on the right to information and privacy protection. The “Information and Privacy” winter school was accredited by the Ministry of Education.

Why the initiative deserves to be recognised by an award?
“Information and Privacy” Winter School comes after a series of activities that the Commissioner’s Office held in different universities in Albania where students and the academic staff discussed on the situation of the right to information and the protection of personal data in Albania. Students and academics have shown interest during those open lectures about privacy protection on internet, surveillance society and their new digital rights. With this in mind, the Commissioner Mr. Dervishi and Tirana University Rector Mr. Koni, signed a cooperation agreement, focusing on developing a Winter School for students, lectured by the Commissioner’s Office staff and well known academics. The success of the school in terms of interest shown by the students during the school days as well as later was phenomenal, which prompted the Commissioner’s Office to double this initiative by proposing a summer school within this academic year.

Complete entry is available here.

C9: Supporting NGOs to disseminate privacy and personal data protection culture (Morocco)

 

 

 

Entry by: CNDP, Morocco

The Moroccan DPA has dedicated a budget of 100 000MAD to support NGOs active in the privacy field.

Why the initiative deserves to be recognised by an award?
It remains an efficient way to build an ecosystem capable of spreading privacy and personal data protection values.

The winners could serve as relays working on disseminating privacy principals within the civil society actors and the large public.

Complete entry available here.

C10: Comic book for children on privacy issues (Morocco)


 

 

 

 

 

 

Entry by: CNDP, Morocco

It is a graphic novel on every day’s life situations dealing with privacy issues.

Why the initiative deserves to be recognised by an award?
By releasing this educative graphic novel, we can reach the young generation and inculcate privacy values and principals from an early age.

Through the imaginative process that comic books involves, children have the opportunity to better understand privacy issues that they would face in their daily life and become more aware of it.

Complete entry available here.

C11: National Privacy Award “Koun3labal” (Morocco)

 

 

 

 

 

Entry by: CNDP, Morocco

National Privacy Award, called “Koun3labal” which means, “Be aware. This prize rewarded the best YouTube videos on privacy and data protection.

Why the initiative deserves to be recognised by an award?
“Koun3labal” falls under the CNDP’s digital education strategy. Indeed, this Prize has rewarded videos produced “by youth, for youth”. It is a way of encouraging peer education among young people and Moroccan Podcasters.

The award is the first of its kind in Africa and MENA region recognize privacy actors, and to enhance human rights in Morocco.

More than 20 videos participated in this competition, totalling more than 200 000 views within the Moroccan audience.

Complete entry available here.

C12: First ever data privacy summit in the Philippines (Philippines)

 

 

 

 

 

 

Entry by: National Privacy Commission, Philippines

Privacy.Gov.PH — Government at the Forefront of Protecting the Filipino in the Digital World is the Philippines’ first data privacy summit, held last December 5-6 at Novotel Manila. With over 250 attendees from government agencies and civil groups, it provided a venue for state institutions to familiarize themselves with the fundamentals of data privacy, the Data Privacy Act, and its IRR.

Why the initiative deserves to be recognised by an award?
The privacy summit is the first event organized by the National Privacy Commission, aside from being the first of its kind in the Philippines. It had come at a very crucial time, with the country still reeling from the effects of the “Comeleak” and finding long-term solutions to data privacy and protection concerns. Although short on time and resources, the task force behind the massive two-day event was able to create educational materials and prepare seminars and workshops on compliance and accountability, fueled by a desire to fulfill the Commission’s mandate and achieve as much as it can within its first year of operations, as the Commission had only begun formal operations in March of 2016.

The event also received positive feedback from the attendees, who rated the event with an average grade of 4.5 out of 5 stars. Among the event’s strong points were its information and educational materials and its explanations of data privacy concepts. Participants commended the event’s relevance and ability to present complicated topics in an easily understandable manner, especially given its status as a start-up agency.

Complete entry available here.

C13: Online information and education campaign (Philippines)

 

 

 

 

 

 

Entry by: National Privacy Commission, Philippines

The National Privacy Commission’s online information and education campaign utilizes social media to maximize its limited resources and reach as many people as possible by providing compelling content to raise awareness, elevate public discourse, and ensure that every Filipino understands their right to data privacy, and to hold accountable those who violate it. They are some of the Commission’s most potent tools in achieving its goal of building a culture of privacy in the Philippines.

Why the initiative deserves to be recognised by an award?
In a country where the concepts of data privacy and protection have yet to find solid ground in the minds of industry leaders and the general public alike — despite being victims of the largest personal data breach in a government-held database in the world — the NPC’s online information and awareness campaign attempts to introduce the need for good personal data privacy hygiene practices to the everyday Filipino. It capitalizes on the Filipino population on Facebook, a whopping 60 million users, by using references from popular culture and current events to help make privacy and personal information household terms and an everyday concern.

Through a constant stream of daily content and compelling messages, the Commission aims to concretize the concepts of data privacy and protection to the ordinary citizen, explaining how the very real dangers of ineffective or inadequate privacy practices can affect their personal and professional lives. It is also an avenue for the Commission to address inquiries and concerns. Overall, the online platforms are designed to be consistently engaging in order to demystify data privacy and really communicate the message of the Commission — that data privacy isn’t just for lawyers or IT people, it is for everyone.

Complete entry available here.

C14: Data Protection self-assessment for SMEs (UK)

 

 

 

 

 

 

Entry by: Information Commissioner’s Office, UK

Data Protection self-assessment for SMEs
For organisations, particularly small and medium sized enterprises, to quickly and easily assess their compliance with the Data Protection Act in a range of areas, and get targeted guidance on what they can do to improve.

We are currently working on improvements to the tool, expected to go live in May 2017. We would like them to be included as part of this entry and we have detailed them below.

Why the initiative deserves to be recognised by an award?
We undertake regular testing with users on our website. We’d heard that many organisations struggled to know where to start. This tool helps organisations by highlighting key areas, and giving advice based on the organisation’s particular needs.

As part of the ICO’s digital and IT strategy we aim to be digital by default, and more self sufficient when building and maintaining our digital services. The tool provides a service that would usually require input from ICO staff via our helpline, email or post. We have built the technology with common, re-usable components within our open source content management system so that we are able to create new checklists without reliance on third party developers.

The tool receives an average 9,000 visits each month.

Comments from users:

  • “The toolkit allows us to review and identify any data protection gaps and confirm that the processes we have are sound. Our core business is providing a service to patients and part of this is safely handling their data.”- Orthodontic practitioner
  • “The tool was very simple to use and provided a wealth of information. This is a great tool for a beginner or an experienced information practitioner. The toolkit has highlighted weak spots with our information security that we will now work on.”- Consultancy service provider
  • “I recommend any and all companies to use this tool.” – Marketing company group manager

Complete entry available here.

C15: “Data Security Draft Regulations” (Israel)

 

 

Entry by: ILITA The Israeli Law, Information and Technology Authority

“Data Security Draft Regulations”
During the years 2016-2017 ILITA drafted and promoted the “Data Security Draft Regulations” to determine the principals of data security that must be implemented in database management activities. The principals are compatible with international standards. ILITA was successful in convincing the Israeli Knesset to adopt the suggested mechanisms and the Knesset enacted the regulations on March 21st, 2017, that apply on public and private sector.

Following is a short description of the obligations prescribed by the regulations:

  • Mechanisms for physical and logical security
  • Developing work procedures in organizations to ensure data protection
  • Inner evaluation and classification processes to determine the sensitivity of the data processed by the organization (low, medium and high), and applying appropriate safeguards according to the level of  sensitivity.
  • Reduced duties for individuals (as opposed to organisations) that process personal information.
  • Breach notification.

Why the initiative deserves to be recognised by an award?
The regulations, which are the initiative of ILITA, which is also the body that supervises their implementation, establish organizational mechanisms and substantial requirements (technological neutrality) aimed at making data security part of the organization’s management routine.

The regulations reflect the work of balanced and adaptable regulations, which was determined after an in-depth study of legislation, standards and parallel Israeli and international guidelines, and after extensive consultation with the Israeli public, and in particular the stake holders that will be effected by the regulations.

The new regulations are exceptional due to the fact that they apply on all types of processing, subject to Israeli law, in all sectors of the economy: public and private.

The regulations were designed in a modular format, which applies obligations according to the level of risk created by the organization’s information processing activity.

The significant success of the regulations is that they are flexible, concrete and specific to a degree that gives organizations regulatory certainty and practical tools that are simple to implement. With the entry into force of the regulations in the spring of 2018, we expect a new era in which the protection of privacy will be stronger than ever.

Complete entry available here.

C16: Educating stakeholders about the duty to report child abuse and neglect (OIPC Ontario, Canada)


 

 

 

 

 

 

 

Entry by: Office of the Information and Privacy Commissioner of Ontario, Canada (OIPC)

Collaboration between Ontario Information and Privacy Commission (OIPC) and the Ontario Advocate for Children and Youth (PACY) to educate stakeholders about the duty to report child abuse and neglect
Health providers, police, teachers and social service workers sometimes refuse to provide information to child protection workers when they suspect a risk of harm to children. They often do not report this information because they mistakenly view Ontario’s privacy laws as a barrier to such disclosures. The OIPC collaborated on a resource to clarify this and other misunderstandings about privacy and to educate professionals on their duty to report this critical information under the law.

Why the initiative deserves to be recognised by an award?
This education initiative is a testament to what can be achieved when regulators work together in the public interest. Together, we were able to change perceptions around privacy and reinforce that it should never stand in the way of reporting a risk of harm to a child. The Yes, You Can. Dispelling the Myths About Sharing Information with Children’s Aid Societies booklet represents a paradigm shift in the way professionals view privacy and removes any misperceptions they have that may disrupt the flow of critical information to child protection workers. The OIPC saw a need to provide guidance and seized this educational opportunity to help professionals working with children meet their responsibilities to, arguably, the most vulnerable members of society. Our joint collaboration with the Provincial Advocate for Children and Youth effected real change in the professional and private lives of everyday Ontarians.

By raising awareness and dispelling myths about privacy, Ontario’s children’s aid societies are in a better position to get more of the important information they need to help children at risk.

Complete entry available here.

C17: Challenge “Value your personal data” (INAI, Mexico)

 

 

 

 

Entry by: INAI, Mexico

The contest entitled Challenge “Value your personal data” (Reto “Valora tus datos personales”) convened the Mexican developer’s community to create a Smartphone application able to analyze the risks of providing personal data, in order to create awareness among citizens of the importance of protecting their personal information in a didactic and tangible way.

Why the initiative deserves to be recognised by an award?
The contest organized by the INAI resulted in the development of an application that promotes the protection of personal data in a didactic way, making the data subjects aware of the value of this personal information. The INAI created an arithmetic formula that allows to model the risk of providing personal data in exchange for products or services, in an approximate and intuitive way.

The app’s purpose is to simulate the hypothetical cost that the personal data of a data subject providing his/her personal data to a data controller could have. This app weighs the value of the data in accordance with the sensitivity level of each data (personal, sensitive, the most sensitive). It also weighs the risk perception that the data subject has over the data controller through one algorithm that considers the factors mentioned above and assigns a hypothetical value based on a fixed amount (monetary) given to each factor.

Complete entry available here.

C18: Guidance on Personal Data Secure Erasure (INAI, Mexico)

 

 

 

 

 

 

 

 

Entry by: INAI, Mexico

Guidance on Personal Data Secure Erasure
The initiative consisted in the creation of a guidance directed to data controllers from the public and private sectors, on methods and techniques for suppression of information, in accordance with international standards and best practices. This document was published in digital and printed format.

Why the initiative deserves to be recognised by an award?
The Guidance on Personal Data Secure Erasure describes the main methods and techniques that should be considered to carry out the process of deleting personal data in a secure way, aligned to a Personal Data Secure Management System, which contemplates actions for secure erasure processes such as:

  • To define the scope, the objectives and policies in the processing of personal data.
  • To have an inventory of personal data in the processing systems.
  • To manage the storage media involved in the processing of personal data.
  • To establish deadlines for the preservation of personal data and storage media.
  • To have an overview of the legal and contractual responsibilities for the storage and disposal of storage media.
  • To count on reviews and audits.
  • To document those actions.

Furthermore, the guidance provides comparative tables regarding the advantages and disadvantages of the different physical and logical methods, as well as security controls depending on the storage media. Therefore, this guidance is an analysis and synthesis exercise based on standards and best practices that provides operational advantages, beyond the simple execution of secure erasure methods. With this action, the INAI promotes compliance with the obligations regarding personal data, under the best standards and reducing the cost of the application of the law, facilitating to the data controllers, easy-to-use material for the fulfillment of their obligations.

Complete entry available here.

C19: The First Philippine Data Protection Officers’ Assembly – DPO1 and National Privacy Commission Website (Philippines)

 

 

 

 

 

Entry by: National Privacy Commission, Philippines

The First Philippine Data Protection Officers’ Assembly – DPO1 and National Privacy Commission Website
Serving as an initiative on compliance and enforcement as well as on education and advocacy, the National Privacy Commission (NPC) has organized DPO1: The First Philippine Data Protection Officers’ Assembly for government on April 5, 2017. In just over a year following its establishment, the NPC was able to convene representatives from 295 government agencies through DPO1 and secure their compliance to designate data protection officers (DPOs). The NPC also launched its official website during the event.

Why the initiative deserves to be recognised by an award?
Through DPO1, the NPC has activated government DPOs, as counterpart privacy watchdogs within their respective agencies. The event equipped them, enabling a quick mastery of their new responsibilities—to champion data privacy and make it an organizational priority. DPO1 also facilitated the creation of a DPO community, armed with the means to raise awareness and elevate public discourse on data privacy.

With a high satisfaction rating (4.5 of 5) among participants, leaders from several sectors already signified their interest to collaborate with the NPC in replicating the DPO1. They include the following sectors: banking and finance, business process outsourcing, health, and education.

Complete entry available here.

C20: “Privacy-Proof School 2.0” (Italy)

 

 

 

 

 

 

 

 

Entry by: Data protection Commission, Italy

“Privacy-Proof School 2.0”
In 2016 our Authority worked on a Project aiming at strengthening the campaign carried out by our DPA in 2014-2016 – addressed to young people for a safer and responsible use of social media.  With the re-opening of schools in autumn 2016 a vademecum “Privacy-Proof School 2.0” aiming at providing both students and educators  with relevant information on privacy protection principles to be applied in schools has been delivered to more than 69,000 schools.

Why the initiative deserves to be recognised by an award?
We believe that the initiative would deserve to be recognised by an award mainly because:

  • It involved multiple actors and was addressed to a very large number of people
  • It was a very low cost – high performance information campaign: it reached primary, secondary and high schools, plus families and other targeted groups
  • It can be relaunched in multiple formats and in different periods
  • It has a direct short term and long term impact on students’ life

Complete entry available here and more information here.

C21: Educational video series – Digital Footprints and Be Smart Online (Hong Kong)

 

 

 

 

 

 

 

Entry by: Privacy Commissioner for Personal Data, Hong Kong

Educational video series – Digital Footprints and Be Smart Online
Two series of educational video were launched in 2016 and 2017 respectively, aiming to explain the importance of respecting personal data privacy of others and the privacy risks associated with digital footprints, as well as providing general advice on use of information and communications technology, in a humorous and lively way by using fictional characters. The videos are also uploaded on social media platforms for reaching the wider audience.

Why the initiative deserves to be recognised by an award?
There is little doubt that the use of audio-visual materials for educational purpose is an effective means to deliver the message especially to the young.

To cultivate a culture of “Protect and Respect Personal Data”, it is of utmost importance for public educational programmes to adopt effective and impactful means to convey messages, and ensure those messages are up-to-date. PCPD has been making effort in producing and using videos for educational and publicity purposes so as to provide up-to-date advice and reminder to meet the evolving demand on educating the public on data privacy issues.

The educational videos also demonstrate a continued effort of riding on existing educational initiatives and creating synergies on both online and offline publicity programmes. The ongoing educational efforts targeting young generation are apparently strengthened by the use of educational videos providing advice on the latest usage in ICT with data privacy implications.

The educational videos are shared on PCPD website and thematic sites, facebook pages and Youtube channels. They are also included in our public seminars and are highly well received by participants.

Complete entry available here.

C22: PAW Educational Posters (Hong Kong)

 

 

 

 

 

 

 

 

Entry by: Privacy Commissioner for Personal Data, Hong Kong

PAW Educational Posters
To echo the theme of Privacy Awareness Week 2016 (“PAW 2016”), the Privacy Commissioner for Personal Data, Hong Kong (“PCPD”) specially designed four posters covering topics on children privacy, phone scam, privacy setting and sending emails to convey the messages of protecting own personal data and respecting those of the others in daily life. These downloadable posters are provided to the public as well as Asia Pacific Privacy Authorities (“APPA”) members.

Why the initiative deserves to be recognised by an award?
These bright and colourful posters are designed to convey messages about privacy in a clear and straightforward manner. The use of comic characters makes them more appealing and gives the public a stronger impression.

The posters serve as a major educational and promotional tool, as they are displayed in the educational talks to senior citizens, DPOC activities and other PCPD’s promotional and educational events. The posters allow the public to have a general picture of the privacy issues in the daily life and raise their awareness of privacy effectively.

These posters have also been widely adopted by the APPA members as a means of promotion during the PAW 2016 with much appreciation on the design and messages conveyed.

Complete entry available here.

C23: Student Ambassador for Privacy Protection Programme (Hong Kong)

 

 

 

 

 

 

Entry by: Privacy Commissioner for Personal Data, Hong Kong

Student Ambassador for Privacy Protection Programme
It is one of the annual campaigns of the Privacy Commissioner for Personal Data, Hong Kong (“PCPD”). Through organising interactive interschool competition and campus promotions such as campus TV, sharing sessions and exhibition, etc., secondary school students are encouraged to learn the importance of protecting personal data privacy and share their experience among peers.

Why the initiative deserves to be recognised by an award?
Given the constraint on resources, it would pose challenges to the PCPD in promoting personal data protection by visiting every school in Hong Kong.   After participating in this Programme, students of the partner schools are required to gather information on the protection of personal data themselves from the PCPD’s website and other resources channels, through which they can learn and understand the importance of protecting personal data, before they can help promote the vigilance to their peers. At the same time, the PCPD provides support to the partner schools by various means including organising briefing sessions. Besides, the PCPD encourages the partner schools to nominate teachers as personal data protection leaders, who are expected to provide additional support to their students.

By leveraging the efforts of teachers and students of participating schools, with the effective utilisation of educational resources available, the Programme has proven to be a great success with the number of partner schools increasing from 31 in 2011 to 125 in 2016.

Complete entry available here.

C24: “Be SMART Online” Thematic Website Enhancement (Hong Kong)

 

 

 

 

 

 

 

 

Entry by: Privacy Commissioner for Personal Data, Hong Kong

“Be SMART Online” Thematic Website Enhancement
To enhance both the content and accessibility of the “Be SMART Online” thematic website of the Privacy Commissioner for Personal Data, Hong Kong (“PCPD”), a website enhancement project was carried out in 2016/17 to incorporate more detailed information and tips for protecting online personal data privacy. The project has been completed with the launch of three new sections and a mini-site – “Think Privacy! Be Smart Online”.

Why the initiative deserves to be recognised by an award?
As a unique thematic website that promotes online personal data privacy in Hong Kong, it is essential for the “Be SMART Online” thematic website to keep providing the most up-to-date resources and useful tips to the members of the public to safeguard their own personal data. This enhancement project has included fruitful resources on the prevailing ICT-related privacy issues, and developed an interactive mini-site to guide the reviewers to look for further information.

The project, by enhancing both the content and accessibility, has generated significant increase in website traffic. The number of visits to the thematic website in the first quarter of 2017 has increased by 37.5% compared to the fourth quarter of 2016, and recorded a three-fold increase over the same period last year.

The accessibility of the thematic website has been recognised and won the Gold Award in the “Web Accessibility Recognition Scheme 2016” that was jointly organised by the Office of the Government Chief Information Officer and the Equal Opportunities Commission in Hong Kong SAR.

The website has also been specifically introduced to students, elderly and members of the public as well as representatives of organisations during talks and public outreach occasions.

Complete entry available here.

C25: “The Six Data Protection Principles under the Personal Data (Privacy) Ordinance” Animation (Hong Kong)

 

 

 

 

 

 

 

Entry by: Privacy Commissioner for Personal Data, Hong Kong

“The Six Data Protection Principles under the Personal Data (Privacy) Ordinance” Animation
It is the first animation produced by the Privacy Commissioner for Personal Data, Hong Kong (“PCPD”). It introduces the key definitions under the Ordinance, such as “personal data”, “data users” and “data subjects”, and illustrates the entire life cycle of a piece of personal data. It also elaborates the six data protection principles (“DPPs”) that data users/controllers have to comply with.

Why the initiative deserves to be recognised by an award?
Animation is a creative and effective approach to illuminate the six DPPs, as it is more eye-catching, dynamic and entertaining than reading plain text. Viewers’ attention can be drawn easily and held for a relatively longer period of time, which helps creating a stronger impact and vivid impression.

Besides, animation can reduce viewers’ time and effort in learning, as it creates a more relaxing and interactive learning atmosphere, which encourages them to assimilate the knowledge and the messages involved.

The entire life cycle of a piece of personal data and the six DPPs can be a complex and abstract topic to viewers. Under the clear guidance of the narrator in the animation, viewers can explore the subject step by step and pay close attention to the key ideas highlighted.

Through a story-based example, viewers can have a better understanding of the close relationship between personal data privacy and their daily life.

The animation is played in our workshops, seminars and talks and viewed by our target audience ranging from organisations, students, the elderly to the general public, and it plays an essential role in introducing the six DPPs.

Complete entry available here.

C26: Competition for 18-25 years old students : “Trophées EDUCNUM” (France)

 

 

 

 

 

 

 

 

Entry by: Data Protection Commission (CNIL), France

Competition for 18-25 years old students : “Trophées EDUCNUM”
Young people develop many practises on the Internet and social media but they aren’t always aware of the risks for their private life and personal data. That’s why the CNIL and the Collective of stakeholders for Digital education which is composed of more than 60 member structures organize in 2017 the third edition of a competition for students to raise awareness among young people on the proper use of the web.

Why the initiative deserves to be recognised by an award?
Such an initiative would deserve to be recognised by an award because we do think it is an excellent way to give young people such messages on good practises respectful of private life to develop on the web. Children are particularly vulnerable in the digital world. So educating them in a responsible way, teaching them how to protect their private life as in real world should be a priority of public policies, in order that they can keep their data safe on the Internet. The initiative of the CNIL is very original because it allows students to work together, in multidisciplinary teams, with the help of their teacher. This kind of competition, in this innovative format, still doesn’t exist in other countries except in France! An international award would give more publicity to this initiative and some other DPA could be inspired by this action and may develop new types of original actions, in partnership with other actors.

Complete entry available here.

C27: Personal Data Competency framework for School Students – Intended to Educators (France)

 

 

 

 

 

 

 

Entry by: Data Protection Commission (CNIL), France

Personal Data Competency framework for School Students – Intended to Educators
Because having citizens become informed and responsible actors in the digital era concerns urgently all countries without distinction, CNIL proposed to data protection authorities from the Digital Education WG to design a Competency framework for students specifically dedicated to data protection and privacy. It thus created a first and innovative common base of concrete and operational competences for dissemination and use in official study programs and training for educators, regardless of the particular discipline taught.

Why the initiative deserves to be recognised by an award?
Many events in cooperation with schools, teachers and institutional partners are being held to launch specific campaigns and consultations aiming to raise awareness of the Competency Framework on the national scene.

6 months after the international adoption of these common core documents, DPAs have generally published them on their website or got promoted via social networks, made official contacts with their national or regional minister of education or the prime minister to raise awareness in the scholarly community about the key contents of the international framework. Some DPAs have conducted a review of teaching resources available to schools to determine where the existing curriculum currently reflected the information contained in the framework. Moreover, others are reported to be in the process of developing additional lesson plans and building in material for the competency framework.

As part of its partnership agreement signed between CNIL and the Ministry of Education, the international data protection competency framework will be referenced among the tools and other updated frameworks by the French ministry so as to be included in the school curricula.

(Available in English, French, Spanish and translated in other national languages: Polish, Hungarian, Albanian…)

Complete entry available here.

C28: Tools and tips for managing personal passwords safely (France)

 

 

 

 

 

Entry by: Data Protection Commission (CNIL), France

Tools and tips for managing personal passwords safely
At a time when many services now need a password to access them, and with data security under greater threat, the French Data Protection Authority (CNIL) is adopting a recommendation on passwords to guarantee minimum security in this respect. It is also providing businesses and citizens alike with practical tools : a password generator and a poster in French and in English to promote good practices!

Why the initiative deserves to be recognised by an award?
Using a strong password is one of the main security best practice which can reduce the risk of personal data breach! The CNIL consider this essential issue and informs regularly organisations and citizens on “how to protect their information in few seconds ?” and “what simple tools can they use to minimize the risks ?”.

Respond to these questions by efficient tools is fundamental because with digital uses on the rise, the sheer number of accounts and passwords that users now have to juggle is proving an ever more complex task. If they do not take care of the way they manage these passwords, users place their personal data at risk:

  1. using the same password to access different services can compromise sensitive accounts – not least their main email address;
  2. the tendency to share passwords increases the risk of identity theft;
  3. the tendency to create passwords using personal information (date of birth, children’s first names, company name, etc.) makes them more vulnerable, especially in a context where it is easy to retrieve information about people online (social engineering);
  4. to overcome the difficulty remembering passwords, the tendency is to create overly simple ones a few characters long, often including common words, or to write them down somewhere on paper.

And yet, many users are not aware of the basic security steps and techniques for managing this confidential information – when they have an ever greater number of accounts and increasingly sensitive information to protect.

Complete entry available here.

C29: LINC, for Laboratoire d’innovation numérique de la CNIL is the new innovation and foresight tool of the CNIL (France)

 

 

 

 

 

Entry by: Data Protection Commission (CNIL), France

LINC, for Laboratoire d’innovation numérique de la CNIL is the new innovation and foresight tool of the CNIL: a triple project based on: an online media; a physical space, where we can organise workshops, conferences and meetings with innovation actors (entrepreneurs, researchers, artists, writers); and  a research and experimentation platform, to develop and test new tools for privacy.

Why the initiative deserves to be recognised by an award?
Having an innovation and foresight team inside a national data protection is probably quite a unique initiative around the world. The different facets of the LINC project are all based on several key core assumptions, mainly trying to :

  • embody the idea that a DPA can have a second “voice” to be a part of the global conversation around ethics and society issues, a voice supplementing the traditional “regulatory” one, with all its (normal and useful) constraints;
  • avoid the spread of a (baseless) opinion that a regulator’s job is basically to kill or at least prevent or slow innovation;
  • create a “demilitarized zone” where the regulator can interact with innovation ecosystems actors away from an overlooking vantage point and right “in the middle of the playing field”.

The whole LINC project, piloted and designed by CNIL innovation and foresight team, is creating the condition for the growing inclusion of the regulator in the innovation ecosystem, and not only to create some tedious points of contact with these actors. This is a game changing opportunity for regulators to nudge the entrepreneur’s views of the role of regulation, and to make ethical issues an ecosystemic debate.

Complete entry available here.

C30: Access & Privacy Rules: A Councillor’s Guide (Nova Scotia, Canada)

 

 

 

 

 

 

 

Entry by: Office of the Information and Privacy Commissioner for Nova Scotia (Canada)

Access & Privacy Rules: A Councillor’s Guide
Municipal councillors in Nova Scotia frequently have very limited knowledge of the access and privacy rules that apply to their municipalities. The OIPC Nova Scotia produced a plain language pamphlet that set out the essential access and privacy rules for councillors and addressed some of the errors commonly committed by municipal councils.    The pamphlet was distributed to every councillor in Nova Scotia immediately after a recent province wide municipal election.

Why the initiative deserves to be recognised by an award?
Nova Scotia has 52 municipalities all subject to our access and privacy laws. Compliance with access and privacy laws in these small municipalities is profoundly influenced by the local municipal councillors. It is very common for these councillors to have no knowledge about the law and so they make frequent errors that undermine the public’s right to know and the public’s right to have their privacy properly protected.  Municipalities are small places, where everyone knows everyone else.  A privacy breach or inappropriate use of data can have a devastating effect on individuals.  Another significant fact is that many provincial politicians begin their careers as municipal councillors.  Therefore, a project aimed at improving the knowledge and understanding of councillors could have a lasting positive effect on the robust protection of privacy rights in the province.  This was the first time our office had directly communicated with town councillors, the pamphlet was widely distributed and the feedback we received from several towns and individual councillors was very positive.

It is a small project but one that significantly raised awareness about the need to protect privacy and will hopefully influence these individuals in their future political careers.

Complete entry available here.

C31: Privacy Breach Management- Are You Ready? (Nova Scotia, Canada)

 

 

 

 

 

 

 

 

Entry by: Office of the Information and Privacy Commissioner for Nova Scotia (Canada)

Privacy Breach Management- Are You Ready?
This year the OIPC Nova Scotia developed and delivered a workshop series entitled, “Privacy Breach Management – Are You Ready?”. The course was interactive requiring participants to manage a series of breach scenarios.  Using a privacy breach protocol template, participants developed their own privacy breach management protocol as part of the workshop.  Participants were provided with a breach management workbook containing all of the essential tools for managing a privacy breach.

Why the initiative deserves to be recognised by an award?
The OIPC Nova Scotia is a small office consisting of 6 staff and the Commissioner. We have limited resources which we try to focus on the areas of most need.   This workshop was one of the most successful this office has ever delivered.  We reached over 50 public bodies in 12 sessions.  Participants consistently rated the session as one they would highly recommend to others.  As a result of this workshop, these 50+ public bodies now have the tools and knowledge to properly manage a privacy breach – a huge accomplishment for a small office and an important step in protecting the privacy of Nova Scotians.

Complete entry available here.

C32: “Good intentions” – images of children online (Norway)

 

 

 

 

 

 

 

Entry by: Data protection Authority, Norway

“Good intentions” – images of children online
Today, children’s development is fully documented, whether the children are with family or friends, at school, in kindergarten or taking part in leisure activities. The pictures are easily shared – even online – using digital tools, and it happens in an instant. However, there are many reasons to reflect on this practice. We wanted to raise awareness on the child’s right to privacy through a seminar, new films and guidelines.

Why the initiative deserves to be recognised by an award?
The Norwegian DPA and The Norwegian Centre for ICT in Education identified a growing problem and managed to raise awareness on the topic through a very successful campaign. We aimed at some specific target groups, and made a brochure with guidelines about how to handle pictures of children and what to think through before sharing them with others. We also made an animated information film for these groups. Our seminar and all the interest that we managed to create in the media helped spreading our main message: always ask the child before you publish pictures or other personal data of the child online.

We were also able to make important agents that are in a position to reach exposed children aware of the subject and our guidelines.

The interest in this topic has been overwhelming. Brochures with guidelines can be ordered free of charge. Since February 2017, we have distributed almost 6000 brochures, in addition to those downloaded from our website.

All content is available and free, being licensed under Creative Commons. Any other country that wishes to translate and adopt the content would be most welcome to do so.

Complete entry available here.

C33: New resources aimed at improving records management in the health sector (UK)

 

 

 

 

 

 

Entry by: Information Commissioner’s Office, UK

New resources aimed at improving records management in the health sector
Health organisations handle some of the most sensitive personal data and patients have the right to expect that their information will be looked after.

Our audits identified a worrying trend of weaknesses and failures in this area, including medical records being found in garages and lofts. We created a suite of specialist guidance and practical support to help improve the sector’s records management culture.

Why the initiative deserves to be recognised by an award?
The highly sensitive nature of the personal data handled by the health sector means its proper management is vital. The potential consequences of bad practice can be devastating for individuals.

After identifying recurring problems through our audit and enforcement work, this ICO project aimed to tackle the root causes of an issue of huge public interest. Appropriately for the sector, it works on the principle that prevention is better than cure.

The ICO’s detailed, sector-specific resources represent the chance to influence and reinforce an improved culture of data protection by providing people at all levels of an organisation with the tools they need.

Organisations were keen to improve. They wanted to get better. But they needed our help.

This project provides that help and will prevent a significant number of future data security breaches from happening.

That benefits the organisations themselves, the ICO as regulator and, most importantly, patients, whose medical records and sensitive personal information will be more secure as a result.

Complete entry available here.

C34: Training sessions for high school students and academics (Mali)

 

 

 

 

 

Entry by: Personal Data Protection Authority (APDP), Mali

The Authority’s contribution to digital education focused on:

  • The organization of training sessions for high school students and academics from Mali
  • the candidates’ knowledge check at the end of the training session
  • the creation of a rubric called “digital education” on the Authority’s website, which will centralize all activities carried out in this field, publications (articles, fact sheets)
  • the sharing of the resolution adopting the reference framework for training pupils of education to the protection of personal data to the highest authorities of the country.

Why the initiative deserves to be recognised by an award?
Such an initiative deserves to be crowned by taking into account certain realities

  • the protection of personal data is a new concept in Mali (launch of the Authority’s activities in March 2016);
  • Malian citizens and residents, especially young people, are not aware of the dangers to which they are exposed; 

In this respect, the Authority deserves to be encouraged in view of the efforts made in digital education in one year of existence. Efforts will continue to establish a culture of protection of personal data in Mali.

Complete entry available here.

C35: “Your personal data worth, take care of them” (Uruguay)

 

 

 

 

 

 

 

 

Entry by: Personal Data Regulatory and Control Unit (URCDP), Uruguay

“Your personal data worth, take care of them” is an educational proposal aimed at children, parents and teachers that introduces personal data protection through a holistic view. It is developed under two lines of action: (1) Technical training for teachers and tools that are used in classrooms. (2) A contest for children in which they use the theme to develop creative proposals and at the same time are emerging as agents of social change.

Why the initiative deserves to be recognised by an award?
This initiative is developed under different dimensions, allowing its transformation into a replicable model:

  • Inter-institutional approach. The initiative is led by URCDP in coordination with the governing body of education (CEIP), Ceibal Plan, the e-government and information society agency (Agesic) and the official information centre (Impo). This creates a strong synergy between formal education and data protection as a public policy.
  • Comprehensive perspective. It incorporates elements such as capacity building, school as a social institution that replicates good practices in the community, the teachers with the ability to integrate the subject in curricular activities, the child as an agent of social change among peers and families, the dissemination of rights and the adoption of responsible practices.

Sustainability. In order to educate and prepare next generations, it is necessary to this subject into formal education on a permanent basis. For this reason, this initiative has been maintained over time, improving it every year and extending it both in its coverage and in its scope. For the 2017 edition, the first online professional refresher course, certified for all teachers in the country, will be launched, and a proposal will be created to integrate the subject into the school curriculum.

Complete entry available here.

C36: EU Data Protection mobile app (EDPS, European Union)

 

 

 

 

 

 

 

Entry by: European Data protection Supervisor

EU Data Protection mobile app
The EU Data Protection mobile app was an in-house exercise at the EDPS, involving all data protection and communication units. The app has been considered as a real novelty, representing an innovative and informative way in which to promote and improve the legislative process, especially in relation to the important topic of data protection.

The app was also a useful tool during the trilogue phase of negotiations on the General Data Protection Regulation (2015-2016). It allowed users to easily compare the proposed texts from the Commission, the Parliament and the Council alongside EDPS recommendations. The app was updated in July 2016 with the final texts, to allow transparent comparison with previous legislation.

The EDPS wants data protection to go digital. Technology continues to develop and data protection must develop with it. By creating the app we were able to increase the transparency of the legislative process for all those interested, inside and outside the EU, whilst embracing technological change.

Why the initiative deserves to be recognised by an award?
The EDPS aims to be an epicentre for creative ideas and innovative solutions, and to benefit from new technologies to make data protection more accessible. The EU occupies a privileged position as the point of reference for much of the world on privacy and data protection. But for the EU to continue being a credible leader in the digital age, it must act on its own fundamental principles of privacy and data protection, and it must act quickly.

After many years of talk, the reform of the EU data protection rules was more urgent than ever. It was therefore vital to make data protection easier, clearer and less bureaucratic, so that it will underpin the digital world now and into the future.

Individuals, public authorities, companies and researchers needed a rulebook which is unambiguous, comprehensive and robust enough to last two decades and that can be enforced as required by the European and national courts as well as by truly independent data protection authorities.

The EDPS wanted to be a proactive and influential partner in the discussions between the European Commission, Parliament and Council on the data protection reform, in particular in the final trilogue. We have helped legislators to find pragmatic solutions to strengthen the roles of individuals and supervisory authorities, and the accountability of controllers, while simplifying existing formal requirements where necessary. Data protection needed to be more dynamic and less bureaucratic.

Complete entry available here.

C37: IdentityTheft.gov (USA)

 

 

 

 

Entry by: U. S Federal Trade Commission

The FTC launched the enhanced IdentityTheft.gov (robodeidentidad.gov in Spanish), a free, one-stop resource people can use to report and recover from identity theft. Identity theft victims can use the site to create a personal recovery plan, get pre-filled letters and forms to send to credit bureaus and businesses, and create an account to track progress and update their recovery plans. Over 500,000 people have filed complaints via the site.

Why the initiative deserves to be recognised by an award?
The initiative is an innovative effort that combines education, reporting, and recovery in an automated yet personalized website. Consumers report their problem, and are given a step-by-step personalized plan for recovering. They can access and print pre-filled letters to credit bureaus and other relevant parties to put their recovery plan into action. Consumers can log back on to the website to continue their plans and they can adapt their plans to the changing situation.

Since the launch to mid-April 2017, identitytheft.gov has received over 500,000 complaints. Over 430,000 activated accounts on the website, with access to response plans for recovering from identity theft.

Complete entry available here.

C38: 18 Practical Cards – ‘Guide on Privacy and safety in Internet’  (Spain)


 

 

 

 

 

Entry by: Data Protection Commissioner, Spain

The Spanish Data Protection Agency (AEPD) publishes 18 practical cards to make aware the users, in particular to a group especially vulnerable as it is that of the minors, of the importance of protecting its personal information, offering advices and practical recommendations, also this guide complements itself with six tutorials videos in whom it shows how to get access to the configurations of privacy and safety of some of the most popular Internet services.

Why the initiative deserves to be recognised by an award?
An important part of the most popular services in Internet uses a large amount of information and personal data that the users themselves provide. The Spanish DPA thinks that the privacy and the safety are fundamental aspects that must be kept in mind to minimize the risks that can go so far as to take place in a hyper connected world.

The publication, available both in web version and in PDF, is accompanied of six video tutorials that show how to access to the configurations of privacy and safety of some of the most popular services of Internet.

The Spanish DPA hopes that this initiative should be useful to the Internet users and should allow a practical approach to the different contents, so that the final goal, to be aware and offers practical resources for citizens, especially for minors, could be got.

Complete entry available here.

C39: Minors, Internet and Technology – Growing and Living Together in a Digital World (Catalan, Spain)


 

 

 

 

 

 

Entry by: Catalan Data Protection Agency, Spain

Minors, Internet and Technology – Growing and Living Together in a Digital World
The purpose is to raise the awareness of young people and their environment about the need for responsible use of personal information when using the new technologies and Internet. We generate debate and involve minors, schools and families in identifying and disseminating common guidelines to grow and live in a world full of technologies which offers many opportunities but also involves challenges and risks.

Why the initiative deserves to be recognised by an award?
PARTICIPATORY PROCESS. The project is designed in co-operation with Department of Education of the Catalan Government.

TRANSPARENCY. In order to disseminate and share, exchanges of experiences and helping to build up something of a community around these goals, APDCAT launched a website for this http://www.menorsiprivacitat.cat/

JOINT WORK: Three pillars to get closer to the students:

  1. A positive attitude to the use of Internet and the new technologies: the starting-point is the conviction that the digital experience is constructive. It fosters positive development in young people as regards all aspects that form part of their present and future personality and their attitude towards the use of the new technologies, which, now and forever, will form part of many of their life experiences.
  2. A process of thought and reflection: we want to know what young people think and what interests and worries they have regarding the use of new technologies and Internet. We take as our starting point the conviction that, to define healthy digital habits, we need to listen to them.
  3. Continuing action: if we are talking about the digital society, actions must be continuous, and results already achieved must be shared with parents and society with a final Congress.

Complete entry available here.

C40: Necessity Toolkit (EDPS, European Union)

 

 

 

 

 

 

 

 

Entry by: European Data Protection Supervisor

Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A Toolkit (Necessity Toolkit)
The toolkit aims to help the EU legislators to better assess the necessity of new legislative measures which limit the right to data protection and other fundamental rights, such as the right to privacy. It provides a practical step-by-step checklist, exemplifying the criteria for applying the necessity principle.

Why the initiative deserves to be recognised by an award?
The initiative is first of its kind in providing help for the EU legislators when they check the compliance of new legislative measures.

The toolkit details in practice and step-by-step the application by the EU legislators of the necessity principle which should be respected when new laws involve the processing of personal data. Moreover, it sheds light into other complex neighbouring notions, such as the appropriateness and proportionality of a measure, and help distinguish them. Therefore, it is at the same time a compliance and education tool.

The toolkit facilitates an informed policy-making across the various sectors, ranging from digital trade to public security.

It is generic also in that it could be used by other national legislators in the EU and beyond, to the extent the principle of necessity is enshrined in many national legal orders. The toolkit could also be used by data protection authorities when they provide advice to the legislator on new policy measures limiting the right to the protection of personal data.

Complete entry available here.

C41: Video campaign (Ireland)

 

 

 

 

 

Entry by: Data Protection Commissioner, Ireland

The DPC launched a video campaign highlighting the rights and responsibilities attached to electronic direct marketing. The video took the form of a promoted campaign, which is a new departure for the DPC, and used gentle humour to engage our audience. The campaign has had marked success, with almost 360,000 views on YouTube over ten days, and close to 2million impressions.

Why the initiative deserves to be recognised by an award?
We are very proud of Data Protection Dave, and we think that the campaign deserves recognition because of its innovative approach to communications privacy messaging. We are faced by a target audience who are predisposed to view data protection as a legalistic world – certainly important – but not always as relatable to them as it should be. This video really seeks to dispel that notion, and make data protection a household concept. Dave is engaging, light, informative and relatable and we think he marks a new departure for the way in which DPAs will seek to push out their messages in the future.

Complete entry available here.

C42: Twitter account (Ireland)

 

 

 

 

 

 

Entry by: Data Protection Commissioner, Ireland

In November 2016, the Irish DPC launched its first ever Twitter account, as a tool for engaging stakeholders and extending the reach of our message to an even wider audience. Since its launch, the account has gone from strength to strength, with the ICDPPC itself citing it as the fastest growing DPA Twitter account in the world. In almost six months since launch, the account has attracted over 1,500 followers and garnered in excess of 550,000 impressions for our outgoing tweets.

Why the initiative deserves to be recognised by an award?
We believe that the account deserves recognition for the way in which it generates and utilises content, and its extraordinary success in extending that information to the widest possible audience. With over 550,000 impressions in almost six months, @DPCIreland has successfully increased awareness around data protection in general, and GDPR readiness in particular. We look forward to continuing to build this initiative in the run-up to May 2018 and on into GDPR implementation.

Complete entry available here.

C43: Access Rights and Responsibilities Guide (Ireland)

 

 

 

 

 

 

 

 

Entry by: Data Protection Commissioner, Ireland

Access Requests account for the greatest number of complaints to the Irish DPC every year, accounting for 56% of all complaints received. We decided that a renewed awareness raising campaign was needed, so that access rights and responsibilities would be highlighted in advance of GDPR. The PDF guide that we published, along with the infographic ‘check list’ for individuals and organisations has been praised for its clear use of language, and its comprehensible format.

Why the initiative deserves to be recognised by an award?
We think this work deserves recognition as it was conceived in response to the needs of our stakeholder body, and represents a successful shift in format towards the kind of clarity that individuals and organisations have been seeking. We are prioritising plain, clear language and an easily digestible format. Our belief is that the more comprehensible the guidance, the greater the levels of compliance. We have really put a lot of effort into developing a style and format that meets the needs of our stakeholders, and we plan to take this forward into the future.

Complete entry available here.

C44: First private sector audit (British Columbia, Canada)

 

 

 

 

 

 

 

 

Entry by:  Office of the Information and Privacy Commissioner for British Columbia, Canada

This initiative was the first private sector audit undertaken by the Office of the Information and Privacy Commissioner (OIPC). It followed a complaint to our Office about a medical clinic in the Lower Mainland. Beginning in June 2016, auditors examined the organization’s privacy management program and its use of video and audio surveillance. The key finding was that the clinic is not authorized to collect personal information through its video and audio surveillance system.

Why the initiative deserves to be recognised by an award?
The subject of the audit – surveillance – is timely and important. An award would underscore its relevance. Video surveillance affects how we behave when we believe we’re being watched. It inhibits our freedom of expression, association, and privacy – all essential to democracy.

This was the first audit of a private sector business that our Office has undertaken in our Audit & Compliance Program.

Conducted at a private medical clinic in BC that had installed several video and audio recorders, its goal was to determine the business’ compliance with legislative requirements relating to collection, use, disclosure, disposal and overall protection of personal information.

The audit was undertaken to encourage all private businesses in B.C. to reflect on their own video surveillance practices and amend them if necessary. To assist them, the OIPC also released a guidance document entitled “Guide to Using Overt Video Surveillance.”

This report resulted in significant media coverage. We believe it and the guidance document were instructive to other private sector businesses in BC. For these reasons, we believe that this initiative deserves to be recognized by one of your awards.

Complete entry available here.

C45: Investigation into mobile device management (British Columbia, Canada)

 

 

 

 

 

 

 

 

Entry by: Office of the Information and Privacy Commissioner for British Columbia, Canada

Our investigation into mobile device management in the BC government was conducted concurrently with an audit by the BC Auditor General. The two reports were presented simultaneously at a joint news conference by Information and Privacy Commissioner Drew McArthur and BC Auditor General Carol Bellringer. The offices worked together to create a guidance document for the general public, which was successfully promoted on social and news media.

Why the initiative deserves to be recognised by an award?
The government of BC has issued more than 12,000 mobile phones to ministry employees, many of whom manage personal information of BC residents every day in the course of their work. The potential for a privacy breach, whether accidental or intentional, is very high. This initiative represents a highly successful collaboration between two independent Officers of the Legislature to proactively address the government’s management of personal information. Each office conducted its own investigation on the topic of mobile device management in the BC government, then presented the findings together at a joint news conference. The two offices also worked together on a guidance document for the public that provided 15 top tips for mobile device security and privacy. The approach amplified the results for each office, generating significant media coverage and public awareness of this issue.

Complete entry available here.

C46: Release of Ashley Madison case findings (Canada)

 

 

 

Entry by: Privacy Commissioner of Canada

In August 2016, the Office of the Privacy Commissioner of Canada (OPC) and its Australian counterpart launched the results of a joint investigation into a breach of the computer networks of Avid Life Media, the company behind AshleyMadison.com. The OPC used the opportunity to deliver messages about privacy protection to all businesses. This advice was highlighted in communications materials and broadly picked up in coverage that included almost 800 articles with a reach of more than 128 million.

Why the initiative deserves to be recognised by an award?
The AshleyMadison.com investigation illustrates how a high profile case can be leveraged to effectively educate businesses on the importance of sound privacy and security policies and practices.

This issue garnered the highest level of media interest in OPC history. We were pleased that the announcement resulted in coverage focused less on the sensational nature of the case, as one might have expected, but more on messaging around security safeguards, the need to respect privacy laws and the lessons for all businesses.

Some 788 articles, with a total reach of 128.1 million, were identified immediately after the announcement. The report was covered by major wire services and top tier publications such as the New York Times, BBC, Sydney Morning Herald and Globe and Mail.

The media interest, promotion via social media, and stakeholder outreach initiatives such as the deconstruction event resulted in a significant number of web hits for our online materials – the report of findings was by far the most viewed among those posted in 2016 (more than double the second most-viewed report) and the takeaways document was by far our most viewed issue-specific guidance for business (over five times more than the next most-viewed.)

We believe these communications and outreach successes have served to educate a broad range of businesses about their privacy responsibilities and will ultimately lead to better privacy protection for individuals in Canada, Australia, the U.S. and around the globe.

Complete entry available here.