Entries submitted

C1: Guidelines for obtaining meaningful consent (Canada, Office of the Information and Privacy Commissioner for British Columbia; Office of the Information and Privacy Commissioner of Alberta; Office of the Privacy Commissioner of Canada)
C2: Guidance on inappropriate data practices (Canada, Office of the Privacy Commissioner)
C3: Reporting Health Privacy Breaches under PHIPA; support to health custodians (Canada, Information and Privacy Commissioner of Ontario)
C4: Guidance on the Use of Automated Licence Plate Recognition Systems by Police (Canada, Information and Privacy Commissioner of Ontario)
C5: Smart cities (Canada, Information and Privacy Commissioner of Ontario)
C6: PIA software (France, CNIL)
C7: PCPD’s initiatives on the implementation of General Data Protection Regulation (GDPR) (Hong-Kong, PCPD)
C8: ‘Preparing Ireland for the GDPR’ Awareness Initiative (Ireland, Data Protection Commission)
C9: GDPR Awareness raising conference and workshop (Ireland, Data Protection Commission)
C10: GDPR readiness guide for SMEs (Ireland, Data Protection Commission)
C11: Electronic system for exercising the rights of access, rectification, cancellation and opposition (Mexico, INAI)
C12: Privacy Trust Mark (New-Zealand, Office of the Privacy Commissioner)
C13: Data Analytics Guidance (New-Zealand, Office of the Privacy Commissioner)
C14: Software development with Data Protection by Design and by Default (Norway, Datatilsynet)
C15: Artificial intelligence and Privacy (Norway, Datatilsynet)
C16: FACILITA (Spain, Spanish Data Protection Agency)
C17: Lawful Basis Tool (United Kingdom, ICO)
C18: FTC Recommends Steps to Improve Mobile Device Security Update Practices (United States of America, FTC)

 

C1: Guidelines for obtaining meaningful consent (Canada DPAs)

Entry by: Office of the Information and Privacy Commissioner for British Columbia; Office of the Information and Privacy Commissioner of Alberta; Office of the Privacy Commissioner of Canada.

Description of the initiative:

The increasingly complex digital environment – with technological innovations such as big data, the IoT and AI – is posing challenges for privacy protection and the consent model. The consent guidance sets out practical and actionable advice to help provide clarity and certainty for organizations to ensure they obtain meaningful consent. The guidance will also help Canadians to understand their privacy rights under the law – and what they can expect from businesses that handle their personal information.

Why the initiative deserves to be recognised by an award?

There are two things that this guidance achieves that set it apart and make it deserving of an ICDPPC Global Privacy and Data Protection Award. First, it responds directly to our stakeholders’ needs, gauged through an over-two-year consultation. Second, it bridges an important gap between broad and principle-based legislation and actual, concrete compliance expectations in an age of rapid technological change.

-One-

During extensive public consultation, we heard clearly that the increasingly complex digital environment – with technological innovations such as big data, the IoT and AI – is posing challenges for privacy protection and the consent model. Stakeholders overwhelmingly called on the OPC to provide more guidance.

We responded directly with practical and actionable guidance regarding what organizations should do to ensure that they obtain meaningful consent.

-Two-

Though technology neutral, Canada’s laws were adopted when routine, predictable, transparent one-on-one interactions between organizations and individuals were the norm. This is no longer. As regulators, we see our role as including giving guidance that clarifies legislative requirements and sets expectations regarding how the law should generally be interpreted and applied.

This gives organizations an adequate level of certainty to be able to act with confidence that that action complies with privacy requirements.

Complete entry available here.

 

C2: Guidance on inappropriate data practices (Canada, OPC)

Entry by: Office of the Privacy Commissioner of Canada

Description of the initiative:

Under Canadian private sector privacy law, even with consent, an organization must still show that its purposes for collecting, using or disclosing personal information in the first place are ones that a reasonable person would consider appropriate in the circumstances.

This guidance document sets out a series of “no-go zones” which the Office of the Privacy Commissioner generally considers offside of Canada’s federal private sector privacy law.

Why the initiative deserves to be recognised by an award?

Clearly defining inappropriate uses of personal data serves two important purposes. First, it protects individuals. Second is plays an important role in maintaining trust in the digital economy.

-One-

Individuals should not be expected to shoulder the heaviest burden when it comes to deconstructing complex data flows in order to make informed decisions on whether or not to provide consent; in other words, though consent must remain important, it cannot serve as the only mechanism of privacy protection

-Two-

This guidance plays an important role in mitigating the risk that consumers will lose trust in the digital economy, thus hindering its growth, and they may not enjoy all the benefits afforded by innovation.

Having a specific list of no-go zones in a guidance document provides the flexibility to periodically revisit and update the list to keep pace with rapid change and innovation, which the OPC intends to do.

Finally, while created primarily with the Canadian legislative context in mind, the list transcends any given piece of legislation, and would serve as useful guidance to any company, regardless of location, of practices that should not be undertaken.

Complete entry available here.

 

C3: Reporting Health Privacy Breaches under PHIPA; support to health custodians (Canada, Information and Privacy Commissioner of Ontario)

Entry by: Information and Privacy Commissioner of Ontario (IPC)

Description of the initiative:

Last year, it became mandatory for health information custodians to notify our office of health privacy beaches and to track breach statistics as part of a new annual reporting requirement. The IPC developed guidance materials to advise under what circumstances breaches must be reported. A secure online form was developed so that breaches could be reported to our office electronically and a statistics submission website was also created so that statistics could be submitted electronically.

Why the initiative deserves to be recognised by an award?

The development of the professional guidelines, webinar, and upgraded online reporting resources has helped health information custodians (HIC), and the wider health care sector in Ontario to have:

  • a clear and easy understanding of the new requirements
  • greater clarity and consistency regarding the reporting mechanisms
  • a streamlined and consistent approach to managing different kinds of health information breaches
  • consistent and accurate reporting of breaches across the entire health sector
  • a better understanding of what circumstances warrant a report to our office
  • chance to identify potential privacy risks and patterns of accidental and non-accidental breaches
  • the incentive to develop policies and programs to pre-emptively prevent breaches and deter unauthorized access
  • the opportunity to address key concerns and ask for further advice and assistance beyond what is in the immediate guidance materials

It should also be emphasized that these guidance resources not only benefit HICs and the health care sector, but they benefit all Ontarians in ensuring health care providers remain accountable with regard to the handling of patients’ personal health information.

Complete entry available here

 

C4: Guidance on the Use of Automated Licence Plate Recognition Systems by Police (Canada, Information and Privacy Commissioner of Ontario)

Entry by: Office of the Information and Privacy Commissioner of Ontario, Canada (OIPC)

Description of the initiative:

The OIPC’s document, Guidance on the Use of Automated Licence Plate Recognition Systems by Police Services, outlines the key obligations police services have under Ontario’s public sector privacy legislation in their use of ALPR systems for public safety purposes. The guidance includes best practices for using ALPR systems in a privacy-protective manner and discusses issues, including:

  • overview of ALPR technology
  • privacy implications of ALPR systems
  • benefits of Privacy Impact Assessments
  • implementation guidelines

Why the initiative deserves to be recognised by an award?

Guidance on the Use of Automated Licence Plate Recognition Systems by Police Services is the first guide of its kind in Canada and serves as a baseline for the policies and procedures for establishing ALPR systems.

The OIPC consulted with the OPP to ensure the guidance’s applicability, utility, and relevance to police services across the province.  Our research and consultation work began in 2015 and was completed in 2017.

Today, more than 20 police services in Ontario follow the OIPC guidance. Many Ontario police services are transparent about their use of ALPR and compliance with our guidance.  For example, the London Police Service’s ALPR website shares news, videos, the OIPC guide, and other general information about the system, emphasizing the service’s commitment to compliance.

Lastly, many of the principles and best practices discussed in the guidance have broad application to other surveillance technologies, such as police body worn cameras and school bus stop-arm cameras.

Complete entry available here

 

C5: Smart cities (Canada, Information and Privacy Commissioner of Ontario)

Entry by: Information and Privacy Commissioner of Ontario (IPC)

Description of the initiative:

The IPC has taken a leadership role in ensuring that municipalities are prepared for the emergence of smart city technologies, and their inherent privacy risks. The need for strong privacy protections must be a constant. This was the message our office and privacy protection authorities from across the country recently delivered to the Government of Canada. The IPC also developed guidance to help the public understand how smart cities can affect an individual’s privacy.

Why the initiative deserves to be recognised by an award?

  • Ontario’s cities have seen a rise in the launch of smart city initiatives, with injection of federal funding, the arrival of Sidewalk Labs and a general push for innovation given increasing strain on cities.
  • We recognisedthis trend and prioritized this issue for proactive engagement. In just four months:
    • We gained cross-Canada support to lobby the federal government via an open letter, and secured a commitment from the minister that privacy would be an important review criteria
    • This open letter had an impact beyond the Smart City Challenge. Sidewalk Labs was in the process of developing a data governance framework and relied on certain recommendations from the open letter including a commitment to conduct PIAs and TRAs. We continue to engage with Sidewalk Toronto as the project proceeds.
    • Drafted a fact sheet for the public.
    • Attended three smart city conferences/ learning events to study the technologies, and ethical considerations.
    • Delivered eight speeches on smart cities to private sector, public sector, civil society and the public, raising awareness among decision makers.
    • Proactively contacted a municipality regarding a news item describing a smart initiative that raised privacy questions and worked to resolve the issues.

Complete entry available here

 

C6: PIA software (France, CNIL)

Entry by: CNIL (France)

Description of the initiative:

The PIA tool is a free and open source software helping data controllers to carry out data protection impact assessments; this tool helps building and demonstrating compliance to the GDPR, and eases the use of the PIA guides published by CNIL.

Why the initiative deserves to be recognised by an award?

The PIA software is a novel and successful approach to foster the use of DPIA, which are a new instrument of the GDPR.

In less than eight months, the tool has received very positive feedback. It has been downloaded more than 70 000 times, and is used both by SMEs and large organisations.

An active open community has also been created: initially published in 2 languages (French and English), 12 additional language versions were produced by the community (and 6 language translations were verified by national DPAs) and submitted on the Github platform. Today, more and more people and organisations participate actively in its improvement.

In this regard, the tool is the first of its kind, and it paves the way for a new kind of collaboration between DPAs.

Complete entry available here

 

C7: PCPD’s initiatives on the implementation of General Data Protection Regulation (GDPR) (Hong-Kong, PCPD)

Entry by: Privacy Commissioner for Personal Data, Hong Kong (PCPD)

Description of the initiative:

The European Union (EU)’s new data protection law, GDPR, came into force on 25 May 2018. EU is Hong Kong’s second largest trading partner, and hence since 2017 PCPD has implemented the below:

 

  • A comparative study on the GDPR and Hong Kong’s Personal Data (Privacy) Ordinance (PDPO)
  • Published a booklet on key features of GDPR
  • GDPR themed educational activities
  • Media interviews/articles concerning GDPR
  • A dedicated web page

Why the initiative deserves to be recognised by an award?

As the GDPR constitutes significant developments of data protection law, the new regulatory framework includes some requirements that are not found under the PDPO.  Benefiting from the PCPD’s GDPR-themed initiatives, local SMEs, corporates, government departments, public bodies and legal professionals have got to start navigating  to ascertain if and how the new law is applicable to them, and to keep up with the latest developments.

The wide spectrum of the target recipients of the publicity and education initiatives, from government offices to professional associations, covering online publicity initiatives and offline face-to-face training, made it effective to convey the essence of the GDPR to all sectors.

Complete entry available here.

 

C8: Preparing Ireland for the GDPR’ Awareness Initiative (Ireland, Data Protection Commission)

Entry by: Data Protection Commission, Ireland

Description of the initiative:

In 2017, the DPC launched a major initiative ‘Preparing Ireland for the GDPR’ to raise awareness of the GDPR. This initiative identified and coordinated a number of communication strands aimed at raising awareness among the business community and the public. National surveys carried in May 2017 and May 2018 demonstrated a doubling of awareness of GDPR in Ireland during this period. By May 2018 over 90% of business were aware of the GDPR.

Why the initiative deserves to be recognised by an award?

The DPC commissioned surveys in May 2017 and May 2018 to provide concrete metrics to measure the impact of the “Preparing Ireland for the GDPR” awareness initiative. The survey results show a remarkable two-fold increase in GDPR awareness amongst SME businesses in Ireland (90% in May 2018) compared to last year (44% in May 2017). In addition, in 2018 compared to 2017, five times more SME business executives demonstrated knowledge of the consequences of GDPR for their organisations, along with a two-fold increase in pre-compliance activity in the small to medium enterprise sector.

Both our GDPRandYOU.ie guidance and our video adverts have been cited by the National Adult Literacy Agency of Ireland as exemplifying the principles of accessibility and understandability.

A lot of thought and effort was invested by the DPC in developing and coordinating the type of campaign that would have meaningful impact for stakeholders, that would be of real assistance to those organisations and individuals seeking to comply with the GDPR and, more generally, to raise public awareness of data protection rights.

The DPC “Preparing Ireland for the GDPR” initiative made a very significant contribution to achieving an extraordinary level of GDPR awareness among Irish business and the public. Over 80% of the Irish public were reached by our campaign, leading to GDPR awareness of over 90% in business community.

Complete entry available here

 

C9: GDPR Awareness raising conference and workshop (Ireland, Data Protection Commission)

Entry by: Data Protection Commission, Ireland

Description of the initiative:

In January 2018 the DPC hosted a landmark international conference on ‘Delivering Accountability under the GDPR’.

This free and practical hands-on event – which was run in conjunction with Centre for Information Policy Leadership(CIPL)  – highlighted and demonstrated accountability in practice, through interactive discussions and presentations for almost 500 attendees from SMEs and the Public Sector, led by leading global privacy specialists and professionals.

The slides and presentations materials from the Conference were published online as a permanent learning resource to be accessed by any organisation free of charge.

Why the initiative deserves to be recognised by an award?

This was a landmark international conference that allowed almost 500 delegates from all sectors to benefit from the experience and expertise of leading global privacy specialists, including senior representatives from the DPC, the Center for Information Policy Leadership, Apple, Facebook, Mastercard Worldwide, HP, Accenture, Google, and Arthur Cox, among others.

The conference was free-of-charge, and presentation materials were made published online as a permanent freely available resource.

Delegates benefitted from practical, hands-on workshops and exercises, and had the opportunity to shape the conversation by submitting questions through their phones directly onto the conference screen.

The DPC undertook this initiative in order to create a valuable learning event for those organisations that were most anxious about the introduction of the GDPR – SMEs and public sector organisations. The DPC is proud to have provided a unique event that allowed these organisations to gain expert, yet practical, training and insight from leading global experts.

The feedback the DPC received following this conference was overwhelmingly positive, and we expect to organise similar events in the future.

Complete entry available here

 

C10: GDPR readiness guide for SMEs (Ireland, Data Protection Commission)

Entry by: Data Protection Commission, Ireland

Description of the initiative:

In order to assist SMEs in Ireland with their GDPR preparations, in December 2017 the DPC published ‘Preparing your organisation for the GDPR – a guide for SMEs’. This digital publication was made available free-of-charge in a downloadable PDF format on the DPC’s GDPR microsite, GDPRandYou.ie.

The guide also incorporated a checklist, which was also available for download in isolation. The guide was prepared in consultation with the Irish Small Firms Association.

Why the initiative deserves to be recognised by an award?

The guide was developed in response to the need to assist the SME sector to prepare for the GDPR. The readiness guide was prepared in consultation with the Irish Small Firms Association which help ensure that it was of real value to Irish SMEs.

The SME guide has proven to be a valuable resource to the DPC in driving compliance and awareness among SMEs. Organisations engaging with DPC are routinely referred to guide as a good practice compliance guide.

The SME guide, free to download, has been widely shared and disseminated on social media and feedback has been overwhelmingly positive

The SME guide has even been disseminated by other organisations, as detailed at point f below.

Complete entry available here

 

C11: Electronic system for exercising the rights of access, rectification, cancellation and opposition (Mexico, INAI)

Entry by: National Institute for Transparency, Access to Information and Personal Data Protection (INAI Mexico)

Description of the initiative:

The electronic system for exercising the rights of access, rectification, cancellation and opposition (ARCO rights) integrated to the National Transparency Platform (NTP), allows citizens to exercise these rights, before more than 8,000 authorities belonging to the Executive, Legislative, Judicial Branches and autonomous bodies of the three levels of federal, state and municipal government. This, through an approved and accessible format for the entire country, which is available 365 days a year.

Why the initiative deserves to be recognised by an award?

Through a single Platform, two human rights can be exercised: access to information and the protection of personal data. This platform permits the exercise of these rights, before more than 8,000 authorities of the Executive, Legislative, Judicial branches and autonomous bodies at the federal level, as well as within Mexico’s 32 states. This, through an approved and accessible format for the entire country. (In accordance with the World Bank, Mexico’s population is approximately 128 million inhabitants).

The Platform is a unique tool of its kind, as it can be used from any device with Internet access, by providing citizens with the opportunity to exercise the right to the protection of personal data electronically.

Likewise, it is important to recognize the homologation of the formats -at federal level- established for each ARCO right, the distinction between the data subject and the legal representative as the applicant, as well as the recognition between the rights of a data subject, a minor, a deceased or of a person condemned to interdiction.

Finally, it is necessary to recognize the collaborative work between the local supervisory authorities and the INAI as the general manager of the NTP.

Complete entry available here

 

C12: Privacy Trust Mark (New-Zealand, Office of the Privacy Commissioner)

Entry by: Office of the Privacy Commissioner New Zealand

Description of the initiative:

The Privacy Trust Mark was designed to recognise privacy excellence in products and services. The trust mark demonstrates that a “privacy by design” approach was used and it’s intended to give consumer confidence. As organisations collect an increasing amount of information, and the consequences of accidental or malicious misuse of that information increase, it becomes more important to be able to identify products that are outstanding in the way they handle personal information.

Why the initiative deserves to be recognised by an award?

The Privacy Trust Mark project deserves to be awarded an ICDPPC Award because it promotes privacy positive behaviours by agencies and assists individuals to recognise products and services that are privacy enhancing. The Privacy Trust Mark is the only trust mark in New Zealand recognising privacy positive behaviours and only one of a handful of trust marks globally that  are administered by data protection bodes. The Privacy Trust Mark is therefore world leading.

The Privacy Trust Mark allows agencies to show how well they have taken account of privacy values in the design of their product or service. It allows individuals to engage more confidently with the products and services they buy, and improves privacy practice across agencies through raising awareness of good privacy practice.

The Privacy Trust Mark enables our Office to proactively recognise outstanding work in privacy that goes beyond mere compliance. Not only does it allow our office to single out exceptional products, it:

  • Values actions that go beyond applying the Privacy Act;
  • Improves public awareness of privacy positive behaviour;
  • Encourages open and early engagement with our Office by agencies; and
  • Presents our Office as more than punitive body.

Complete entry available here

 

C13: Data Analytics Guidance (New-Zealand, Office of the Privacy Commissioner)

Entry by: Office of the Privacy Commissioner New Zealand

Description of the initiative:

The New Zealand Privacy Commissioner and the Government Chief Data Steward have jointly developed six key principles to support safe and effective data analytics. These six principles are intended to help agencies, and guide our thinking on data analytics activities, including algorithmic decision-making. Using these principles in systems and thinking means stronger, more secure, and safer data use.

Why the initiative deserves to be recognised by an award?

There is no similar guidance available.  The use of data analytics is widespread and growing and there is a recognised need for clear principles to guide use. This is a significant step in the creation of an ethical framework for data analytics and data use by two key stakeholders: the Privacy Commissioner and the Government Chief Data Steward.

Complete entry available here

 

C14: Software development with Data Protection by Design and by Default (Norway, Datatilsynet)

Entry by: The Norwegian Data Protection Authority

Description of the initiative:

We have developed these guidelines to help organizations understand and comply with the requirement of data protection by design and by default in article 25 of the General Data Protection Regulation. We have cooperated with security professionals and software developers in public and private sector among others. These guidelines are primary intended for developers, software architects, project managers, testers, data protection officers and security advisors.

Why the initiative deserves to be recognised by an award?

The guidelines have to be specific and clear so that organisations that develop software, applications, services, systems etc. and follow the guide, and later on can get their processing activities certified and get a privacy seal or mark according to article 25 (3).

The framework is not meant to be a substitute for a company’s methodology for software development, but it is a supplement to ensure that privacy and security are included in the methodology.

There is abundant technical literature that focuses on security by design when developing software. Relatively little has however been written about data protection by design and by default when developing software. While working on this guide, we have used Software Development LifeCycle (SDLC), Microsoft Security Development Lifecycle (SDL) and ENISA; Privacy and Data Protection by Design – from policy to engineering, as a starting point, and explored how to incorporate privacy principles, subject rights, and the requirements of the GDPR into every step of the process.

The guidelines has already become a gold standard for developers and adopted by three universities in Norway. We think it is because the guide is specific, clear and have checklists that can be used directly by the different developer professions.

Complete entry available here

 

C15: Artificial intelligence and Privacy (Norway, Datatilsynet)

Entry by: The Norwegian Data Protection Authority

Description of the initiative:

This report looks at two of the hottest topics at the moment, Artificial intelligence and the GDPR. We aim to raise awareness on how artificial intelligence works and how it can challenge the right to privacy and data protection. We explore what aspects of the GDPR that may affect the development and use of artificial intelligence. What rights do the user have when being the subject of decision making by AI based systems?

Why the initiative deserves to be recognised by an award?

The report arrived with perfect timing to make it a good counterbalance to the AI debates focusing mainly on efficiency and results. It makes a complexed topic accessible, seen from both the technical and legal side. The report is not only focused on problems, but also outlines some tools and recommendations for usage, development and research.

AI and privacy is a good primer and toolkit for anyone working on, or interested in this topic. It has gathered attention from parts of the government that wants to use the technology, developers, as well as companies and institutions that research and develop the underlying technology.

We decided to translate the report into English to make it available to more than just Norway, we would also welcome others to translate it to new languages for availability.

The report has been promoted as highly recommended reading by the Future of privacy forum, extending its reach outside of EU as well.

We believe that an award would help expose this very useful “tool” to an even wider audience, something that would be a great benefit for privacy and data protection.

Complete entry available here

 

C16: FACILITA (Spain, Spanish Data Protection Agency)

Entry by: Spanish Data Protection Agency

Description of the initiative:

The initiative consists in a tool made by the Spanish Data Protection Agency (AEPD). It is called FACILITA and it has been developed for supporting the controllers and processors in the adaptation process to the new European regulation of data protection (GDPR), in particular the small and micro enterprises (SMEs) and professionals.

Why the initiative deserves to be recognised by an award?

The GDPR supposes a new model of fulfilment for the controllers and processors of processing of personal data that, at the same time, implies an effort of adaptation for these bodies, especially, if they are small and micro enterprises (SMEs) and self-workers.

FACILITA has been designed to help SMEs that, for the most part of them, do not need complex adaptation mechanisms to GDPR due to the processing of personal data are in a low-risk level.

FACILITA has been selected to be present to the award for the following reasons:

  • The objective pursued and the purpose for which it has been developed.
  • It is free and easy to use.
  • It is sustainable.
  • The large number of users of FACILITA.
  • It is also available in English.

The impact caused on the protection of the rights of the data subjects: in Spain there are 2.8 million companies (Report of the General Directorate of Industry and Small and Medium-Sized Enterprises based on data from the Ministry of Employment and Social Security to February 2017), of which 99.8% are SMEs and self-employed, and 94% micro-enterprises of 9 workers or less and self-workers.

Complete entry available here

 

C17: Lawful Basis Tool (United Kingdom, ICO)

Entry by: Information Commissioner’s Office (ICO), United Kingdom

Description of the initiative:

The ICO has developed an interactive, web based guidance tool to assist data controllers in assessing which lawful basis within the GDPR is likely to be most appropriate for processing that they intend to carry out.

Why the initiative deserves to be recognised by an award?

This tool represents a new and innovative way to deliver regulatory support and guidance to organisations. It builds on the approach and success of the ICO self-assessment toolkits and is particularly tailored to the needs of small and micro organisations. During the implementation phase of the GDPR a significant proportion of stakeholder queries that the ICO received related to Article 6. This interactive tool demonstrates that the ICO is a responsive and flexible regulator and that we are always learning and striving to develop the most useful resources to support data controllers in maintaining the very highest standards of data protection practice.

Complete entry available here

 

C18: FTC Recommends Steps to Improve Mobile Device Security Update Practices (USA, FTC)

Entry by: Federal Trade Commission (FTC, USA)

Description of the initiative:

A new FTC report finds that the complexity of the mobile ecosystem means that the security update process for patching operating system software on some mobile devices is intricate and time-consuming. The report recommends that manufacturers consider taking additional steps to get more security updates to user devices faster. It also recommends that manufacturers consider telling users how long a device will receive security updates and when update support is ending.

Why the initiative deserves to be recognised by an award?

Consumers use their mobile devices for a wide range of activities and want to have confidence that when they use them they will be secure.  The report found, however, significant differences in how the industry deploys security updates and that more needs to be done to make it easier for consumers to ensure their devices are secure.

Security researchers and government agencies agree that it is important to install security updates that patch vulnerabilities in the device’s operating system. Many of these devices, however, remain without important security updates for long periods– either because no update is issued at all, because approving and deploying a patch is a lengthy process, or because users do not install available updates. The FTC report examines certain manufacturers’ security update practices and offers recommendations on how to improve the security update process.

A key finding of the report is that support periods, the time during which a device receives operating system updates, and update frequency vary widely, even among devices that cost the same, are made by the same company, or are serviced by the same carrier. A device may receive security updates for many years – or, in some instances, may not receive any updates at all.

Complete entry available here