Entries submitted (as on 1.05.2017)

A1: Privacy Research Fund + Privacy Research Symposium (New Zealand)
A2: De-identification guidelines for structured data (OIPC Ontario, Canada)
A3: “Corpus luris” (INAI, Mexico)
A4: Big data, artificial intelligence (AI), machine learning and data protection (UK)
A5: PrivacyCon 2017 (USA)
A6: Discussion paper on potential enhancements to consent under the Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada)

A1: Privacy Research Fund + Privacy Research Symposium (New Zealand)

 

 

 

Entry by: Office of the Privacy Commissioner, New Zealand

Privacy Research Fund + Privacy Research Symposium: The Privacy Commissioner established a contestable fund of NZ$75,000 to support privacy research projects under which 4 projects were funded with the results presented publicly in a Privacy Research Symposium held as the centrepiece of a special Privacy Research Week. https://privacy.org.nz/further-resources/privacy-research/.

Why the initiative deserves to be recognised by an award?*
The Privacy Research Fund was a successful experiment for the office in using a modest sum of money to build capacity outside the Office of the Privacy Commissioner to better understand privacy and deliver solutions to privacy problems. It built on the assumption that the Office of the Privacy Commissioner does not have all the answers and other stakeholders in the research community have an important part to play in achieving our goals.

The Privacy Research Symposium was a successful event that achieved its goals. However, there were three special aspects setting it part from regular OPC events:

  • Bringing together the research community and creating new connections amongst that community
  • Branding a series of 4 events, only 2 of which were OPC organised, into a coherent Privacy Research Week: the strength of the branding apparent in attendees travelling from overseas to participate

* Non-competition entry: New Zealand has exempted itself from the competition as the ICDPPC Chair, who is judging the competition, is also the New Zealand Commissioner. This entry is for illustrative purposes only.

Complete entry available here.

A2: De-identification guidelines for structured data (OIPC Ontario, Canada)


 

 

 

 

 

 

 

Entry by: Office of the Information and Privacy Commissioner of Ontario, Canada (OIPC)

De-identification guidelines for structured data
The OIPC’s guidance document, De-identification Guidelines for Structured Data, introduces government institutions to the basic concepts and techniques of de-identification, and provides a step-by-step process for de-identifying data sets that contain personal information. It offers direction on a risk-based approach to de-identification and discusses key issues, including:

  • direct and indirect identifiers
  • public, non-public and semi-public release models
  • different re-identification attacks
  • measuring and calculating re-identification risks
  • common de-identification techniques
  • de-identification governance

Why the initiative deserves to be recognised by an award?
De-identification is a complex and technically challenging topic, with a vast body of literature on sophisticated techniques to remove personal information and advanced metrics to analyse and measure re-identification risk. What makes De-identification Guidelines for Structured Data deserving of recognition is that it distills a high level of operational detail and guidance materials into a straightforward process that can be understood and followed by someone with limited technical knowledge. The document does this by focusing only on the most relevant and commonly used techniques and metrics. For example, it only discusses the de-identification techniques of masking, generalization and suppression, and it only supports “prosecutor” risk where an adversary knows or can know whether a target individual is in the data set. The result is a document that may act as a baseline for discussions among experts and non-experts, alike. In no small measure, this is because our guidelines are the first of their kind in Canada to use plain language to explain sophisticated de-identification concepts and technical processes, with the benefit of being useful to a very wide audience.

Complete entry available here.

A3: “Corpus luris” (INAI, Mexico)


 

 

 

 

Entry by: INAI, Mexico

The “Corpus Iuris” on personal data protection is an electronic tool based on a search engine which allows the identification of:

  • International instruments on personal data protection, privacy, intimacy, and habeas data in the different human rights systems: American, European, African, the United Nations, as well as in specialized bodies, such as the Special Rapporteur on the right to Privacy of the UN.
  • Jurisprudential criteria that international jurisdictional bodies have issued regarding these rights.

Why the initiative deserves to be recognised by an award?
In the first place, it is useful to have a computer-based tool through which the jurisdictional and administrative authorities can have access to the criteria for the application of the legislation in this subject, allowing them to improve the argumentation in specific cases of application of the law. Also, in Ibero-American countries, this tool is particularly important to achieve an adequate level of conventionality through an exercise of legal interpretation in which the application of international human rights norms is privileged over domestic provisions, when the latter provide lower protection of human rights.

On the other hand, it is also useful to provide individuals and society in general with relevant and updated information related to the right of personal data protection, to the provided mechanisms for its exercise and defense, as well as to the different criteria issued in this subject by international organizations. This, to ensure that the data subject has the necessary information to fully exercise her/his rights to personal data protection, privacy, and informational self-determination.

Complete entry available here.

A4: Big data, artificial intelligence (AI), machine learning and data protection (UK)


 

 

 

 

 

Entry by: Information Commissioner’s Office, UK

Big data, artificial intelligence (AI), machine learning and data protection
The Information Commissioner’s Office (ICO) undertook extensive desk based research, workshops with business and discussions with government and other relevant stakeholders in order to inform its discussion paper on the data protection implications of big data, AI and machine learning.

Why the initiative deserves to be recognised by an award?
Comprehensive: The ICO’s updated paper ‘Big data, AI, machine learning and data protection’ is one of the few resources available which really does cover the waterfront of data protection implications in this context in detail. For instance, while matters such as transparency and consent are commonly covered in similar papers, very few also discuss issues such as data controllership and subject access rights.

Positive: Some similar publications focus on the supposed incompatibility between data protection and big data. The ICO believes that is the wrong conversation to have. Instead, this paper not only supports the view that data protection is compatible with big data, it also emphasises the opportunities and benefits to be seized in terms of innovation, trust and data quality. This approach has been welcomed by a number of commentators (see links in f. below).

Useful: The updated paper’s clear structure and increased focus on practical guidance set it apart as a document that not only informs but also helps. The chapter on compliance tools and the annex on privacy impact assessments are particularly valuable for practitioners to use as a reference prior to and during big data projects.

Complete entry available here.

A5: PrivacyCon 2017 (USA)


 

 

Entry by: U.S. Federal Trade Commission

PrivacyCon 2017 brought together a diverse group of stakeholders, including whitehat researchers, academics, industry representatives, consumer advocates, and government regulators, to discuss the latest research and trends related to consumer privacy and data security.

Why the initiative deserves to be recognised by an award?
The event uniquely gathers Privacy and Security researchers to showcase empirical work to policymakers. The event provides policymakers with access to cutting edge research, and in turn allows researchers to understand better how their work assists policymakers.

Complete entry available here.

A6: Discussion paper on potential enhancements to consent under the Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada)

 

 

 

Entry by: Privacy Commissioner of Canada

The Discussion paper on potential enhancements to consent under the Personal Information Protection and Electronic Documents Act (PIPEDA) forms the basis of consultations held by the Office of the Privacy Commissioner of Canada to consider challenges to PIPEDA’s consent model arising from new technologies and business models.  It supports the development of solutions that would enable individuals to exercise control over their personal information where it is meaningful, while addressing situations where consent is impracticable.

Why the initiative deserves to be recognised by an award?
The concept of individual consent is a critical, yet complex, cornerstone of data protection law and international regulation of personal information. Inter-state conventions enact it as a core principle (e.g. Convention 108), while second and third generation privacy laws insist on its primacy (e.g. various provincial laws in Canada and state laws in EU).

Given that importance, the OPC consulted with interested parties and the public in 2016-2017 to map out the landscape of this concept as formulated in Canada, while also drawing on developments underway over the horizon. The resulting position paper is accessible, clearly argued and sets up the implications for privacy governance in a sensible, pragmatic way.

For this, the authors deserve great credit, as the splinter issues and spin-off questions from such a project are potentially infinite. Their focus on the individual in the whole consent debate is laudable, and the development team for the paper draws on decades of personal experience in national and international data protection work, extending across both the public and private sectors.

Complete entry available here.