Entries submitted

A1: Albanian postal stamp (Albania, Information and Data Protection Commissioner)
A2: GDPR awareness campaign: “De Privacywet van A tot Z” – “La nouvelle loi vie privée de A à Z” (Belgium, Data Protection Authority)
A3: A clear and accessible “Privacy policy for children and teenagers”, in line with the GDPR transparency requirements (Belgium, Data Protection Authority)
A4: Partnership privacy in education in Flanders (Belgium, Data Protection Authority and Flemish Supervisory Committee)
A5: Guidelines for obtaining meaningful consent (Canada, British Columbia, Alberta DPAs and OPC)
A6: Guidance on inappropriate data practices (Canada, Office of the Privacy Commissioner)
A7: OIPC Fact sheets (Canada, Office of the Information and Privacy Commissioner of Ontario)
A8: Guidance on the Use of Automated Licence Plate Recognition Systems by Police (Canada, Office of the Information and Privacy Commissioner of Ontario)
A9: Smart cities (Canada, Office of the Information and Privacy Commissioner of Ontario)
A10: Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A Toolkit (Necessity Toolkit) (European Union, EDPS)
A11: Educap city program (France, CNIL)
A12: « Incoweb-Les Incollables » (Unbeatable!) (France, CNIL)
A13: CNIL and Inria scientific article (France, CNIL)
A14: Exhibition “TerraData : nos vies à l’ère du numérique” about Big Data (France, CNIL)
A15: Personal Data Alphabet (Georgia, Office of the Personal Data Protection Inspector)
A16: Pedagogical methods to teach elementary pupils on how to be a self-critical digital citizen (Germany, Rhineland-Palatinate DPA)
A17: PCPD’s initiatives on the implementation of General Data Protection Regulation (GDPR) (Hong-Kong, Privacy Commissioner for Personal Data PCPD)
A18: The Privacy Campaign for Small and Medium Enterprises (SME) (Hong-Kong, PCPD)
A19: Privacy Campaign for Primary Schools 2018 (Hong-Kong, PCPD)
A20: The 39th International Conference of Data Protection and Privacy Commissioners (39th ICDPPC) (Hong-Kong, PCPD)
A21: A Chinese book on data protection law in Hong Kong – “Watch out! This is My Personal Data Privacy” (Hong-Kong, PCPD)
A22: NAIH project (studies and campaign) on the safe and conscious internet use of children (Hungary, National Authority for Data Protection and Freedom of Information)
 A23: ‘Preparing Ireland for GDPR’ Awareness Initiative (Ireland, Data Protection Commission)
 A24: GDPR Awareness raising conference and workshop (Ireland, Data Protection Commission)
A25: GDPR readiness guide for SMEs (Ireland, Data Protection Commission)
A26: From Global to Local: Sharenting in Israel (Israel, PPA)
A27: Privacy Meets Creativity (Israel, PPA)
A28: Media Campaign: What You Don’t Share Offline, Don’t Share Online! (Israel, PPA)
A29: Introductory Guide to the Data Protection Act 2017 (Mauritius, Data Protection Office)
A30: Interactive Guide for Data Subjects (Mexico, INAI)
A31: Monitor of Transparency and Protector of my Personal Data Program (Mexico, INFOEM)
A32: CNDP virtual library (Morocco, CNDP)
A33: Fact sheets on Privacy issues (Morocco, CNDP)
A34: International Conference of Privacy and data Protection in Africa and Extraordinary Assembly of the African Network of Data Protection Authorities (RAPDP) (Morocco, CNDP)
A35: Privacy Trust Mark (New-Zealand, Office of the Privacy Commissioner)
 A36: Animation (Mohawk Media) (New-Zealand, Office of the Privacy Commissioner)
A37: Public enquiries: a complementary solution (New-Zealand, Office of the Privacy Commissioner)
A38: Data Analytics Guidance (New-Zealand, Office of the Privacy Commissioner)
A39: Privacy ABC (New-Zealand, Office of the Privacy Commissioner)
A40: Software development with Data Protection by Design and by Default (Norway, Datatilsynet)
A41: Artificial intelligence and Privacy (Norway, Datatilsynet)
A42: Raising awareness on the protection of personal data in the schools (Turkey, Turkish Personal Data Protection Authority)
A43: Your Data Matters (United Kingdom, ICO)
A44: Lawful Basis Tool (United Kingdom, ICO)

 

A1: Albanian postal stamp (Albania, Information and Data Protection Commissioner)

 Entry by: Information and Data Protection Commissioner of Albania

Description of the initiative:

On 28 December 2017, on the occasion of 28 January – Data Protection Day, the Albanian postal stamp was issued. The accomplishment of this stamp was an initiative of the Commissioner’s Office. The State Commission of the Postal Stamp considered the requests and suggestions of the Office of the Commissioner and included the proposed stamp as part of the agenda to be issued in the course of 2017.

Why the initiative deserves to be recognised by an award?

Issuing the stamp on the occasion of the Data Protection Day is an initiative of the Commissioner’s Office for which a two-year period was needed and an exceptional work of several institutions in order to accomplish it. This stamp joins the great collection of international stamps which highlights the relevance of data protection in our times, as well as recalls the 28th of January – the Data Protection Day.

Complete entry available here.

 

A2: GDPR awareness campaign: “De Privacywet van A tot Z” – “La nouvelle loi vie privée de A à Z” (Belgium DPA)

Entry by: Belgian Data Protection Authority

Description of the initiative:

The Youth Platform “Ik beslis-Je decide” has prepared an educational package to inform children and youngsters (aged 12-16) about the new General Data Protection Regulation:

The package includes:

  • A short animation video which introduces the basic principles of GDPR, included in an educational bloc on the “ik beslis- Je decide” website
  • An educational sheet for teachers to prepare a thematic course on data protection and GDPR
  • A class book, for the students to complete, to illustrate the basics of data sharing in practice
  • An educational poster

The educational package was launched and made available on the 29th of January, via press and social media. The Secretary of State for Privacy and the Minister for Media presented the package at a press conference, organized in a school. Students got to see the video and had the possibility to discuss the issue of data protection. The Secretary of State and the Minister shared tips and good practices to protect the students’ data.

The campaign was aimed at (1) children and youngster and (2) teachers.

Via the educational information sharing channels, the package was presented to the entire school network in Flanders and Wallonia.

https://www.ikbeslis.be/ouders-leerkrachten/lesmateriaal

Why the initiative deserves to be recognised by an award?

The educational tool aims to explain the basics of data protection, not only in a theoretical way, but by letting children experience the practice of data sharing via the completion of the “old-fashioned” class book. When completing the booklet, children are invited to read the small print and to discover the loopholes of data sharing. The teacher takes the role of a vigilant data broker, who tries to market their data. How do children feel about this? This could be the starting point for a class discussion which makes children think of their sharing behaviour.

Complete entry available here.

 

A3: A clear and accessible “Privacy policy for children and teenagers”, in line with the GDPR transparency requirements (Belgium DPA)

Entry by: Belgian Data Protection Authority

Description of the initiative:

The team “Je décide/Ik beslis”, in charge of providing materials/tips related to children and teenagers’ privacy, came up with the idea of developing a layered privacy policy that would be easily understandable and usable for the young users of the “Je décide/ik beslis) website.

The goal of the project is to meet the transparency requirement of the GDPR by making sure that the personal data processing’s are explained in a clear and didactical way, by using simple and concise language and visuals (see links and image below). Throughout this project, we involved kids and their parents in order to get feedback from them and improve the clarity of the policy. Alongside this privacy policy for kids, we kept a more detailed version of the privacy notice for adults.

Why the initiative deserves to be recognised by an award?

We came up with the idea for this awareness project when we realized that most privacy policies targeting children and teenagers had the same flaws: they are full of complex words, presented in a linear format, and difficult to read.

Drawing from these observations and having the responsibility to set up good practises in data protection especially for vulnerable audiences, we decided to re-draft our own privacy policy to make it as easy to read and understand as possible, by children as well as adults (see links and image below). Throughout this project, we involved kids and their parents in order to get feedback from them and improve the clarity of the policy.

This privacy policy can be used as an example for other websites which target a young audience. At the moment, we are aiming to re-redraft our main website‘s privacy policy (https://www.autoriteprotectiondonnees.be/) on the basis of the format developed for the privacy policy for kids on the “je décide/ik beslis” website.

Complete entry available here.

 

A4: Partnership privacy in education in Flanders (Belgium, Data Protection Authority and Flemish Supervisory Committee)

Entry by: Gegevensbeschermingsautoriteit (Belgian DPA) and Flemish Supervisory Committee (VTC)

Description of the initiative:

To improve privacy and information security in nursery, primary and secondary schools in Flanders, a unique partnership was set up between the data protection supervisory authorities (Flemish Supervisory Committee (VTC) and Belgian DPA), the Flemish Agency for Educational Services (AgODi), the educational networks and the software suppliers.

The seeds of this collaboration were already planted in 2013 and grew into an agreement between all actors and a practical guide for schools in 2018.

Why the initiative deserves to be recognised by an award?

The cooperation of the two competent supervisory authorities, the central Flemish education administration, the participation of all educational networks and the software suppliers, the quality result, information which is accessible to the target group as well as very openly shared, a source of inspiration for other sectors. More than enough reasons to nominate this project, this partnership.

The result of this unique and successful collaboration was bundled into a website http://www.privacyinonderwijs.be. The intention is to further expand this website. At present, the following documents are available for consultation:

  • the brochure ‘In 7 stappen naar gegevensbescherming in onderwijsinstellingen’ (7 Steps to Data Protection in Educational Institutions)
  • the extensive and technical brochure ‘Wegwijs in de GDPR voor onderwijsinstellingen op basis van een tekst van de DPA’ (Guide to the GDPR for educational institutions on the basis of a text from the DPA)
  • a register template already containing generic processing operations and including a breach register
  • a declaration of intent, already submitted to major software suppliers for education, to use the processing agreement template
  • the processing agreement template
  • a FAQ section that still needs to be completed on the basis of further cooperation.

Complete entry form available here

 

A5: Guidelines for obtaining meaningful consent (Canada, British Columbia, Alberta DPAs and OPC)

Entry by: Office of the Information and Privacy Commissioner for British Columbia; Office of the Information and Privacy Commissioner of Alberta; Office of the Privacy Commissioner of Canada.

Description of the initiative:

The increasingly complex digital environment – with technological innovations such as big data, the IoT and AI – is posing challenges for privacy protection and the consent model. The consent guidance sets out practical and actionable advice to help provide clarity and certainty for organizations to ensure they obtain meaningful consent. The guidance will also help Canadians to understand their privacy rights under the law – and what they can expect from businesses that handle their personal information.

Why the initiative deserves to be recognised by an award?

There are two things that this guidance achieves that set it apart and make it deserving of an ICDPPC Global Privacy and Data Protection Award. First, it responds directly to our stakeholders’ needs, gauged through an over-two-year consultation. Second, it bridges an important gap between broad and principle-based legislation and actual, concrete compliance expectations in an age of rapid technological change.

-One-

During extensive public consultation, we heard clearly that the increasingly complex digital environment – with technological innovations such as big data, the IoT and AI – is posing challenges for privacy protection and the consent model. Stakeholders overwhelmingly called on the OPC to provide more guidance.

We responded directly with practical and actionable guidance regarding what organizations should do to ensure that they obtain meaningful consent.

-Two-

Though technology neutral, Canada’s laws were adopted when routine, predictable, transparent one-on-one interactions between organizations and individuals were the norm. This is no longer. As regulators, we see our role as including giving guidance that clarifies legislative requirements and sets expectations regarding how the law should generally be interpreted and applied.

This gives organizations an adequate level of certainty to be able to act with confidence that that action complies with privacy requirements.

Complete entry available here.

 

A6: Guidance on inappropriate data practices (Canada, OPC)

Entry by: Office of the Privacy Commissioner of Canada

Description of the initiative:

Under Canadian private sector privacy law, even with consent, an organization must still show that its purposes for collecting, using or disclosing personal information in the first place are ones that a reasonable person would consider appropriate in the circumstances.

This guidance document sets out a series of “no-go zones” which the Office of the Privacy Commissioner generally considers offside of Canada’s federal private sector privacy law.

Why the initiative deserves to be recognised by an award?

Clearly defining inappropriate uses of personal data serves two important purposes. First, it protects individuals. Second is plays an important role in maintaining trust in the digital economy.

-One-

Individuals should not be expected to shoulder the heaviest burden when it comes to deconstructing complex data flows in order to make informed decisions on whether or not to provide consent; in other words, though consent must remain important, it cannot serve as the only mechanism of privacy protection

-Two-

This guidance plays an important role in mitigating the risk that consumers will lose trust in the digital economy, thus hindering its growth, and they may not enjoy all the benefits afforded by innovation.

Having a specific list of no-go zones in a guidance document provides the flexibility to periodically revisit and update the list to keep pace with rapid change and innovation, which the OPC intends to do.

Finally, while created primarily with the Canadian legislative context in mind, the list transcends any given piece of legislation, and would serve as useful guidance to any company, regardless of location, of practices that should not be undertaken.

Complete entry available here.

 

A7: OIPC Fact sheets (Canada, Office of the Information and Privacy Commissioner of Ontario)

Entry by: Office of the Information and Privacy Commissioner of Ontario, Canada (OIPC)

Description of the Initiative:

The OIPC fact sheets, Big Data and Your Privacy Rights and Smart Cities and Your Privacy Rights raise awareness of important technology trends and the potential impacts on the general public. Written in clear, accessible language, the fact sheets provide an overview of the technologies, explain the potential benefits and privacy risks of their use by government organizations, and describe how privacy can be protected when using these technologies.

Why the initiative deserves to be recognised by an award?

The fact sheets represent a proactive effort to explain important technology trends and their impacts directly to members of the public in a clear, accessible way. They seek to influence public understanding and to help frame key privacy issues for public discussion on these important topics. They support digital literacy and act as resources to support meaningful engagement with government leaders.

Both publications address timely and urgent issues, and are the first of their kind to be released in Canada by a privacy authority. They have served as a model for other data protection authorities to emulate in their own jurisdictions.

These publications are also part of a broader advocacy effort by our office to engage with all stakeholders on the privacy and security risks of new information technologies.

Complete entry available here

 

A8: Guidance on the Use of Automated Licence Plate Recognition Systems by Police (Canada, Office of the Information and Privacy Commissioner of Ontario)

Entry by: Office of the Information and Privacy Commissioner of Ontario, Canada (OIPC)

Description of the initiative:

The OIPC’s document, Guidance on the Use of Automated Licence Plate Recognition Systems by Police Services, outlines the key obligations police services have under Ontario’s public sector privacy legislation in their use of ALPR systems for public safety purposes. The guidance includes best practices for using ALPR systems in a privacy-protective manner and discusses issues, including:

  • overview of ALPR technology
  • privacy implications of ALPR systems
  • benefits of Privacy Impact Assessments
  • implementation guidelines

Why the initiative deserves to be recognised by an award?

Guidance on the Use of Automated Licence Plate Recognition Systems by Police Services is the first guide of its kind in Canada and serves as a baseline for the policies and procedures for establishing ALPR systems.

The OIPC consulted with the OPP to ensure the guidance’s applicability, utility, and relevance to police services across the province.  Our research and consultation work began in 2015 and was completed in 2017.

Today, more than 20 police services in Ontario follow the OIPC guidance. Many Ontario police services are transparent about their use of ALPR and compliance with our guidance.  For example, the London Police Service’s ALPR website shares news, videos, the OIPC guide, and other general information about the system, emphasizing the service’s commitment to compliance.

Lastly, many of the principles and best practices discussed in the guidance have broad application to other surveillance technologies, such as police body worn cameras and school bus stop-arm cameras.

Complete entry available here

 

A9: Smart cities (Canada, Office of the Information and Privacy Commissioner of Ontario)

Entry by: Information and Privacy Commissioner of Ontario (IPC)

Description of the initiative:

The IPC has taken a leadership role in ensuring that municipalities are prepared for the emergence of smart city technologies, and their inherent privacy risks. The need for strong privacy protections must be a constant. This was the message our office and privacy protection authorities from across the country recently delivered to the Government of Canada. The IPC also developed guidance to help the public understand how smart cities can affect an individual’s privacy.

Why the initiative deserves to be recognised by an award?

  • Ontario’s cities have seen a rise in the launch of smart city initiatives, with injection of federal funding, the arrival of Sidewalk Labs and a general push for innovation given increasing strain on cities.
  • We recognised this trend and prioritized this issue for proactive engagement. In just four months:
    • We gained cross-Canada support to lobby the federal government via an open letter, and secured a commitment from the minister that privacy would be an important review criteria
    • This open letter had an impact beyond the Smart City Challenge. Sidewalk Labs was in the process of developing a data governance framework and relied on certain recommendations from the open letter including a commitment to conduct PIAs and TRAs. We continue to engage with Sidewalk Toronto as the project proceeds.
    • Drafted a fact sheet for the public.
    • Attended three smart city conferences/ learning events to study the technologies, and ethical considerations.
    • Delivered eight speeches on smart cities to private sector, public sector, civil society and the public, raising awareness among decision makers.
    • Proactively contacted a municipality regarding a news item describing a smart initiative that raised privacy questions and worked to resolve the issues.

Complete entry available here

 

A10: Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A Toolkit (Necessity Toolkit) (European Union, EDPS)

Entry by: European Data Protection Supervisor

Description of the initiative:

The toolkit aims to help the European legislators to better assess the necessity of new legislative measures that might limit the right to data protection and other fundamental rights such as the right to privacy. The Necessity Toolkit provides for an extremely practical step-by-step checklist, by specifying the criteria for the application of the necessity principle.

Why the initiative deserves to be recognised by an award?

This initiative has already been submitted last year. However, given the important acknowledgment the toolkit has received since its publication (which occurred a few days before the submission), the EDPS has considered to re-submit the initiative.

The necessity toolkit is the first of its kind in providing help for EU legislators when evaluating the compliance of new legislative measures. It provides for practical and step-by-step guidance on the necessity principle’s application by EU legislators when any new law involves the processing of personal data. It also highlights the complexity of other notions such as the appropriateness and proportionality of a measure, and contributes to distinguish them.

The toolkit can also be used by national legislators within the EU and beyond, as the principle of necessity is enshrined in many national legal frameworks. Moreover, national data protection authorities could make use of the toolkit when providing advice to national legislators on measures which could undermine the right to the protection of personal data.

Therefore, the toolkit not only is a compliance, but also an educational tool. It also majorly contributes to creating public awareness, by practically exemplifying the utility of the necessity principle’s application to the law making process.

Complete entry form available here.

 

A11: Educap’city Program (France, CNIL)

Entry by: CNIL (France)

Description of the initiative:

The Educap’city Program aims to raise young public (9-14) awareness of his rights.

The CNIL and the Defender of Rights will receive 400 young people and their educators on the 20th of June. Each team of 6 children will have to answer 6 challenges about their rights, how to exercise them, how to protect their personal data… The question of the CNIL will focus on passwords. Goodies and posters will be given to children at the end of the event.

Why the initiative deserves to be recognised by an award?

This original initiative brings together two French Authorities which are specialized in defending young people rights. In the digital world, to protect one’s private life and to know how to exercise one’s rights is an important issue for young people.

Complete entry available here.

 

A12: « Incoweb-Les Incollables » (Unbeatable!) (France, CNIL)

Entry by: CNIL (France)

Description of the initiative:

CNIL issued a new interactive Quiz called “Your Privacy is secret!” aimed at young people aged 10 to 14 inviting them to test their knowledge and check along with 30 questions their understanding on how to protect their privacy online; it provides players a final scoring complemented by wide resources adapted to the unsuccessful replies. 3000 copies of “Les Incollables” (“Unbeatable”) were delivered to schools in cooperation with the French Ministry of Education in 2017.

Why the initiative deserves to be recognised by an award?

The Incoweb version of “Les Incollables” ‘Unbeatable” which amounted to more than 100 000 uploadings in 2017 is  one of the best resources benefiting from funny specific illustrations of the hero “Mister potatoe” developed by Martin Vidberg, a famous graphist at young people and at adults in daily French newspapers (Le Monde,…).

It looks like a very handy fan equipped with questions/answers on Privacy designed for a playful session while gaining awareness at teenagers and their families during a long journey or for reviewing best Privacy practices.

The set of topical fact sheets and resources linked to the Incoweb game provides a continuum in awareness-raising information for player, see for instance:

Use a secured passwords, be unbeatable on hackers, Recognize a sponsored advertisement, Fight against phishing, Use pseudonyms, set up an account…

Complete entry available here.

 

A13: CNIL and Inria scientific article (France, CNIL)

Entry by: CNIL (France)

Description of the initiative:

CNIL and Inria (French public entity for scientific research on digital sciences and technologies) reward a scientific article in the field of computer or information science dedicated to the protection of personal data or privacy and written in French or in English.

Why the initiative deserves to be recognised by an award?

It is an opportunity to raise awareness and promote research on privacy and data protection within the scientific community, quite particularly as regards the evolutions led by the General Data Protection Regulation (GDPR).

In particular the development of Privacy by design, accountability and necessary development of technical tools allowing in particular to guarantee the security of the data and individuals rights.

Complete entry available here.

 

A14: Exhibition “TerraData : nos vies à l’ère du numérique” about Big Data (France, CNIL)

Entry by: CNIL (France)

Description of the initiative:

The exhibition focuses on a strong topicality of our society: the stakes of the exponential development of digital technology.

Four main questions define the itinerary of the visit:

  • What is data?
  • How is data processed?
  • What impact does data have?
  • Where is data leading us?

The new technologies are deciphered in a colorful, modern and interactive scenographic universe. About thirty tables serve as a support for audiovisuals, multimedia and graphic arts, to understand a world in the midst of an economic and cultural revolution.

The French Data Protection Authority has strongly and happily cooperated from the very beginning with Universcience to create the exhibition (interview of the president, providing of historical and digital contents, DP law advising, etc.).

Why the initiative deserves to be recognised by an award?

This exhibition is a unique and very efficient pedagogical tool to understand Data Protection issues. It is designed for a wide public and it allows to understand Big Data in a playful way. It is a travelling exhibition available in English, Italian and French, and it could be adapted in other languages. It is accessible to all disabled people.

Complete entry available here

 

A15: Personal Data Alphabet (Georgia, Office of the Personal Data Protection Inspector)

Entry by: Office of the Personal Data Protection Inspector of Georgia

Description of the initiative:

Personal Data Alphabet is an online platform bringing together 26 examples of personal data attached to each letter of the English alphabet. It illustrates potential risks connected to data and the ways to protect them in plain language. Alphabet helps individuals realise that the list of personal data is so extensive that at least one example stands behind each letter of the alphabet. It also assists individuals in understanding the importance of personal data protection.

Why the initiative deserves to be recognised by an award?

First of all, Personal Data Alphabet is a novel and original concept that aims to reach a wide audience and contribute to raising public awareness on personal data protection.  Secondly, the form of this multimedia tool is creative and easily accessible to the public; it is also written in plain language that ensures information to be available to a large number of individuals of various ages and profession.

The Alphabet can be used as an informational material in different settings and may be tailored to various audiences. It can be adapted and/or transformed in different formats (e.g., printed, quiz game, puzzle) and used for various purposes – for example, currently its integration into secondary school education program in Georgia is being discussed. It is also possible to adjust the Alphabet and re-assemble it in other languages.

Complete entry available here

 

A16: Pedagogical methods to teach elementary pupils on how to be a self-critical digital citizen (Germany, Rhineland-Palatinate DPA)

Entry by: Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz (LfDI)

Description of the initiative:

In 2018, the LfDI worked out pedagogical methods to teach elementary pupils on how to be a self-critical digital citizen. One of today’s main challenges is to enable the youngest generation to build a broad base of knowledge on how to protect oneself in the internet and on how to use devices connected to the internet. The workshops mainly focus on the dangers of the internet and on these of an uncritical digital generation.

Why the initiative deserves to be recognised by an award?

Hence, many parents just introduce their kids to digital devices without educating them on possible dangers, it should be the schools to impart this important knowledge. The age with which children start to use smartphones and tablets tends to be even earlier today than a couple of years ago. Since the LfDI Rhineland-Palatinate is a pioneer on the topic of digital education in terms of data protection at an early stage, we hope to raise awareness of the importance of digital education in elementary schools. The methods we worked out are licensed under CC 4.0 by LfDI RLP. Therefore, at least the German speaking data protection authorities could potentially benefit from our work and, hopefully, create similar initiatives. Moreover, with the help of the award we hope to have a strong instrument to convince the government of the importance of integrating data protection in the curriculums.

Complete entry available here

 

A17: PCPD’s initiatives on the implementation of General Data Protection Regulation (GDPR) (Hong-Kong, PCPD)

Entry by: Privacy Commissioner for Personal Data, Hong Kong (PCPD)

Description of the initiative:

The European Union (EU)’s new data protection law, GDPR, came into force on 25 May 2018. EU is Hong Kong’s second largest trading partner, and hence since 2017 PCPD has implemented the below:

  • A comparative study on the GDPR and Hong Kong’s Personal Data (Privacy) Ordinance (PDPO)
  • Published a booklet on key features of GDPR
  • GDPR themed educational activities
  • Media interviews/articles concerning GDPR
  • A dedicated web page

Why the initiative deserves to be recognised by an award?

As the GDPR constitutes significant developments of data protection law, the new regulatory framework includes some requirements that are not found under the PDPO.  Benefiting from the PCPD’s GDPR-themed initiatives, local SMEs, corporates, government departments, public bodies and legal professionals have got to start navigating  to ascertain if and how the new law is applicable to them, and to keep up with the latest developments.

The wide spectrum of the target recipients of the publicity and education initiatives, from government offices to professional associations, covering online publicity initiatives and offline face-to-face training, made it effective to convey the essence of the GDPR to all sectors.

Complete entry available here.

 

A18: The Privacy Campaign for Small and Medium Enterprises (SME) (Hong-Kong, PCPD)

Entry by: Privacy Commissioner for Personal Data, Hong Kong (PCPD)

Description of the initiative:

This territory-wide privacy protection initiative organized by the PCPD aims to raise awareness and to enhance understanding of the Personal Data (Privacy) Ordinance (PDPO) among the SME through a mix of innovative and traditional means and the engagement of different stakeholders.

Why the initiative deserves to be recognised by an award?

Given the limited resources and manpower, it has always been a challenge for SME to comply with the requirements of the PDPO or to attend to any related training.  By using innovative measures and engaging relevant stakeholders, the above issues have been addressed, and the message of the importance of data protection is also successfully penetrated to SME through this territory-wide data protection education initiative. Notably, just a phone call away, our specialised team of officers offer handy practical advice to SME operators.

Complete entry available here.

 

A19: Privacy Campaign for Primary Schools 2018 (Hong-Kong, PCPD)

Entry by: Privacy Commissioner for Personal Data, Hong Kong (PCPD)

Description of the initiative:

The ever-evolving digital technology is affecting children currently and in future.   Many children are creating a “virtual me” and the digital footprints they leave can impact on their future adult lives.  The PCPD therefore has to keep up with the pace of change to raise children’s awareness of personal data privacy online. By introducing this new education initiative, we would like to reach out to primary school students (ages 6-12) as well as their teachers and parents to keep them informed and engaged on personal data protection during the childhood education.

Why the initiative deserves to be recognised by an award?

  • Overwhelming response was received for the two competitions within a month:
    • Some 4,000 entries were received from students;
    • 117 schools participated in the Campaign promotion in campuses; and
    • Over 740 students joined the student talks.

A total of over 93,000 people participated in the Campaign, including students, parents and teachers. This is an example of a fun and cost-effective way to promote children privacy.

  • Intensive promotion and publicity of the Campaign was carried out (both online and offline, e.g. advertorials and ads on newspapers and school publications, banner ads on websites, facebook and Youtube channels etc.) to promote the message of “Data Protection in Your Hand” to the students, parents, teachers and members of the public:
    • Total number of readers reached on printed publications was 4,600,000;
    • Total number of reaches via online publicities was over 1,524,000.
  • Besides students, parents and teachers were also involved in the education campaign. The message of personal data protection would hence be able to be further disseminated and built into the wider community.

Complete entry available here

 

A20: The 39th International Conference of Data Protection and Privacy Commissioners (39th ICDPPC) (Hong-Kong, PCPD)

Entry by: Privacy Commissioner for Personal Data, Hong-Kong (PCPD)

Description of the initiative:

The PCPD successfully hosted the 39th ICDPPD in September 2017 in Hong Kong.  The Conference has brought more than 750 representatives from data protection authorities, government and business leaders and academia from over 60 countries or regions for in-depth discussions on emerging issues on data protection and addressing future challenges. Diverse social events were also offered to showcase the vibrancy and niceties of Hong Kong with a unique blend of East-meets-West culture.

Why the initiative deserves to be recognised by an award?

The ICDPPC was held again in Hong Kong in 2017 after 18 years, and Hong Kong was so far the only Asian city that had hosted the event. The Conference was included as one of the celebration events of the 20th anniversary of the establishment of the Hong Kong SAR.   With the theme “Connecting West with East in Protecting and Respecting Data Privacy”, the PCPD has brought the Asia values and data protection regulations under the spotlight, and also the commonalities and differences amongst the data protection regimes in Asia, as well as how they address the privacy challenges brought about by technological advancement.  The Conference has brought more than 750 representatives to attend, making it as one of the most well-attended ICDPPC conferences. Sixty world renowned speakers, panellists and moderators were also invited to share their insights during the Conference.

The Conference has well demonstrated the theme “Connecting West with East” from the conference programme to the social events. The well mix of East-meets-West culture and the hospitality to overseas delegates had made the event one of the most remarkable conferences to the participants.

Complete entry is available here

 

A21: A Chinese book on data protection law in Hong Kong – “Watch out! This is My Personal Data Privacy” (Hong-Kong, PCPD)

Entry by: Privacy Commissioner for Personal Data, Hong Kong (PCPD)

Description of the initiative:

The PCPD published a book in Chinese entitled “Watch out! This is My Personal Data Privacy” (《注意! 這是我的個人資料私隱》), providing a user-friendly guidance on the requirements under the Personal Data (Privacy) Ordinance in Hong Kong (the Ordinance), supplemented with inspirational cases, to raise the awareness of the protection of and respect for personal data privacy.

Why the initiative deserves to be recognised by an award?

  • It is probably the first Chinese book in Hong Kong with a theme specified in personal data privacy.
  • The book is a breakthrough from the PCPD’s tradition on publishing guide book in English with lots of legalistic terms and references. Rather, the book is written in simple and easy-to-understand language, aiming to reach out to the local community at large.
  • The book won the Merit Award of “Mono / Duotone Color Book” Group under “Book Printing” Category of the 29th Hong Kong Print Awards, the largest and most representative competition for the publishing, printing and graphic design industry in Hong Kong.
  • It is also one of the short-listed books under the “secondary school” group to run for the “15th Top 10 Best Book Awards” in Hong Kong.
  • The book has been specifically introduced to members of the public, schools and representatives of organisations during talks and recommended by book reviews at various media platforms.

Complete entry available here

 

A22: NAIH project (studies and campaign) on the safe and conscious internet use of children (Hungary, National Authority for Data Protection and Freedom of Information)

Entry by: Hungarian National Authority for Data Protection and Freedom of Information

Description of the initiative:

NAIH project (studies and campaign) on the safe and conscious internet use of children:

  • Key to the World of the Net! – Study of NAIH on the Internet habits of children between 10 and 16
  • A Small Key to the World of the Net  –  Study focused on children under 10
  • Awareness campaign with Tamás Vastag’s song in 2014
  • Joining the ARCADES project of the EU whereby reference books on data protection were published for teachers

Why the initiative deserves to be recognised by an award?

The Hungarian DPA focuses on the protection of the personal data of children because the rapid development of IT, internet and telecommunication technologies have brought about radical changes in the world almost in all aspects of life.

The new culture develops novel behavioural forms which we, adults, need to recognize, understand as well as to prepare the so-called “Z generation” to dangers arising out of them, too. The aim of the studies and the campaign of the NAIH was always the same: to help children and youths—directly and by way of assistance from adults responsible for their upbringing—live consciously in the world of the Internet, not only be smart but also knowledgeable at using these devices, and also to take responsibility for others in virtual reality, as well.

We think that our work (studies, campaign) regarding the conscious internet use of children is essential and relevant both for children and parents in this world meshed by the internet.

Complete entry available here

 

A23: Preparing Ireland for the GDPR’ Awareness Initiative (Ireland, Data Protection Commission)

Entry by: Data Protection Commission, Ireland

Description of the initiative:

In 2017, the DPC launched a major initiative ‘Preparing Ireland for the GDPR’ to raise awareness of the GDPR. This initiative identified and coordinated a number of communication strands aimed at raising awareness among the business community and the public. National surveys carried in May 2017 and May 2018 demonstrated a doubling of awareness of GDPR in Ireland during this period. By May 2018 over 90% of business were aware of the GDPR.

Why the initiative deserves to be recognised by an award?

The DPC commissioned surveys in May 2017 and May 2018 to provide concrete metrics to measure the impact of the “Preparing Ireland for the GDPR” awareness initiative. The survey results show a remarkable two-fold increase in GDPR awareness amongst SME businesses in Ireland (90% in May 2018) compared to last year (44% in May 2017). In addition, in 2018 compared to 2017, five times more SME business executives demonstrated knowledge of the consequences of GDPR for their organisations, along with a two-fold increase in pre-compliance activity in the small to medium enterprise sector.

Both our GDPRandYOU.ie guidance and our video adverts have been cited by the National Adult Literacy Agency of Ireland as exemplifying the principles of accessibility and understandability.

A lot of thought and effort was invested by the DPC in developing and coordinating the type of campaign that would have meaningful impact for stakeholders, that would be of real assistance to those organisations and individuals seeking to comply with the GDPR and, more generally, to raise public awareness of data protection rights.

The DPC “Preparing Ireland for the GDPR” initiative made a very significant contribution to achieving an extraordinary level of GDPR awareness among Irish business and the public. Over 80% of the Irish public were reached by our campaign, leading to GDPR awareness of over 90% in business community.

Complete entry available here

 

A24: GDPR Awareness raising conference and workshop (Ireland, Data Protection Commission)

Entry by: Data Protection Commission, Ireland

Description of the initiative:

In January 2018 the DPC hosted a landmark international conference on ‘Delivering Accountability under the GDPR’.

This free and practical hands-on event – which was run in conjunction with Centre for Information Policy Leadership(CIPL)  – highlighted and demonstrated accountability in practice, through interactive discussions and presentations for almost 500 attendees from SMEs and the Public Sector, led by leading global privacy specialists and professionals.

The slides and presentations materials from the Conference were published online as a permanent learning resource to be accessed by any organisation free of charge.

Why the initiative deserves to be recognised by an award?

This was a landmark international conference that allowed almost 500 delegates from all sectors to benefit from the experience and expertise of leading global privacy specialists, including senior representatives from the DPC, the Center for Information Policy Leadership, Apple, Facebook, Mastercard Worldwide, HP, Accenture, Google, and Arthur Cox, among others.

The conference was free-of-charge, and presentation materials were made published online as a permanent freely available resource.

Delegates benefitted from practical, hands-on workshops and exercises, and had the opportunity to shape the conversation by submitting questions through their phones directly onto the conference screen.

The DPC undertook this initiative in order to create a valuable learning event for those organisations that were most anxious about the introduction of the GDPR – SMEs and public sector organisations. The DPC is proud to have provided a unique event that allowed these organisations to gain expert, yet practical, training and insight from leading global experts.

The feedback the DPC received following this conference was overwhelmingly positive, and we expect to organise similar events in the future.

Complete entry available here

 

A25: GDPR readiness guide for SMEs (Ireland, Data Protection Commission)

Entry by: Data Protection Commission, Ireland

Description of the initiative:

In order to assist SMEs in Ireland with their GDPR preparations, in December 2017 the DPC published ‘Preparing your organisation for the GDPR – a guide for SMEs’. This digital publication was made available free-of-charge in a downloadable PDF format on the DPC’s GDPR microsite, GDPRandYou.ie.

The guide also incorporated a checklist, which was also available for download in isolation. The guide was prepared in consultation with the Irish Small Firms Association.

Why the initiative deserves to be recognised by an award?

The guide was developed in response to the need to assist the SME sector to prepare for the GDPR. The readiness guide was prepared in consultation with the Irish Small Firms Association which help ensure that it was of real value to Irish SMEs.

The SME guide has proven to be a valuable resource to the DPC in driving compliance and awareness among SMEs. Organisations engaging with DPC are routinely referred to guide as a good practice compliance guide.

The SME guide, free to download, has been widely shared and disseminated on social media and feedback has been overwhelmingly positive

The SME guide has even been disseminated by other organisations, as detailed at point f below.

Complete entry available here

 

A26: From Global to Local: Sharenting in Israel (Israel, PPA)

Entry by: Israel’s Privacy Protection Authority (PPA)

Description of the initiative:

This initiative is looking to promote public awareness of sharenting. This new term refers to parents oversharing of personal data which concerns their children.

PPA has realized that sharenting, while much discussed abroad, does not receive sufficient attention in the Israeli discourse.  In order to encourage and generate a debate, PPA created a multi-layered plan consisted of four elements: cooperation with the Academy of the Hebrew Language; informational video; a news article and an op-ed.

Why the initiative deserves to be recognised by an award?

PPA’s initiative addresses common behavior in the digital-driven era which may be problematic.  This initiative is relevant to the challenges presented by technological developments, urging to consider the implications of current trends on the next generation.  As sharenting has become a global trend, the initiative touches upon the sensitive issue of children’s privacy vis-à-vis their parents and the society at large.  It highlights the need to balance between the interests of parents, and those of the children and their well-being.

This initiative accurately identifies that sharenting does not receive sufficient attention within the local discourse, and therefore requires an informed public debate.  In this context, it is looking to adapt the use of a global term to the local culture.

Importantly, PPA’s initiative takes into account that in order to increase awareness amongst the general public in an effective manner, it is necessary to move away from an exclusive focus on the governmental ‘voice’.  It therefore focused on building partnerships and mobilizing external actors of influence.

The initiative was highly successful, engaging with the public through different forms and outlets in a creative and innovative manner.  It also expanded the reach of PPA’s messaging and exposure to new audiences.

Complete entry available here.

 

A27: Privacy Meets Creativity (Israel, PPA)

Entry by: Privacy Protection Authority Israel

Description of the initiative:

Privacy Meets Creativity: PPA Collaborates with Habetzefer

In order to increase public awareness of the importance of privacy and data protection in the digital era, PPA has been cooperating with an Israeli Advertising Studies Institute, Habetzefer, highlighting the themes of informed consent, oversharing of personal information on the internet, as well as the fact that data protection is a global issue which concerns us all.  Habetzefer students created campaigns which are visually representing these notions.

Why the initiative deserves to be recognised by an award?

PPA’s initiative addresses relevant and topical issues in an unconventional manner.  Collaborating with creative partners, it managed to come up with effective messages, targeting various audiences and expending the reach of PPA’s impact and key messaging.

This initiative was developed in light of the understanding that in order to increase awareness amongst the general public in an effective manner, it is necessary to move away from an exclusive focus on the governmental ‘voice’.  It therefore focused on building partnerships and mobilizing external actors of influence.

The initiative has empowered young students and provided them an opportunity to use their talent and skills to promote the right to privacy in a creative and innovative way.  This was in line with the underlying message that “Privacy Concerns Us All”, including students and young people.  As a result of this initiative, the students effectively became privacy ‘ambassadors’, and they will hopefully promote and be mindful of the right to privacy in their future activities.

Complete entry available here

 

A28: Media Campaign: What You Don’t Share Offline, Don’t Share Online! (Israel, PPA)

Entry by: Privacy Protection Authority, Israel

Description of the initiative:

PPA launched a media campaign in order to increase awareness to oversharing of personal data in the digital sphere.  Looking to demonstrate the potential risks to the right to privacy, PPA decided to focus on the manner privacy considerations become relevant to individuals in their daily routine, personal moments and relationships. It came up with a simple catchy slogan that will resonate well with the general public.

Why the initiative deserves to be recognised by an award?

This initiative addresses relevant and topical issues in an unconventional manner.  Collaborating with creative partners, it managed to come up with a simple and effective slogan, suitable to diverse audiences, thus expanding the reach of PPA’s impact and key messaging.

The campaign motivated the public to visit PPA’s website in which a new section has been devoted to privacy in the daily routine.  This section was recently launched and it contains information, guidance and resources regarding the right to privacy and the challenges involved in its protection. The Q&A section contains information on ‘hot’ topics such as privacy at the workplace, CCTV cameras and the right of access by the data subject.

The campaign was effectively used to expose the public to the launch of a new section on PPA’s website and to the availability of informative resources. It received more than 1.5 million overall views (in all platforms), including hundreds of thousands of complete views of videos, and hundreds of shares and comments on social networks. It contributed to a significant increase in the number of monthly visits to the website – from an average of 7,000 visits to 80,000 visits per month during the campaign period.

Complete entry available here

 

A29: Introductory Guide to the Data Protection Act 2017 (Mauritius, Data Protection Office)

Entry by: Data Protection Office, Mauritius

Description of the initiative:

This guide seeks to summarise the key changes that the new Data Protection Act 2017 has brought, highlight the new obligations which controllers and processors must comply with and make data subjects aware of their enhanced rights.

The Introductory Guide to the Data Protection Act 2017 contains answers to frequently asked questions, checklists and everything else one needs to get to grips with this new law.

Why the initiative deserves to be recognised by an award?

The legislation on data protection which dates from 2004 has been reviewed to align with the European Union’s General Data Protection Regulation (GDPR). The reform brought to the legal regime of data protection has also been made in an effort to simplify an area of law that is sometimes seen by the market as overly cumbersome and complex, the more so given the increasing cross-border nature of activities conducted in or through Mauritius. It is good to point out that Mauritius is the first country in Africa to adopt this new law based on the GDPR. In this respect, the Data Protection Office of Mauritius has issued this guideline to facilitate the interpretation, comprehension and practical application of provisions of the new Data Protection Act 2017.

Complete entry available here

 

A30: Interactive Guide for Data Subjects (Mexico, INAI)

Entry by: National Institute for Transparency, Access to Information and Personal Data Protection (INAI Mexico)

Description of the initiative:

The Interactive Guide for Data Subjects (hereafter The Guide) is aimed at the general public and citizens.

Its objective is to explain data subjects: a) what is the right to the protection of personal data; b) why it is important to take care of their personal information; c) how they can exercise their right and to whom they can complain if they consider that their right has been violated.

Why the initiative deserves to be recognised by an award?

In order to develop a culture of personal data protection among the population in Mexico, INAI considered convenient to have an interactive guide, which is adaptable and accessible from any web browser and mobile device, adding multimedia elements such as videos, gifs, 2D animations, among other elements, in order to make it more attractive and easy to read and consult for those that may be interested.

Therefore, through the launch of the Guide in an interactive format, the INAI, as guarantor of the rights of access to public information and personal data protection, consolidates its commitment of dissemination of the right to the protection of personal data amongst data subjects, through the development of tools that allow a didactic approach as part of INAI’s civic education campaign on the exercise of personal data protection rights.

Complete entry available here

 

A31: Monitor of Transparency and Protector of my Personal Data Program (Mexico, INFOEM)

Entry by: State of Mexico Transparency, Public Information Access and Personal Data Protection Institute of Estado de México and municipalities, (Instituto de Transparencia, Acceso a la Información Pública y Protección de Datos Personales del Estado de México y Municipios, INFOEM)

Description of the initiative:

Monitor of Transparency and Protector of my Personal Data Program is implemented in the State of Mexico schools to contribute to the formation of honest citizens, children will be able to recognize their warranties by using a credential that makes them vigilant of the well use of personal data and transparency in their activities. This allows them build a culture of protection of personal data that fosters a state of individual and collective security.

Why the initiative deserves to be recognised by an award?

The right of privacy and protection of personal data is distinguished by its fundamental nature, constitutionally recognised and an essential part of the international public agenda. In this context, the Infoem, as the guarantor of this right, has implemented proactive approach programs aimed at spreading knowledge, stimulating its exercise and consolidating its insertion in the democratic culture of the entity. This program is also a result of an agreement the Infoem has with the State of Mexico Ministry of Education which has been useful for the execution of the program.

This program stands out for its objective to achieve recognition of the Infoem and the rights protected by it and leads to form better informed, honest and aware citizens.

Children will become the future public servants, DPAs, CEOs, parents and to foster the importance of protecting their data in early ages will make them conscious and better citizens.

Being “Monitor of Transparency and Protector of my Personal Data”, is to be vigilant of the importance of taking care of personal data which also leads to caring for integrity and wellbeing. So far, this program have sensitized 1960 children from different municipalities in the State of Mexico.

Complete entry available here

 

A32: CNDP virtual library (Morocco, CNDP)

Entry by: CNDP Morocco

Description of the initiative:

The CNDP virtual library is a website accessible throughout the Commission online platform that gather and deliver to the Moroccan people and the African community a large amount of knowledge in the personal data field.

The CNDP aim to enrich this library gradually until it becomes the reference in the data protection field across Africa.

Why the initiative deserves to be recognised by an award?

  • The CNDP library is the first library initiated in Africa.
  • Delivering, gathering and preserving knowledge in the data protection field in a single database is a great step for the African continent to create its own heritage and background.
  • Give the Moroccan and the African students and searchers an opportunity to discover more this field in a close way.

Complete entry available here

 

A33: Fact sheets on Privacy issues (Morocco, CNDP)

Entry by: CNDP Morocco

Description of the initiative:

The Moroccan DPA (CNDP) has published 8 detailed fact sheets on some Privacy issues.

The fact sheets (16 in total) aim to provide both Data Subject and Data Controller with practical information in the following fields:

  • Direct Marketing;
  • CCTV;
  • Biometrics;

Why the initiative deserves to be recognised by an award?

  • This initiative is the first of its kind in MENA.
  • The Fact sheets are available in two languages (French and Arabic);
  • Easy to understand language in a format which emphasizes some privacy key points concisely;

Complete entry available here

 

A34: International Conference of Privacy and data Protection in Africa and Extraordinary Assembly of the African Network of Data Protection Authorities (RAPDP) (Morocco, CNDP)

Entry by: CNDP, Morocco

Description of the initiative:

The Moroccan DPA (CNDP) has organized the International Conference of Privacy and data Protection in Africa and hosted the Extraordinary Assembly of the African Network of Data Protection Authorities (RAPDP).

Why the initiative deserves to be recognised by an award?

This Conference was one of the biggest events hosted by the CNDP, besides the 38th ICDPPC in Marrakech in 2016. It allowed to gather all data protection stakeholders in Africa: DPAs, NGOS, academics, public agencies, medias .. etc.

We think this events deserves to be distinguished, in addition to the quality of the speakers and the participants, by the topics discussed, related to economy, law enforcement or human rights:

  • Economy : the conference aimed to consider privacy and data protection as a lever for the digital economy by establishing digital confidence;
  • Compliance: By examining ways of preparing for GDPR order so that African companies can, not only avoid its harsh sanctions but also to reassure European partners that personal data can be exchanged between Europe and Africa in a smooth and secure manner.
  • Human rights: By developing tools that must be provided to individuals in Africa in order to benefit from the imported scientific and technological developments without prejudice to their own lives.

The Next Day, the African Network of Data Protection Authorities (RAPDP) held its extraordinary session, in order to review its governance tools and elect news members of its Bureau.

Complete entry available here

 

A35: Privacy Trust Mark (New-Zealand, Office of the Privacy Commissioner)

Entry by: Office of the Privacy Commissioner New Zealand

Description of the initiative:

The Privacy Trust Mark was designed to recognise privacy excellence in products and services. The trust mark demonstrates that a “privacy by design” approach was used and it’s intended to give consumer confidence. As organisations collect an increasing amount of information, and the consequences of accidental or malicious misuse of that information increase, it becomes more important to be able to identify products that are outstanding in the way they handle personal information.

Why the initiative deserves to be recognised by an award?

The Privacy Trust Mark project deserves to be awarded an ICDPPC Award because it promotes privacy positive behaviours by agencies and assists individuals to recognise products and services that are privacy enhancing. The Privacy Trust Mark is the only trust mark in New Zealand recognising privacy positive behaviours and only one of a handful of trust marks globally that  are administered by data protection bodes. The Privacy Trust Mark is therefore world leading.

The Privacy Trust Mark allows agencies to show how well they have taken account of privacy values in the design of their product or service. It allows individuals to engage more confidently with the products and services they buy, and improves privacy practice across agencies through raising awareness of good privacy practice.

The Privacy Trust Mark enables our Office to proactively recognise outstanding work in privacy that goes beyond mere compliance. Not only does it allow our office to single out exceptional products, it:

  • Values actions that go beyond applying the Privacy Act;
  • Improves public awareness of privacy positive behaviour;
  • Encourages open and early engagement with our Office by agencies; and
  • Presents our Office as more than punitive body.

Complete entry available here

 

A36: Animation (Mohawk media) (New-Zealand, Office of the Privacy Commissioner)

Entry by: Office of the Privacy Commissioner (New Zealand)

Description of the initiative:

A short animated video to communicate three main messages:

  • privacy is about trust;
  • privacy matters in the home, in workplaces and in public; and
  • how our office can help.

It is supported by a complementary infographic.

Why the initiative deserves to be recognized by an award?

The video is being promoted on the OPC NZ’s Facebook, Twitter, LinkedIn profiles. It has also been promoted through the office’s fortnightly email Privacy News newsletter. It was launched in just after Privacy Awareness Week in May. In five weeks, it has achieved 2,800 views.

The video is easy to understand and its messages are short, practical as well as conceptual. We took great care in creating the content to address and include some of the main privacy concerns that we are contacted about by members of the public and organisations. Some of the issues featured in its short duration concern technology (security cameras, drones, mobile apps) and some are ethical (the filming of accidents).

We are very pleased with the final product and the public feedback has been positive. We submit that it is a high quality product that can inspire other DPAs to create something similar.

Complete entry available here

 

A37: Public enquiries: a complementary solution (New-Zealand, Office of the Privacy Commissioner)

Entry by: Office of the Privacy Commissioner New Zealand

Description of the initiative:

Public enquiries: a complementary solution

The Office has used a complementary combination of “AskUs” – our online “intelligent” FAQs and an external call centre to answer public enquiries effectively and to a consistently high standard.

Why the initiative deserves to be recognized by an award?

The initiative is a double-pronged approach to answering public enquiries. Call centre staff refer to AskUs as a starting point. Call centre staff only refer the caller through to OPC staff if they cannot find a satisfactory answer on AskUs.

The range of answers available on AskUs is always growing, and so the resource is becoming more valuable over time.

Because call centre staff (and OPC staff) rely on AskUs to provide an answer, we can be confident as an organisation that we are giving high-quality and consistent privacy guidance to the public.

Complete entry available here

 

A38: Data Analytics Guidance (New-Zealand, Office of the Privacy Commissioner)

Entry by: Office of the Privacy Commissioner New Zealand

Description of the initiative:

The New Zealand Privacy Commissioner and the Government Chief Data Steward have jointly developed six key principles to support safe and effective data analytics. These six principles are intended to help agencies, and guide our thinking on data analytics activities, including algorithmic decision-making. Using these principles in systems and thinking means stronger, more secure, and safer data use.

Why the initiative deserves to be recognized by an award?

There is no similar guidance available.  The use of data analytics is widespread and growing and there is a recognised need for clear principles to guide use. This is a significant step in the creation of an ethical framework for data analytics and data use by two key stakeholders: the Privacy Commissioner and the Government Chief Data Steward.

Complete entry available here

 

A39: Privacy ABC (New-Zealand, Office of the Privacy Commissioner)

Entry by: Office of the Privacy Commissioner New Zealand

Description of the initiative:

Privacy ABC is a user-friendly e-learning module that can be completed in under 30 minutes.

The aim of Privacy ABC is to provide an unthreatening, user-friendly introduction to privacy. It is a foundation course that is designed to be accessible to the general public. It does not require any prior knowledge or legal background. We were conscious that Privacy 101 (a longer introductory course) was perceived as too hard, and too detailed for some learners.

Privacy ABC is designed around a range of eleven practical scenarios.

We have been very pleased with the feedback we have received, and the registration and completion figures for the course demonstrate its popularity.

Why the initiative deserves to be recognized by an award?

Privacy ABC is a highly popular e-learning programme. It was launched in mid 2017 and has outstripped all the other training modules that the Privacy Commissioner’s Office provides.

This is our shortest e-learning module, designed to give learners a quick oversight of privacy in 30 minutes or less. Privacy ABC uses short stories and scenarios to bring privacy concepts to life, so they’ll be sure to stick in your brain!

Over 2,550 people have completed Privacy ABC in the year since it was launched.

Feedback has been that Privacy ABC is a friendly, effective and engaging introduction to privacy generally and the wider range of e-learning modules we offer.

Complete entry available here

 

A40: Software development with Data Protection by Design and by Default (Norway, Datatilsynet)

Entry by: The Norwegian Data Protection Authority

Description of the initiative:

We have developed these guidelines to help organizations understand and comply with the requirement of data protection by design and by default in article 25 of the General Data Protection Regulation. We have cooperated with security professionals and software developers in public and private sector among others. These guidelines are primary intended for developers, software architects, project managers, testers, data protection officers and security advisors.

Why the initiative deserves to be recognised by an award?

The guidelines have to be specific and clear so that organisations that develop software, applications, services, systems etc. and follow the guide, and later on can get their processing activities certified and get a privacy seal or mark according to article 25 (3).

The framework is not meant to be a substitute for a company’s methodology for software development, but it is a supplement to ensure that privacy and security are included in the methodology.

There is abundant technical literature that focuses on security by design when developing software. Relatively little has however been written about data protection by design and by default when developing software. While working on this guide, we have used Software Development LifeCycle (SDLC), Microsoft Security Development Lifecycle (SDL) and ENISA; Privacy and Data Protection by Design – from policy to engineering, as a starting point, and explored how to incorporate privacy principles, subject rights, and the requirements of the GDPR into every step of the process.

The guidelines has already become a gold standard for developers and adopted by three universities in Norway. We think it is because the guide is specific, clear and have checklists that can be used directly by the different developer professions.

Complete entry available here

 

A41: Artificial intelligence and Privacy (Norway, Datatilsynet)

Entry by: The Norwegian Data Protection Authority

Description of the initiative:

This report looks at two of the hottest topics at the moment, Artificial intelligence and the GDPR. We aim to raise awareness on how artificial intelligence works and how it can challenge the right to privacy and data protection. We explore what aspects of the GDPR that may affect the development and use of artificial intelligence. What rights do the user have when being the subject of decision making by AI based systems?

Why the initiative deserves to be recognised by an award?

The report arrived with perfect timing to make it a good counterbalance to the AI debates focusing mainly on efficiency and results. It makes a complexed topic accessible, seen from both the technical and legal side. The report is not only focused on problems, but also outlines some tools and recommendations for usage, development and research.

AI and privacy is a good primer and toolkit for anyone working on, or interested in this topic. It has gathered attention from parts of the government that wants to use the technology, developers, as well as companies and institutions that research and develop the underlying technology.

We decided to translate the report into English to make it available to more than just Norway, we would also welcome others to translate it to new languages for availability.

The report has been promoted as highly recommended reading by the Future of privacy forum, extending its reach outside of EU as well.

We believe that an award would help expose this very useful “tool” to an even wider audience, something that would be a great benefit for privacy and data protection.

Complete entry available here

 

A42: Raising awareness on the protection of personal data in the schools (Turkey, Turkish Personal Data Protection Authority)

Entry by: Turkish Personal Data Protection Authority

Description of the initiative:

As Turkish Data Protection Authority (TDPA), our mission is to provide the protection of personal data and to develop awareness in this respect in the public eye in line with the fundamental rights related with privacy and freedom stated in the Constitution. To carry out our mission, we have organized various meetings, “Slogan Competition” inter-high school, conducted questionnaires and published instructive materials. We have made necessary legal regulations concerning awareness of the protection of personal data in the schools with the cooperation of the Ministry of Education.

Why the initiative deserves to be recognised by an award?

Although TDPA is a newly-established authority, as well as public and private sectors, we have reached at approximately 30 million students and their families related with the protection of personal data and public awareness via above-mentioned cooperation with Ministry of Education. We have spent much time and effort to raise public awareness which is one of our most important missions. Education and public awareness is our priority.

Complete entry available here

 

A43: Your Data Matters (United Kingdom, ICO)

Entry by: Information Commissioner’s Office (United Kingdom)

Description of the initiative:

It’s only through increasing public trust and confidence, that the potential of personal data will be unlocked.

For the public to have trust and confidence, they first need to understand the rights they have and the obligations that organisations have.

‘Your Data Matters’ is a long-term education campaign to help the UK public understand both the rights they have regarding their personal information and also the obligations that organisations have to look after it properly.

Why the initiative deserves to be recognised by an award?

Scope and relevance

This campaign has longevity with numerous opportunities for further development. We will update the materials with scenarios that connect directly back to every ICO announcement for at least two years (eg fines, new guidance, audits, trend reports). Each time the Your Data Matters fingerprint family will come to life and make the news relevant for the public.

Audience reach

Through this collaborative approach, the ICO, without a vast budget, will reach members of the public directly and ensure that they receive coherent and consistent messages.

The campaign is essential not only to the leading organisations we collaborated with, but also any small and medium sized organisations who want increase their customer’s confidence in them but need help to do it.

The UK’s National Health Service are an early adopter of the campaign and have used the material on over a million posters for GP surgeries and individual letters to patients.

Authority

By inviting organisations to partner with the regulator (ICO) we are ensuring that they commit to high standards of data protection. Our involvement gives the campaign materials more authority but also means the organisations are effectively asking the regulator to bear witness to their data protection commitment.

Link to the ICO Page: “Your Data Matters: building trust and confidence” for organisations
Link to the ICO Page: “Your Data Matters” for the public

Complete entry available here

 

A44: Lawful Basis Tool (United Kingdom, ICO)

Entry by: Information Commissioner’s Office (ICO), United Kingdom

Description of the initiative:

The ICO has developed an interactive, web based guidance tool to assist data controllers in assessing which lawful basis within the GDPR is likely to be most appropriate for processing that they intend to carry out.

Why the initiative deserves to be recognised by an award?

This tool represents a new and innovative way to deliver regulatory support and guidance to organisations. It builds on the approach and success of the ICO self-assessment toolkits and is particularly tailored to the needs of small and micro organisations. During the implementation phase of the GDPR a significant proportion of stakeholder queries that the ICO received related to Article 6. This interactive tool demonstrates that the ICO is a responsive and flexible regulator and that we are always learning and striving to develop the most useful resources to support data controllers in maintaining the very highest standards of data protection practice.

Complete entry available here