Entries submitted

A1: Information and Data Protection Commissioner of Albania
A2: Office of the Australian Information Commissioner (entry 1)
A3: Office of the Australian Information Commissioner (entry 2)
A4: Office of the Privacy Commissioner of Canada
A5: Office of the Information and Privacy Commissioner for Victoria, BC, Canada
A6: Office for Personal Data Protection, Czech Republic
A7: European Union, EDPS
A8: Data Protection Commission, Ireland
A9: Jersey Office of the Information Commissioner
A10: National Institute for Transparency, Access to Information and Personal Data Protection (INAI Mexico)
A11: State of Mexico Transparency, Public Information Access and Personal Data Protection Institute of Estado de México and municipalities, INFOEM
A12: Office of the Privacy Commissioner, New Zealand
A13: Data Protection Authority of the Canton of Zurich, Switzerland
A14: CNIL, France
A15: Turkish Personal Data Protection Authority

A1 – Entry by: Information and Data Protection Commissioner of Albania

Description of the initiative:

“Play and learn – Happy Onlife” is the latest initiative of the IDP Commissioner’s Office aimed at raising the awareness of children and teenagers for a safe use of digital environment.

Why the initiative deserves to be recognised by an award?

Over the last 3-4 years, the Commissioner’s Office has set among its priorities the awareness-raising initiatives on protection of personal data, with particular focus on children and teenagers. The massive use of new technologies by these age groups brings about concrete and elevated risks to privacy and to the effective protection of personal data. The Commissioner’s Office closely co-operates with the Ministry of Education, Youth and Sports in addressing these issues, while it organizes on regular basis training events involving interested parties and stakeholders.

Complete entry available here

A2 – Entry by: Office of the Australian Information Commissioner (entry 1)

Description of the initiative:

The Privacy Challenge is an online game designed to raise public awareness of how to protect personal information. It challenges users to “dodge the data dangers” in the digital and real-world environment, from securing their smart phones and social media posts to checking their credit reports and avoiding scams. The game was developed by the Office of the Australian Information Commissioner and launched during Privacy Awareness Week 2019.

Why the initiative deserves to be recognised by an award?

Organisations seeking to engage, inform and grow their audiences are increasingly turning to narrative story-telling techniques to cut through in a crowded communications and media environment.

In the Privacy Challenge, Australia’s national privacy regulator has taken an innovative approach to engaging the public and other stakeholders to raise awareness of data protection risks. It uses an interactive game format to explore the day-to-day dangers associated with data breaches and give advice on how to avoid them.

Australians are some of the most active social media users in the world, with 18 million people being active social media users. The OAIC has designed the game to promote through social channels and encourage players to share links and report their scores.

This digital initiative is helping the OAIC to connect with its stakeholders, extend its social media reach and make advice about privacy more accessible to a broader audience.

Complete entry available here

A3 – Entry by: Office of the Australian Information Commissioner (entry 2)

Description of the initiative:

The Notifiable Data Breaches Scheme 12-month Insights report draws together detailed statistics and lessons learned during the first year of mandatory reporting in Australia to highlight the causes of data breaches and how to prevent them.

Launched by the Office of the Australian Information Commissioner for Privacy Awareness Week 2019, the report has driven widespread media coverage and analysis about the operation of the scheme, raising its visibility to the general public and regulated entities.

Why the initiative deserves to be recognised by an award?

Through publication and promotion of the Notifiable Data Breaches Scheme 12-month Insights Report, the Office of the Australian Information Commissioner has lifted the profile of privacy across the Australian jurisdiction and elevated data breaches to a board-level risk.

The report provides a clear evidence base and practical, proactive measures that can be put into practice immediately by business and government agencies. The OAIC’s approach to reporting also strikes the appropriate balance in providing visibility of data breaches without deterring organisations from notifying.

The Insights Report provides a roadmap for improving privacy practice and data protection for stakeholders across the wide range of entities we regulate, from small business owners to company directors.

Through the ICDPPC and other global forums, the Report is also assisting the OAIC to engage with
our international counterparts about the causes of data breaches, to support cross-jurisdictional insights. This supports greater collaboration on ways to evolve towards global policy, standards and models for data protection and privacy, in line with the ICDPPC’s strategic goals.

Complete entry available here

A4 – Entry by: The Office of the Privacy Commissioner of Canada

Description of the initiative:

Our office produced the Know Your Privacy Rights! poster to support its Data Privacy Day messaging, which focused on protecting, understanding and exercising privacy rights.

The poster was available on our website to download and was also provided to individuals and organizations to help promote privacy. The intention was to create a visually appealing, easily understandable poster to raise Canadians’ awareness of their privacy rights.

Why the initiative deserves to be recognised by an award?

Our Know Your Privacy Rights! poster deserves to be recognized with an award as an example of how to simplify a complicated subject into an easy-to-understand message for the general public with a high level of resonance. In short, an exceptional return on a modest investment.

It also demonstrates the effective work our Office is doing to narrow the gap between how concerned Canadians are about privacy and their knowledge of their rights.

For example, our 2018-19 Survey of Canadians on Privacy shows 92% of respondents are concerned about the protection of their privacy. However, only 64% rated their knowledge of their privacy rights as good (50%) or very good (14%). That result is unchanged since 2016, the last time we conducted our survey.

The vast majority of Canadians appear concerned about privacy but acknowledge they need to know more about their rights. Our poster is an accessible, easy-to-understand resource that raises awareness of privacy rights. Although it was prepared as part of our Data Privacy Day 2019 material, the poster represents a multi-purpose evergreen product that we are now able to use in conjunction with other awareness campaigns or as a standalone piece to be posted periodically to Twitter or other social media sites on an ongoing basis.

Complete entry available here

A5 – Guidance on inappropriate data practices (Canada, OPC)

Entry: Office of the Information and Privacy Commissioner for British Columbia (OIPC)

Description of the initiative:

PrivacyRight provides comprehensive, multi-platform online education to inform organizations of their obligations under PIPA and empower them with knowledge and tools to build effective privacy management programs that protect personal information and comply with the Act. PrivacyRight offers a suite of accessible (and free) tools and resources such as animated videos and webinars, podcasts, guidance documents, printed pamphlets, social media tiles, and monthly newsletters, that walk organizations through the fundamentals to more advanced privacy management.

Why the initiative deserves to be recognised by an award?

PrivacyRight is a direct response to requests from private organizations. PrivacyRight’s education and tools are free, easily accessible, right-sized for learning, and easy to implement.

There is tremendous potential for PrivacyRight to aid in improving privacy practices in the over one million organizations that handle personal information in BC. PrivacyRight helps to educate organizations, and is advancing the conversation around privacy and privacy education in BC, and with other national and international regulators.

During program planning, we faced barriers such as limited funding and identification of and access to organizations. We met these challenges creatively, focussing on building and strengthening relationships with internal and external stakeholders:

All PrivacyRight materials were developed in-house. We engaged staff at all levels for content creation, recording, production, and regular interaction with organizations and the public.
We made connections with the Better Business Bureau (BBB), Chambers of Commerce, BC Registry Services, Service BC, and industry associations, boards, and membership groups. We leveraged their membership and outreach to ensure PrivacyRight reaches those who need it.

We’ve had over 1,200 views to date and nearly 200 newsletter subscribers. And through our connections with external stakeholders, word is spreading!

Complete entry available here

A6 – Entry by: Office for Personal Data Protection, Czech Republic

Description of the Initiative:

The survey of 17 students of the 3rd year of information technology in Pilsen (Czech Republic) was carried out on 21 June 2019. The focus was about using e-learning platforms in schools. Two students replied that they are using e-learning platforms at school; one student replied that he does not know and 14 students answered that they do not use them.

On the question if the controller asked them for the parental consent, 9 students said yes, 2 students answered that they do not know, and 6 students said that the controller did not want the consent of their parents.

I would like to continue in this survey in the next school year 2019/2020.

We need more cooperation and support with the Ministry of Education.

Why the initiative deserves to be recognised by an award?

The game “Moje-soukromi-nekoukat-nestourat” is completely Czech and help to children and young people to understand well Data Protection area. Children are writing essays from their privacy or privacy of their friends or anybody else. The winner is awarded in the Office.

Complete entry available here

A7 – Entry by: EDPS

Description of the initiative:

Comic book: The Cartoon Introduction to Digital Ethics

A comic book on the relation between individuals and new technologies on the need of an ethical approach to innovation in data driven life.

Why the initiative deserves to be recognised by an award?

The EDPS has provided an easily accessible and modern tool for people to develop insights on their approach towards new technologies.

The continuous evolvement of technologies are shaping the world we live in much faster than expected. New generations are not the only affected by these changes, on the contrary, studies show that older generations, less used to the Internet and its risks, are at least equally exposed.

The EDPS has called for a reflection of an ethical approach towards technology developments, not because evolution and improvements have to be stopped, but because we believe that individuals’ rights come first, and technology should put human rights at the very centre of its development.

The comic book has been designed to be easily accessible to the majority of the audience, no matter of the background, nationality or age. Each reader can develop his own point of view on such matter.

Since its presentation in October 2018, the EDPS has been contacted by schools in member states, other EU institutions, citizens and Members of the European Parliament to have copies to be distributed to the audience.

We believe that the comic book may be eligible for running in the award for education and raising awareness category as an innovative approach in pursuing good administration purposes.

Complete entry available here

A8 – Entry by: Data Protection Commission, Ireland

Description of the initiative:

In January 2019, the Data Protection Commission (DPC) launched a special public consultation to give children and young people the opportunity to have their say on issues around children’s data protection rights in a social media context. The DPC created a dedicated lesson plan on personal data and data protection rights, and invited every school and Youthreach Centre in Ireland to participate in this consultation through the delivery by teachers of this unique lesson plan.

Why the initiative deserves to be recognised by an award?

  • The DPC has created an innovative lesson plan, which educates children about their data protection rights. We rigorously tested the efficacy of these materials with the help of the Ombudsman for Children’s Office, by coordinating three pilot workshops with groups of children across three different age groups.With this tailored lesson plan, the DPC has given young people in Ireland the opportunity to have their voices heard about important data protection issues that affect them directly, and the DPC is unique in this regard. As far as we are aware, we are the only international Data Protection Authority to have consulted with young people on data protection issues by reaching out directly to every single school and Youthreach centre in the country (approx. 4000 schools in Ireland) to invite them to participate in our consultation.In total, we heard from approximately 1200 children across Ireland and received very positive feedback from teachers who found the lesson plan materials to be “very worthwhile” and “so informative and insightful”, stating that their students were “very animated and interested throughout” and “thoroughly enjoyed completing these lessons”.Our consultation initiative has also been highlighted by the ICDPPC Digital Education Working Group (DEWG) as a core international initiative being carried out in line with Action 2 of the DEWG’s Action Plan, namely “Awareness-raising on the exercise of digital rights by the children themselves”.

Complete entry available here

A9 – Entry by: Jersey Office of the Information Commissioner

Description of the initiative:

25% of key stage 3 and 4 students in Jersey are on their way to becoming mini information commissioners as the first year of our campaign to inspire gains traction.

“Made me think privacy” year 10 student

Our Young Privacy Ambassador Programme focuses on students exercising their personal data rights, responsibilities and questioning privacy issues.

“Enabling our students to become more responsible for their data, and is an invaluable part of our curriculum” Teacher

Why the initiative deserves to be recognised by an award?

We believe our ‘Mini Information Commissioner’ concept deserves recognition because;

  • We tackle privacy issues with our Island’s young people who grapple to understand the relevance and significance in the face of burgeoning social media.
  • We impart resilience in the face of increasingly sophisticated scams and fraudulent activities.
  • It is vitally important to help young people to safeguard their rights and freedoms.
  • We are nurturing privacy ambassadors for future generations.
  • Jersey prides itself as a well-regulated jurisdiction and our programme is instrumental in protecting Jersey’s strong reputation as a safe place to live and do business.

With adults and especially children now living their lives online, we recognise children need particular ‘education/guidance’ when their personal data is being collected and processed because they may be less aware of the risks involved.

We believe our efforts to collaborate with Jersey’s younger generation and our local education authority to affect the lives of thousands of people in our jurisdiction deserve to be recognised. As our chair, Jacob Kohnstamm says:

“It is not enough that the different players perform their individual roles. The more impressive results happen when we all work well together. Good data protection is a journey not a destination.”

Complete entry available here

A10 – Entry by: National Institute for Transparency, Access to Information and Personal Data Protection (INAI Mexico)

Description of the initiative:

The Minimum Criteria suggested for the contracting of Cloud Computing services that involve the processing of personal data (hereinafter Criteria) are intended to establish minimum considerations to guide data controllers for the selection and hiring of cloud computing providers. The above, in order to comply with the obligations established by Mexican regulations on this matter and to avoid breaches to the security of personal data.

Why the initiative deserves to be recognised by an award?

The criteria are a facilitation tool offered to those data controllers for the Federal Law on the Protection of Personal Data Held by Private Parties and its Regulations. These consist of a series of considerations and specific questions for the selection and hiring of cloud computing service providers. In addition, it provides recommendations to control and ensure the provision of the service, as well as the advantages and disadvantages of joining or hiring them. Therefore, this document serves as a guiding framework for before, during and at the end of a hiring or adhesion of cloud computing services.

Complete entry available here

A11 – Entry by: State of Mexico Transparency, Public Information Access and Personal Data Protection Institute of Estado de México and municipalities, INFOEM

Description of the initiative:

INFOEM became an Assessment and Certification Entity of Labor Competences before the National Council for Standardization and Certification of Labor Competences, with the STANDARD “GUARANTEE THE RIGHT TO THE PROTECTION OF PERSONAL DATA”

The main purpose is to serve as references for the evaluation and certification of the head of transparency units in the State of México, besides complying with the law, INFOEM certificates the public servants that treats Personal Data and guarantees Access to Information.

Why the initiative deserves to be recognised by an award?

INFOEM is one of the only 2 entities in México that has all the procedure to evaluate and certify the Head of every Transparency Unit in State of Mexico and Municipalities.

There are 333 obligated subjects that have to guarantee the good practices on the rights of Data Protection and Access to Public Information to more than 17 million habitants in the State.

In order to achieve this certification, Infoem and CONOCER, Consejo Nacional de Normalización y Certificación de Competencias Laborales (National Council for Standardization and Certification of Labor Competences) have worked together so that public servants are able to guarantee they are perfectly qualified to treat personal information and guarantee the knowledge on the treatment of Data and ARCO rights as well as Access to Information procedures.

Complete entry available here

A12 – Entry by: Office of the Privacy Commissioner, New Zealand

Description of the initiative:

This initiative is the Privacy for Policy-Makers e-learning module.

The Privacy for Policy-Makers e-learning module explains why privacy matters when developing public policy. This e-learning module is designed to help policy-makers consider the privacy of individuals when developing new policy or regulatory interventions. The module will also help private sector analysts to ensure that personal information is managed in their businesses with care and respect.

Why the initiative deserves to be recognised by an award?

The product deserves recognition because it specifically targets policy-makers, a key group that has a significant impact on the development of new products and services that invariably involves the use of personal information.

It is vitally important in our technology-driven environment that policy-makers build in privacy safeguards by default as part of developing new policy. This module will help to ensure policy- makers have foundational knowledge of privacy law in New Zealand and gain an appreciation of what good privacy practice looks like.

The module content also deserves recognition for its accessibility and clarity of thinking. It is well-written and set at a level that can inform both junior and more senior policy practitioners.

The module design is engaging and very accessible, not to mention free for all! It’s simple to sign up and use. The structure of the module, its use of graphics, supported by links to additional resources, work particularly well.

The use of scenarios gives learners the chance to put their ‘privacy hat’ on and test how well they have understood the modules concepts.

Complete entry available here

A13- Entry by: Data Protection Authority of the Canton of Zurich, Switzerland

Description of the initiative:

Aiming to support Kindergarten pupils in developing a mind-set enabling them to live self-determined in the digital world, the Data Protection Authority of the Canton of Zurich cooperated with Zurich University of Teacher Education in creating educational resources. Various didactic approaches let the children experience reasons why some information needs to stay secret, which information is personal and which should be shared with a confidant. The resources are integrated in the teaching education courses and available as a free e-book.

Why the initiative deserves to be recognised by an award?

  • This educational e-book is the first of its kind aimed at children of the age of 4 to 9 years.
  • The teaching material solves the challenge of making the abstract and complex concept of privacy protection easy to grasp for children in the kindergarten age.
  • Children experience the necessity of privacy protection and understand their role in protecting their own privacy and the privacy of their environment.
  • The teaching resources support the children in developing a mind-set to decide in a self-determined way whenever they are exposed to a new situation. It doesn’t focus on giving guidance on how to behave in defined situations, therefore the content is not getting obsolete by the fast pace of technological developments.
  • The use of different pedagogic and didactic approaches gives teachers the opportunity to integrate the material in different school subjects.
  • The use of different methods illustrates the significance of privacy protection in all circumstances.
  • The cooperation between the Zurich Privacy Commissioner and the Zurich University of Teacher Education assures the integration of the resources into the actual lessons in the classrooms. Teachers in training are using the e-book in their education.

Complete entry available here

A14 – Entry by: CNIL, France

Description of the initiative:

On March 10th 2019, CNIL launched « L’Atelier RGPD », a Massive Open Online Course (« MOOC ») about the GDPR developed by CNIL’s experts. It is free and available in French. An English version is currently under development.

Participants can take tests at the end of each modules and obtain a certificate of attendance at the end of the course. As of today, more than 45 000 users have registered to the MOOC.

Why the initiative deserves to be recognised by an award?

This MOOC is, so far, the only one of its kind proposed by a European DPA. It was an instant success, with more than 8 000 accounts created in the first 3 days after its launch. This proved that the CNIL correctly identified the needs of the data protection community (DPOs, controllers, students, lawyers, consultant companies, etc.). Since then, the MOOC’s popularity has only been growing. It was mentioned in several newspapers (see articles in f.), and has been very well received by professionals. Many of them even published their certificate on LinkedIn.

The MOOC has been praised for its clarity, its friendly and accessible design, the use of concrete examples and its overall conception, which follows a clear educational logic.

As of today, more than 45 000 accounts have been created, with nearly 10 000 persons receiving a certificate of attendance. This is a great success which has proven to be instrumental in the spreading of the data protection culture both in the public and the private sectors. Indeed, the CNIL has received many requests to allow the use of this tool for internal training systems and for an English version which is under development (expected in fall 2019).

Complete entry available here

A15 – Entry by: Turkish Personal Data Protection Authority

Description of the initiative:

Participants in the meeting hall of the Authority are informed about processing of their personal data. They are supposed to pick up green or red cockades or to take a seat green or red labelled area according to their choice on controlling their visual data. Whereas green cockades and green labelled seats mean that you give consent to be taken your visual data, red cockades and red labelled seats mean you don’t give consent.

Why the initiative deserves to be recognised by an award?

Thanks to this initiative all participants in the meeting hall will be aware of their right to protect their personal data. Participants will also have free choice on controlling their visual data. The initiative has been implemented successfully in Turkey. Awareness of people on the subject of personal data protection has increased via this initiative. In addition to this, it can be used as an example of obligation to inform of data controllers in Turkey. This creates multiplier effect on the data protection issues. On the other hand, people who participated in any event in the meeting hall of the Authority gave positive feedbacks about the initiative.

Complete entry available here