Entries submitted

B1: African Data Protection Authorities meeting in Casablanca (African DPAs)
B2: Dragons’ Den, a platform for all staff to present an innovative idea or solution (Canada, Office of the Privacy Commissioner)
B3: OIPC’s Big Data Guidelines (Canada, Office of the Information and Privacy Commissioner of Ontario)
B4: Internet Privacy Engineering Network (IPEN) (European Union, EDPS)
B5: The EDPS Ethics Initiative (European Union, EDPS)
B6: Digital Clearinghouse (European Union, EDPS)
B7: CNIL and Inria scientific article (France, CNIL)
B8: Exhibition “TerraData : nos vies à l’ère du numérique” about Big Data (France, CNIL)
B9: PIA software (France, CNIL)
B10: The Privacy Campaign for Small and Medium Enterprises (SME) (Hong Kong, PCPD)
B11: ‘Preparing Ireland for the GDPR’ Awareness Initiative (Ireland, Data Protection Commission)
B12: GDPR readiness guide for SMEs (Ireland, Data Protection Commission)
B13: From Global to Local: Sharenting in Israel (Israel, PPA)
B14: Privacy Meets Creativity (Israel, PPA)
B15: Media Campaign: What You Don’t Share Offline, Don’t Share Online! (Israel, PPA)
B16: Monitor of Transparency and Protector of my Personal Data Program (Mexico, INFOEM)
B17: The tool “Privacy Notices Generator for the Public Sector” (GAP for the public sector) (Mexico, INAI)
B18: Electronic system for exercising the rights of access, rectification, cancellation and opposition (Mexico, INAI)
B19: Privacy Trust Mark (New Zealand, Office of the Privacy Commissioner)
B20: Public enquiries: a complementary solution (New Zealand, Office of the Privacy Commissioner)
B21: Software development with Data Protection by Design and by Default (Norway, Datatilsynet)
B22: Artificial intelligence and Privacy (Norway, Datatilsynet)
B23: Comprehensive and dynamic Guide to GDPR and Law Enforcement Processing (United Kingdom, ICO)
B24: Your Data Matters (United Kingdom, ICO)
B25: Lawful Basis Tool (United Kingdom, ICO)
B26: FTC Recommends Steps to Improve Mobile Device Security Update Practices (United States of America, FTC)

 

 

B1: African Data Protection Authorities meeting in Casablanca (African DPAs)

Entry by: African Data Protection Authorities, members of the ICDPPC (RAPDP)

Description of the initiative:

On February 22nd, 2018, the African Data Protection Authorities held a meeting in Casablanca in order to set up the governance bodies of their newly created network (RAPDP) and amend its rules and procedures to allow the network to achieve its objectives.

Why the initiative deserves to be recognised by an award?

This initiative should be considered in order to:

  • Highlight the efforts taken by African countries where only several countries have enacted privacy laws;
  • Help to promote privacy and data protection in Africa;
  • Underline the important role of cooperation between DPAs.

Complete entry available here

 

B2: Dragons’ Den, a platform for all staff to present an innovative idea or solution (Canada, Office of the Privacy Commissioner)

Entry by: Office of the Privacy Commissioner of Canada

Description of the initiative:

In October 2017, the Office of the Privacy Commissioner of Canada (“OPC”) launched Dragons’ Den, a platform for all staff to present an innovative idea or solution in furtherance of our ultimate goal: protecting the privacy of Canadians with a vibrant, progressive and results-focused work environment. Dragons’ Den released and leveraged the ingenuity of our staff to address regulatory challenges with high-impact, often non-traditional, strategies.

Why the initiative deserves to be recognised by an award?

While the overwhelming success of this initiative advanced the OPC’s commitment to protecting Canadians’ privacy, the Dragons’ Den philosophy, and its positive contagion, is far-reaching.

Given the revolutionary impact of technology in the marketplace, regulators have no choice but to keep pace. Agencies can struggle to remain agile and effective in the face of limited resources and growing demands on those resources. However, Dragons’ Den demonstrated that an organization’s wealth can be measured in many ways. It recognised the untapped abundance of human capital already within our ranks and its potential for cultivating innovation and creativity.

It is an axiom that the most enduring innovations are those that are sourced from, or developed by, all members of an organization. By providing a forum for progressive ideas to be encouraged and heard, this initiative revealed that all it takes to maximize on an organization’s potential is dedication, a little creativity, and an invitation into the Dragons’ Den.

Complete entry available here

 

B3: OIPC’s Big Data Guidelines (Canada, Office of the Information and Privacy Commissioner of Ontario)

Entry by: Office of the Information and Privacy Commissioner of Ontario, Canada (OIPC)

Description of the initiative:

The OIPC’s Big Data Guidelines develops a framework of privacy protection that sets out the key issues to consider and best practices to follow at each stage of a big data project involving personal information. It offers guidance on how to prevent uses of big data that may be unexpected, invasive, inaccurate, discriminatory or disrespectful of individuals. Topics discussed include:

  • Indirect collection and secondary purpose
  • Privacy of publicly available information
  • Biased datasets
  • False correlations
  • Non-transparent algorithms

Why the initiative deserves to be recognised by an award?

Equal parts buzzword and concept, big data has proven to be a complex and challenging topic, engaging a number of new and emerging information technologies that may be used to fulfill a wide range of policy goals. What makes Big Data Guidelines deserving of recognition is that it breaks down the complexity of big data into a series of discrete issues whose analysis provides clarity to the topic as a whole. This is achieved by taking a “divide and conquer” approach. First, it divides the process of conducting a big data project into four stages: collection, integration, analysis and profiling; then it analyzes the issues that arise at each stage; finally, it recommends best practices to mitigate the emerging risks. The result is a document that does not simply talk about “big data” in the abstract, but rather works within a concrete definition of it to the benefit of readers.

Our guidelines are the first of their kind in Canada to discuss big data from the perspective of a big data practitioner. In no small measure, this is what has enabled them to cut through the hype and explain a complex topic in an accessible manner.

Complete entry available here

 

B4: Internet Privacy Engineering Network (IPEN) (European Union, EDPS)

Entry by: European Data Protection Supervisor (EDPS)

Description of the initiative:

The Internet Privacy Engineering Network (IPEN) is a practical initiative encouraging the development of methodologies and tools that can effectively foster privacy-enhancing technologies (PETs). Since 2014, it has brought together data protection experts with a technical background from different areas (DPAs, academia, open source and business developers, individuals) who are committed to finding engineering solutions to privacy challenges. In 2017, the initiative was extended to global reach.

Why the initiative deserves to be recognised by an award?

IPEN contributes to fostering the debate about Privacy by Design, which is now a legal obligation under the GDPR, promoting the use of PETs, co-ordinating relevant initiatives and giving them visibility. IPEN’s distinctive feature is facilitating the dialogue between policy experts and engineers, who strive to translate legal provisions into system requirements.

IPEN boasts a number of researchers coming from prominent European and US universities (such as KU Leuven and Carnegie Mellon University) as well as businesses at the forefront of innovation and data protection. It supports networking between engineer groups and existing initiatives for engineering privacy into the internet, facilitating exchange in order to coordinate work, prioritize and avoid duplication.

The reciprocal support between ENISA (European Union Agency for Network and Information Security) and IPEN is remarkable. ENISA acknowledged IPEN’s role in promoting innovation and PETs. A 2015 ENISA report explicitly identifies IPEN as one of the initiatives having a role in the assessment and promotion of PETs. Conversely, IPEN supported ENISA through the creation of a repository of relevant resources, making its findings and knowledge base publicly available. As proof of growing public appreciation and institutional recognition, since 2016 IPEN Workshops have taken place immediately after the Annual Privacy Forum organised by ENISA.

Complete entry available here.

 

B5: The EDPS Ethics Initiative (European Union, EDPS)

Entry by: European Data Protection Supervisor (EDPS)

Description of the initiative:

The EDPS Ethics Initiative is a currently running, multifaceted four-year programme, consisting of a series of projects which all aim at exploring the consequences of current and emerging digital technologies on society. The initiative is devised as a continuous call upon the European and global community to reflect on rights and values in data-driven life from an ethics and forward-looking viewpoint. This also includes, very centrally, stimulating a public debate on how digital ethics can serve to strengthen core data protection principles and legal compliance.

Why the initiative deserves to be recognised by an award?

Technological advancement, most centrally the interconnectedness of digital devices and big data processing, allows for the collection and usage of personal data in increasingly complex and opaque ways, thus posing significant threats to privacy and data protection.

Against this background, the EDPS has been calling for a broad understanding of data protection and privacy as core values central to protecting human dignity, autonomy and the democratic functioning of our societies. Data has now become the basis of powerful scoring and rating systems, of political profiling and nudging, of tracking and surveillance, and in all these applications an inexhaustible source of profit. It is crucial that all data protection efforts take place in full conscience of this background.

In this, the EDPS Ethics Initiative has served as a wake-up call for the data protection community. Unconventional and daring in its thinking, the EDPS has contributed to launching a much-needed debate on digital ethics. Awarding its call for embracing new technologies only when they are of true benefit for society, and for refreshing our understanding and appreciation of our longstanding European human rights culture, would multiply its impact and further stimulate the debate on digital ethics.

Complete entry available here

 

B6: Digital Clearinghouse (European Union, EDPS)

Entry by: European Data Protection Supervisor (EDPS)

Description of the initiative:

The Digital Clearinghouse aims to convene regulators of different fields of law, i.e. data protection, consumer protection and competition regulators, with a view to addressing common concerns and fostering discussions on issues at the intersection of laws.

Why the initiative deserves to be recognised by an award?

The Digital Clearinghouse is the first network of its kind in promoting discussions among all regulators responsible for the enforcement of law in the digital markets.

In this sense, the initiative contributes innovatively to the way cooperation has so far been performed, by adding a cross-sectorial element to it.

By facilitating the work among data protection, consumer protection and competition authorities, the initiative contributes to overcoming silos in the application of different areas of law so as to improve the understanding of how the digital economy functions and of the dominant conducts and models on which it is based.

Furthermore, the Digital Clearinghouse has a global reach, which extends beyond Europe. Cooperation will also be expanded to include electoral and media regulators.

Complete entry available here

 

B7: CNIL and Inria scientific article (France, CNIL)

Entry by: CNIL (France)

Description of the initiative:

CNIL and Inria (French public entity for scientific research on digital sciences and technologies) reward a scientific article in the field of computer or information science dedicated to the protection of personal data or privacy and written in French or in English.

Why the initiative deserves to be recognised by an award?

It is an opportunity to raise awareness and promote research on privacy and data protection within the scientific community, quite particularly as regards the evolutions led by the General Data Protection Regulation (GDPR).

This applies in particular to the development of Privacy by Design, accountability and the necessary development of technical tools that make it possible to guarantee the security of data and individuals’ rights.

Complete entry available here

 

B8: Exhibition “TerraData : nos vies à l’ère du numérique” about Big Data (France, CNIL)

Entry by: CNIL (France)

Description of the initiative:

The exhibition focuses on a highly topical issue for our society: the stakes of the exponential development of digital technology.

Four main questions define the itinerary of the visit:

  • What is data?
  • How is data processed?
  • What impact does data have?
  • Where is data leading us?

The new technologies are deciphered in a colourful, modern and interactive scenographic universe. About thirty tables serve as a support for audiovisuals, multimedia and graphic arts, to understand a world in the midst of an economic and cultural revolution.

The French Data Protection Authority has strongly and happily cooperated from the very beginning with Universcience to create the exhibition (interview of the president, provision of historical and digital contents, DP law advice, etc.).

Why the initiative deserves to be recognised by an award?

This exhibition is a unique and very efficient pedagogical tool for understanding Data Protection issues. It is designed for a wide public and allows visitors to understand Big Data in a playful way. It is a travelling exhibition available in English, Italian and French, and it could be adapted into other languages. It is accessible to all disabled people.

Complete entry available here

 

B9: PIA software (France, CNIL)

Entry by: CNIL (France)

Description of the initiative:

The PIA tool is free and open source software that helps data controllers carry out data protection impact assessments; this tool helps build and demonstrate compliance with the GDPR, and eases the use of the PIA guides published by CNIL.

Why the initiative deserves to be recognised by an award?

The PIA software is a novel and successful approach to fostering the use of DPIAs, which are a new instrument of the GDPR.

In less than eight months, the tool has received very positive feedback. It has been downloaded more than 70 000 times, and is used both by SMEs and large organisations.

An active open community has also been created: initially published in 2 languages (French and English), 12 additional language versions were produced by the community (and 6 language translations were verified by national DPAs) and submitted on the GitHub platform. Today, more and more people and organisations participate actively in its improvement.

In this regard, the tool is the first of its kind, and it paves the way for a new kind of collaboration between DPAs.

Complete entry available here

 

B10: The Privacy Campaign for Small and Medium Enterprises (SME) (Hong Kong, PCPD)

Entry by: Privacy Commissioner for Personal Data, Hong Kong (PCPD)

Description of the initiative:

This territory-wide privacy protection initiative organized by the PCPD aims to raise awareness and to enhance understanding of the Personal Data (Privacy) Ordinance (PDPO) among SMEs through a mix of innovative and traditional means and the engagement of different stakeholders.

Why the initiative deserves to be recognised by an award?

Given the limited resources and manpower, it has always been a challenge for SMEs to comply with the requirements of the PDPO or to attend any related training. By using innovative measures and engaging relevant stakeholders, the above issues have been addressed, and the message of the importance of data protection has also been successfully conveyed to SMEs through this territory-wide data protection education initiative. Notably, just a phone call away, our specialised team of officers offers handy practical advice to SME operators.

Complete entry available here.

 

B11: ‘Preparing Ireland for the GDPR’ Awareness Initiative (Ireland, Data Protection Commission)

Entry by: Data Protection Commission, Ireland

Description of the initiative:

In 2017, the DPC launched a major initiative ‘Preparing Ireland for the GDPR’ to raise awareness of the GDPR. This initiative identified and coordinated a number of communication strands aimed at raising awareness among the business community and the public. National surveys carried out in May 2017 and May 2018 demonstrated a doubling of awareness of GDPR in Ireland during this period. By May 2018 over 90% of businesses were aware of the GDPR.

Why the initiative deserves to be recognised by an award?

The DPC commissioned surveys in May 2017 and May 2018 to provide concrete metrics to measure the impact of the “Preparing Ireland for the GDPR” awareness initiative. The survey results show a remarkable two-fold increase in GDPR awareness amongst SME businesses in Ireland (90% in May 2018) compared to last year (44% in May 2017). In addition, in 2018 compared to 2017, five times more SME business executives demonstrated knowledge of the consequences of GDPR for their organisations, along with a two-fold increase in pre-compliance activity in the small to medium enterprise sector.

Both our GDPRandYOU.ie guidance and our video adverts have been cited by the National Adult Literacy Agency of Ireland as exemplifying the principles of accessibility and understandability.

A lot of thought and effort was invested by the DPC in developing and coordinating the type of campaign that would have meaningful impact for stakeholders, that would be of real assistance to those organisations and individuals seeking to comply with the GDPR and, more generally, to raise public awareness of data protection rights.

The DPC “Preparing Ireland for the GDPR” initiative made a very significant contribution to achieving an extraordinary level of GDPR awareness among Irish business and the public. Over 80% of the Irish public were reached by our campaign, leading to GDPR awareness of over 90% in the business community.

Complete entry available here

 

B12: GDPR readiness guide for SMEs (Ireland, Data Protection Commission)

Entry by: Data Protection Commission, Ireland

Description of the initiative:

In order to assist SMEs in Ireland with their GDPR preparations, in December 2017 the DPC published ‘Preparing your organisation for the GDPR – a guide for SMEs’. This digital publication was made available free-of-charge in a downloadable PDF format on the DPC’s GDPR microsite, GDPRandYou.ie.

The guide also incorporated a checklist, which was also available for download in isolation. The guide was prepared in consultation with the Irish Small Firms Association.

Why the initiative deserves to be recognised by an award?

The guide was developed in response to the need to assist the SME sector to prepare for the GDPR. The readiness guide was prepared in consultation with the Irish Small Firms Association, which helped ensure that it was of real value to Irish SMEs.

The SME guide has proven to be a valuable resource to the DPC in driving compliance and awareness among SMEs. Organisations engaging with the DPC are routinely referred to the guide as a good practice compliance guide.

The SME guide, free to download, has been widely shared and disseminated on social media and feedback has been overwhelmingly positive.

The SME guide has even been disseminated by other organisations, as detailed at point f below.

Complete entry available here

 

B13: From Global to Local: Sharenting in Israel (Israel, PPA)

Entry by: Israel’s Privacy Protection Authority (PPA)

Description of the initiative:

This initiative is looking to promote public awareness of sharenting. This new term refers to parents’ oversharing of personal data which concerns their children.

PPA has realized that sharenting, while much discussed abroad, does not receive sufficient attention in the Israeli discourse. In order to encourage and generate a debate, PPA created a multi-layered plan consisting of four elements: cooperation with the Academy of the Hebrew Language; an informational video; a news article; and an op-ed.

Why the initiative deserves to be recognised by an award?

PPA’s initiative addresses common behavior in the digital-driven era which may be problematic.  This initiative is relevant to the challenges presented by technological developments, urging to consider the implications of current trends on the next generation.  As sharenting has become a global trend, the initiative touches upon the sensitive issue of children’s privacy vis-à-vis their parents and the society at large.  It highlights the need to balance between the interests of parents, and those of the children and their well-being.

This initiative accurately identifies that sharenting does not receive sufficient attention within the local discourse, and therefore requires an informed public debate.  In this context, it is looking to adapt the use of a global term to the local culture.

Importantly, PPA’s initiative takes into account that in order to increase awareness amongst the general public in an effective manner, it is necessary to move away from an exclusive focus on the governmental ‘voice’.  It therefore focused on building partnerships and mobilizing external actors of influence.

The initiative was highly successful, engaging with the public through different forms and outlets in a creative and innovative manner.  It also expanded the reach of PPA’s messaging and exposure to new audiences.

Complete entry available here.

 

B14: Privacy Meets Creativity (Israel, PPA)

Entry by: Privacy Protection Authority Israel

Description of the initiative:

Privacy Meets Creativity: PPA Collaborates with Habetzefer

In order to increase public awareness of the importance of privacy and data protection in the digital era, PPA has been cooperating with an Israeli Advertising Studies Institute, Habetzefer, highlighting the themes of informed consent, oversharing of personal information on the internet, as well as the fact that data protection is a global issue which concerns us all. Habetzefer students created campaigns which visually represent these notions.

Why the initiative deserves to be recognised by an award?

PPA’s initiative addresses relevant and topical issues in an unconventional manner. Collaborating with creative partners, it managed to come up with effective messages, targeting various audiences and expanding the reach of PPA’s impact and key messaging.

This initiative was developed in light of the understanding that in order to increase awareness amongst the general public in an effective manner, it is necessary to move away from an exclusive focus on the governmental ‘voice’.  It therefore focused on building partnerships and mobilizing external actors of influence.

The initiative has empowered young students and provided them an opportunity to use their talent and skills to promote the right to privacy in a creative and innovative way.  This was in line with the underlying message that “Privacy Concerns Us All”, including students and young people.  As a result of this initiative, the students effectively became privacy ‘ambassadors’, and they will hopefully promote and be mindful of the right to privacy in their future activities.

Complete entry available here

 

B15: Media Campaign: What You Don’t Share Offline, Don’t Share Online! (Israel, PPA)

Entry by: Privacy Protection Authority, Israel

Description of the initiative:

PPA launched a media campaign in order to increase awareness of oversharing of personal data in the digital sphere. Looking to demonstrate the potential risks to the right to privacy, PPA decided to focus on the manner in which privacy considerations become relevant to individuals in their daily routine, personal moments and relationships. It came up with a simple catchy slogan that will resonate well with the general public.

Why the initiative deserves to be recognised by an award?

This initiative addresses relevant and topical issues in an unconventional manner.  Collaborating with creative partners, it managed to come up with a simple and effective slogan, suitable to diverse audiences, thus expanding the reach of PPA’s impact and key messaging.

The campaign motivated the public to visit PPA’s website in which a new section has been devoted to privacy in the daily routine.  This section was recently launched and it contains information, guidance and resources regarding the right to privacy and the challenges involved in its protection. The Q&A section contains information on ‘hot’ topics such as privacy at the workplace, CCTV cameras and the right of access by the data subject.

The campaign was effectively used to expose the public to the launch of a new section on PPA’s website and to the availability of informative resources. It received more than 1.5 million overall views (in all platforms), including hundreds of thousands of complete views of videos, and hundreds of shares and comments on social networks. It contributed to a significant increase in the number of monthly visits to the website – from an average of 7,000 visits to 80,000 visits per month during the campaign period.

Complete entry available here

 

B16: Monitor of Transparency and Protector of my Personal Data Program (Mexico, INFOEM) 

Entry by: State of Mexico Transparency, Public Information Access and Personal Data Protection Institute of Estado de México and municipalities, (Instituto de Transparencia, Acceso a la Información Pública y Protección de Datos Personales del Estado de México y Municipios, INFOEM)

Description of the initiative:

The Monitor of Transparency and Protector of my Personal Data Program is implemented in State of Mexico schools to contribute to the formation of honest citizens. Children will be able to recognize their warranties by using a credential that makes them vigilant of the proper use of personal data and of transparency in their activities. This allows them to build a culture of protection of personal data that fosters a state of individual and collective security.

Why the initiative deserves to be recognised by an award?

The right of privacy and protection of personal data is distinguished by its fundamental nature, constitutionally recognised and an essential part of the international public agenda. In this context, the Infoem, as the guarantor of this right, has implemented proactive approach programs aimed at spreading knowledge, stimulating its exercise and consolidating its insertion in the democratic culture of the entity. This program is also a result of an agreement the Infoem has with the State of Mexico Ministry of Education which has been useful for the execution of the program.

This program stands out for its objective to achieve recognition of the Infoem and the rights protected by it and leads to form better informed, honest and aware citizens.

Children will become the future public servants, DPAs, CEOs and parents, and fostering the importance of protecting their data at an early age will make them conscious and better citizens.

Being “Monitor of Transparency and Protector of my Personal Data” is to be vigilant of the importance of taking care of personal data, which also leads to caring for integrity and wellbeing. So far, this program has sensitized 1960 children from different municipalities in the State of Mexico.

Complete entry available here

 

B17: The tool “Privacy Notices Generator for the Public Sector” (GAP for the public sector) (Mexico, INAI)

Entry by: National Institute for Transparency, Access to Information and Personal Data Protection (INAI Mexico)

Description of the initiative:

The tool “Privacy Notices Generator for the Public Sector” (GAP for the public sector) is an application compatible with the most used internet browsers that allows data controllers in the public sector to generate privacy notices in accordance with the corresponding law, based on an automated questionnaire. This, in order to comply with the information principle.

Why the initiative deserves to be recognised by an award?

The GAP for the public sector was developed from the analysis of the regulatory framework applicable to the public sector. Therefore, with the systematization of the information and the design of the dynamic questionnaire, those data controllers that use this tool can obtain information regarding what should be contained in a privacy notice. Furthermore, the tool allows the users to create any privacy notices that they require by inputting the relevant information into the tool’s questionnaire. Also, they can generate all the privacy notices that they require, depending on the personal data they process, without being specialists on this matter.

Through the questionnaire, the tool identifies and validates the user’s responses, showing the questions and / or sections required for each type of privacy notice, based on the previous responses. It also has interactive elements that include help information without having to leave the questionnaire. These elements allow any user to elaborate, through the tool, in an approximate time of one or two hours, a privacy notice in editable format.

We consider that the GAP for the public sector is an ideal tool to facilitate public sector data controllers’ compliance with the information principle.

Complete entry available here

 

B18: Electronic system for exercising the rights of access, rectification, cancellation and opposition (Mexico, INAI)

Entry by: National Institute for Transparency, Access to Information and Personal Data Protection (INAI Mexico)

Description of the initiative:

The electronic system for exercising the rights of access, rectification, cancellation and opposition (ARCO rights) integrated to the National Transparency Platform (NTP), allows citizens to exercise these rights, before more than 8,000 authorities belonging to the Executive, Legislative, Judicial Branches and autonomous bodies of the three levels of federal, state and municipal government. This, through an approved and accessible format for the entire country, which is available 365 days a year.

Why the initiative deserves to be recognised by an award?

Through a single Platform, two human rights can be exercised: access to information and the protection of personal data. This platform permits the exercise of these rights, before more than 8,000 authorities of the Executive, Legislative, Judicial branches and autonomous bodies at the federal level, as well as within Mexico’s 32 states. This, through an approved and accessible format for the entire country. (According to the World Bank, Mexico’s population is approximately 128 million inhabitants.)

The Platform is a unique tool of its kind, as it can be used from any device with Internet access, by providing citizens with the opportunity to exercise the right to the protection of personal data electronically.

Likewise, it is important to recognize the homologation of the formats -at federal level- established for each ARCO right, the distinction between the data subject and the legal representative as the applicant, as well as the recognition between the rights of a data subject, a minor, a deceased or of a person condemned to interdiction.

Finally, it is necessary to recognize the collaborative work between the local supervisory authorities and the INAI as the general manager of the NTP.

Complete entry available here

 

B19: Privacy Trust Mark (New-Zealand, Office of the Privacy Commissioner)

Entry by: Office of the Privacy Commissioner New Zealand

Description of the initiative:

The Privacy Trust Mark was designed to recognise privacy excellence in products and services. The trust mark demonstrates that a “privacy by design” approach was used and it’s intended to give consumer confidence. As organisations collect an increasing amount of information, and the consequences of accidental or malicious misuse of that information increase, it becomes more important to be able to identify products that are outstanding in the way they handle personal information.

Why the initiative deserves to be recognised by an award?

The Privacy Trust Mark project deserves to be awarded an ICDPPC Award because it promotes privacy positive behaviours by agencies and assists individuals to recognise products and services that are privacy enhancing. The Privacy Trust Mark is the only trust mark in New Zealand recognising privacy positive behaviours and only one of a handful of trust marks globally that are administered by data protection bodies. The Privacy Trust Mark is therefore world leading.

The Privacy Trust Mark allows agencies to show how well they have taken account of privacy values in the design of their product or service. It allows individuals to engage more confidently with the products and services they buy, and improves privacy practice across agencies through raising awareness of good privacy practice.

The Privacy Trust Mark enables our Office to proactively recognise outstanding work in privacy that goes beyond mere compliance. Not only does it allow our office to single out exceptional products, it:

  • Values actions that go beyond applying the Privacy Act;
  • Improves public awareness of privacy positive behaviour;
  • Encourages open and early engagement with our Office by agencies; and
  • Presents our Office as more than a punitive body.

Complete entry available here

 

B20: Public enquiries: a complementary solution (New-Zealand, Office of the Privacy Commissioner)

Entry by: Office of the Privacy Commissioner New Zealand

Description of the initiative:

The Office has used a complementary combination of “AskUs” – our online “intelligent” FAQs and an external call centre to answer public enquiries effectively and to a consistently high standard.

Why the initiative deserves to be recognised by an award?

The initiative is a double-pronged approach to answering public enquiries. Call centre staff refer to AskUs as a starting point. Call centre staff only refer the caller through to OPC staff if they cannot find a satisfactory answer on AskUs.

The range of answers available on AskUs is always growing, and so the resource is becoming more valuable over time.

Because call centre staff (and OPC staff) rely on AskUs to provide an answer, we can be confident as an organisation that we are giving high-quality and consistent privacy guidance to the public.

Complete entry available here

 

B21: Software development with Data Protection by Design and by Default (Norway, Datatilsynet)

Entry by: The Norwegian Data Protection Authority

Description of the initiative:

We have developed these guidelines to help organizations understand and comply with the requirement of data protection by design and by default in article 25 of the General Data Protection Regulation. We have cooperated with security professionals and software developers in the public and private sectors, among others. These guidelines are primarily intended for developers, software architects, project managers, testers, data protection officers and security advisors.

Why the initiative deserves to be recognised by an award?

The guidelines have to be specific and clear so that organisations that develop software, applications, services, systems etc. and follow the guide can later on get their processing activities certified and get a privacy seal or mark according to article 25 (3).

The framework is not meant to be a substitute for a company’s methodology for software development, but it is a supplement to ensure that privacy and security are included in the methodology.

There is abundant technical literature that focuses on security by design when developing software. Relatively little has, however, been written about data protection by design and by default when developing software. While working on this guide, we have used Software Development LifeCycle (SDLC), Microsoft Security Development Lifecycle (SDL) and ENISA’s Privacy and Data Protection by Design – from policy to engineering as a starting point, and explored how to incorporate privacy principles, subject rights, and the requirements of the GDPR into every step of the process.

The guidelines have already become a gold standard for developers and have been adopted by three universities in Norway. We think it is because the guide is specific and clear and has checklists that can be used directly by the different developer professions.

Complete entry available here

 

B22: Artificial intelligence and Privacy (Norway, Datatilsynet)

Entry by: The Norwegian Data Protection Authority

Description of the initiative:

This report looks at two of the hottest topics at the moment, artificial intelligence and the GDPR. We aim to raise awareness of how artificial intelligence works and how it can challenge the right to privacy and data protection. We explore which aspects of the GDPR may affect the development and use of artificial intelligence. What rights does the user have when being the subject of decision making by AI-based systems?

Why the initiative deserves to be recognised by an award?

The report arrived with perfect timing to make it a good counterbalance to the AI debates focusing mainly on efficiency and results. It makes a complex topic accessible, seen from both the technical and legal side. The report is not only focused on problems, but also outlines some tools and recommendations for usage, development and research.

AI and privacy is a good primer and toolkit for anyone working on, or interested in, this topic. It has gathered attention from parts of the government that want to use the technology, developers, as well as companies and institutions that research and develop the underlying technology.

We decided to translate the report into English to make it available to more than just Norway; we would also welcome others to translate it into new languages for availability.

The report has been promoted as highly recommended reading by the Future of Privacy Forum, extending its reach outside of the EU as well.

We believe that an award would help expose this very useful “tool” to an even wider audience, something that would be a great benefit for privacy and data protection.

Complete entry available here

 

B23: Comprehensive and dynamic Guide to GDPR and Law Enforcement Processing (United Kingdom, ICO)

Entry by: Information Commissioner’s Office (ICO), UK

Description of the initiative:

The ICO has developed a comprehensive and dynamic Guide to GDPR and Law Enforcement Processing. The Guide has been structured to provide a layered set of advice for data controllers and processors. It contains a range of information from ‘at a glance’ overviews of the key concepts in the legislation right through to detailed technical guidance. It is fully web-based and is constantly evolving. The next phase will involve embedding detail relevant to the UK Data Protection Act 2018.

Why the initiative deserves to be recognised by an award?

We receive consistent feedback from stakeholders nationally and internationally about the value of our practical guidance which is deliberately written in plain English and a very accessible style.

It is particularly relevant to note the Law Enforcement Processing content which we believe is a relatively unique source of support for those with an interest in this specific aspect of the new directive as part of the wider data protection regime.

The access figures clearly demonstrate the significant reach of these resources.

The Guide to the GDPR – published 21 November 2017 (figures correct as of 29 June 2018)

  • 2,714,751 unique visitors to the Guide front page
  • 11,264,949 unique visitors across the whole of the Guide
  • UK – 2,387,640 unique visitors to guide front page
  • 2nd – USA – 93,044
  • 3rd – Ireland – 19,983

Guide to the Law Enforcement Processing – published 5 April 2018

  • 11,509 unique visitors to Guide front page
  • 39,745 unique visitors across whole of the Guide
  • UK – 10,157 unique visitors to guide front page
  • 2nd – USA – 370
  • 3rd – Netherlands – 108

Complete entry available here

 

B24: Your Data Matters (United Kingdom, ICO)

Entry by: Information Commissioner’s Office (ICO), United Kingdom

Description of the initiative:

It’s only through increasing public trust and confidence that the potential of personal data will be unlocked.

For the public to have trust and confidence, they first need to understand the rights they have and the obligations that organisations have.

‘Your Data Matters’ is a long-term education campaign to help the UK public understand both the rights they have regarding their personal information and also the obligations that organisations have to look after it properly.

Why the initiative deserves to be recognised by an award?

Scope and relevance

This campaign has longevity with numerous opportunities for further development. We will update the materials with scenarios that connect directly back to every ICO announcement for at least two years (eg fines, new guidance, audits, trend reports). Each time the Your Data Matters fingerprint family will come to life and make the news relevant for the public.

Audience reach

Through this collaborative approach, the ICO, without a vast budget, will reach members of the public directly and ensure that they receive coherent and consistent messages.

The campaign is essential not only to the leading organisations we collaborated with, but also to any small and medium sized organisations who want to increase their customers’ confidence in them but need help to do it.

The UK’s National Health Service are an early adopter of the campaign and have used the material on over a million posters for GP surgeries and individual letters to patients.

Authority

By inviting organisations to partner with the regulator (ICO) we are ensuring that they commit to high standards of data protection. Our involvement gives the campaign materials more authority but also means the organisations are effectively asking the regulator to bear witness to their data protection commitment.

Link to the ICO Page: “Your Data Matters: building trust and confidence” for organisations
Link to the ICO Page: “Your Data Matters” for the public

Complete entry available here

 

B25: Lawful Basis Tool (United Kingdom, ICO)

Entry by: Information Commissioner’s Office (ICO), United Kingdom

Description of the initiative:

The ICO has developed an interactive, web based guidance tool to assist data controllers in assessing which lawful basis within the GDPR is likely to be most appropriate for processing that they intend to carry out.

Why the initiative deserves to be recognised by an award?

This tool represents a new and innovative way to deliver regulatory support and guidance to organisations. It builds on the approach and success of the ICO self-assessment toolkits and is particularly tailored to the needs of small and micro organisations. During the implementation phase of the GDPR a significant proportion of stakeholder queries that the ICO received related to Article 6. This interactive tool demonstrates that the ICO is a responsive and flexible regulator and that we are always learning and striving to develop the most useful resources to support data controllers in maintaining the very highest standards of data protection practice.

Complete entry available here

 

B26: FTC Recommends Steps to Improve Mobile Device Security Update Practices (United States of America, FTC)

Entry by: Federal Trade Commission (FTC, USA)

Description of the initiative:

A new FTC report finds that the complexity of the mobile ecosystem means that the security update process for patching operating system software on some mobile devices is intricate and time-consuming. The report recommends that manufacturers consider taking additional steps to get more security updates to user devices faster. It also recommends that manufacturers consider telling users how long a device will receive security updates and when update support is ending.

Why the initiative deserves to be recognised by an award?

Consumers use their mobile devices for a wide range of activities and want to have confidence that when they use them they will be secure. The report found, however, significant differences in how the industry deploys security updates and that more needs to be done to make it easier for consumers to ensure their devices are secure.

Security researchers and government agencies agree that it is important to install security updates that patch vulnerabilities in the device’s operating system. Many of these devices, however, remain without important security updates for long periods – either because no update is issued at all, because approving and deploying a patch is a lengthy process, or because users do not install available updates. The FTC report examines certain manufacturers’ security update practices and offers recommendations on how to improve the security update process.

A key finding of the report is that support periods, the time during which a device receives operating system updates, and update frequency vary widely, even among devices that cost the same, are made by the same company, or are serviced by the same carrier. A device may receive security updates for many years – or, in some instances, may not receive any updates at all.

Complete entry available here