Entries submitted

B1: Office of the Victorian Information Commissioner (OVIC), Australia
B2: European Data Protection Supervisor (EDPS)
B3: CNIL, France
B4: Jersey Office of the Information Commissioner
B5: PIPC, Korea
B6: State of Mexico Transparency, Public Information Access and Personal Data Protection Institute of Estado de México and municipalities, INFOEM
B7: Turkish Personal Data Protection Authority
B8: Information Commissioner’s Office, UK

B1 – Entry by: Office of the Victorian Information Commissioner (OVIC)

Description of the initiative:

The Youth Advisory Group is a small group of young people aged between 15 – 20 years who gather to discuss privacy issues and raise awareness of privacy amongst young people in Victoria. YAG is an important stakeholder group, providing OVIC with a valuable youth perspective on privacy and assisting in the development of materials targeted towards young people.

Why the initiative deserves to be recognised by an award?

OVIC’s Youth Advisory Group is unique, with no similar groups existing in other jurisdictions across Australia. The Group provides OVIC with valuable insight into the privacy challenges facing young people, and a means to engage with this cohort. This channel is important, as raising privacy awareness and educating young people about privacy helps to minimise the privacy risks facing this group. Further, OVIC believes young people should have the opportunity to be involved and provide input into the initiatives and policies that will affect them.

In addition to the benefits to OVIC, the Youth Advisory Group also provides members with the opportunity to voice their opinions and ideas about privacy with a regulatory body, and contribute towards initiatives that raise privacy awareness. The Group allows members to meet other like-minded individuals who are passionate about privacy; develop their leadership, communication, social, and collaboration skills; and gain insight into government processes.

Members of the Youth Advisory Group assist OVIC to raise privacy awareness not only within the broader community, but also amongst their peers. They champion privacy by starting conversations about privacy, sharing resources, encouraging their peers to be conscious of their privacy, and speaking at public events about youth perspectives.

Complete entry available here

B2 – Entry by: European Data Protection Supervisor (EDPS)

Description of the initiative:

The EDPS has developed open source software tools to support a large-scale remote privacy inspection of websites. The tools collect evidence of personal data processing, such as cookies, or requests to third parties. The collection parameters are configured ahead of the inspection and then collection is carried out automatically. The collected evidence, structured in a human- and machine-readable format, is then used to generate inspection minutes and reports, to minimise manual workload..

Why the initiative deserves to be recognised by an award?

With the new EU data protection legislation applicable (e.g. GDPR), many websites have updated their privacy consent management mechanisms and rethought their personal data processing operations. This change, plus personal data breaches on websites, led to an increasing public awareness on privacy issues of websites and resulted in an increasing number of complaints to supervisory authorities.

The EDPS tools allow laypersons after a brief introduction to gather evidence on personal data processing operations of websites using a reproducible, reliable, and fast method. No third-party cloud service is involved to gather evidence. The tools are self-consistent and can be used in intranets without internet access. The open software license allows experts to adapt the tools to their own needs.

The tools allowed the EDPS to extend the scope of its web service inspection from just a few EU websites to potentially all websites that are covered by its mandate (>1000), which are now being inspected in groups. Since communicating the findings generated by the tools, the EDPS observed an increased privacy awareness of website controllers and data protection officials. In the future, these tools could help website controllers to carry out own audits in order to strengthen the EU’s accountability principle.

Complete entry available here

B3 – Entry by: Commission Nationale Informatique et Libertés (CNIL), France

Description of the initiative:

Données & Design (Data & Design) is a platform aiming at promoting design for privacy and creating a design community for data protection. It helps designers get a practical grip on the regulation and encourage the co-design of good privacy practices for user interface (UI) and user experience (UX). It provides case studies, interface assessment methodologies, and tools to co-design privacy-friendly alternatives to common design practices. Its community includes 500 members on Slack.

Why the initiative deserves to be recognised by an award?

As the CNIL highlighted in its 2019 Innovation et Foresight Report (Shaping Choices in the Digital World, From dark patterns to data protection: the influence of UX/UI design on user empowerment), it is necessary for DPAs to take design into account and guide design practitioners in understanding and applying the regulation, in an open and non-competitive approach, in order to ensure individuals stay in control of their data in the digital world.

Indeed, design has a prevailing role in shaping the relationships between individuals and the digital worlds: the interface is the first object of mediation between law, rights and individuals when it comes to data protection. As a result, this initiative aims at encouraging DPAs to take design into account in their compliance analysis, as well as guiding designers, and professionals who are usually unfamiliar with the regulation, in creating new visual grammars and interaction patterns respectful of privacy and data protection. Those complementary approaches are also a way to give body to the privacy by design principle by providing practical contents and tools for stakeholders to create privacy-friendly interfaces from the outset of their projects.

Complete entry available here

B4 – Entry by: Jersey Office of the Information Commissioner

Description of the initiative:

We use mobile phone apps for online shopping, banking, social media, theatre tickets and even food delivery… so what better way to provide our customers with easy access to our data protection laws and guidance than to develop our very own. We’re excited as at the time of writing this submission we are waiting for our Jersey Office of the Information Commissioner (JOIC) Resource App to be released from the App store.

Why the initiative deserves to be recognised by an award?

We believe we are the first regulator to launch a mobile app to bring data protection into the everyday lives of Islanders and this deserves recognition because;

  • The critical function of the App is to facilitate offline GDPR article references with a bookmarking facility that allows users to save relevant articles for future use.
  • The App reinforces the message that compliance, privacy and the law is important to everyone.
  • It has the capacity to grow, add more content and tools, to develop content to meet user demands and queries.
  • It enhances the visibility and accessibility of data protection, privacy and practical support all in a one stop shop resource.
  • We plan to continually develop the app creation to meet user demands and queries. Our aim is to create a sibling app to complement the work of our Young Privacy Ambassador Programme.
  • Using a familiar platform which is embedded in our everyday lives shows the JOIC as relevant to the digital era, while also demonstrating our commitment to being more visible and accessible.

Complete entry available here

B5 – Entry by: Personal Information Protection Commission of Korea

Description of the initiative:

The Privacy Risk Assessment System is aimed at assessing privacy risks in the laws, regulations and enforcement decrees to be enacted or revised by central administrative agencies when they intend to introduce or alter policies or systems involving personal data processing through such enactment or revision. Practically, central administrative agencies should submit to the PIPC all the laws, regulations and enforcement decrees to be enacted or revised, regardless of whether they entail personal data processing. It is because there should always be some grey area between what is personal data and what is not.

Why the initiative deserves to be recognised by an award?

The Privacy Risk Assessment System is very effective in protecting data subjects’ personal data as it allows privacy risks to be identified and assessed at the legislation stage, and recommendations to be made as necessary to get rid of privacy risks. This also contributes to avoiding data breaches and misuse/abuse of personal data in advance. The system is also significant in the sense that it helps to ensure consistency amongst data protection laws/provisions by identifying and removing duplicate or conflicting elements. The outcome of PIPC’s privacy risk assessment is also made public on the PIPC’s website and is available for further use by other agencies and citizens.

Complete entry available here

B6 – Entry by: State of Mexico Transparency, Public Information Access and Personal Data Protection Institute of Estado de México and municipalities, INFOEM

Description of the initiative:

INFOEM became an Assessment and Certification Entity of Labor Competences before the National Council for Standardization and Certification of Labor Competences, with the STANDARD “GUARANTEE THE RIGHT TO THE PROTECTION OF PERSONAL DATA”

The main purpose is to serve as references for the evaluation and certification of the head of transparency units in the State of México, besides complying with the law, INFOEM certificates the public servants that treats Personal Data and guarantees Access to Information.

Why the initiative deserves to be recognised by an award?

INFOEM is one of the only 2 entities in México that has all the procedure to evaluate and certify the Head of every Transparency Unit in State of Mexico and Municipalities.

There are 333 obligated subjects that have to guarantee the good practices on the rights of Data Protection and Access to Public Information to more than 17 million habitants in the State.

In order to achieve this certification, Infoem and CONOCER, Consejo Nacional de Normalización y Certificación de Competencias Laborales (National Council for Standardization and Certification of Labor Competences) have worked together so that public servants are able to guarantee they are perfectly qualified to treat personal information and guarantee the knowledge on the treatment of Data and ARCO rights as well as Access to Information procedures.

Complete entry available here

B7 – Entry by: Turkish Personal Data Protection Authority

Description of the initiative:

The initiative aims to prevent visual data of people to be recorded via webcam.

Some software and mobile applications that we use in our devices want to access camera. Users accept sharing our visual and audio records by giving permission unwittingly.

Webcam cover that is prepared as an example by the Authority should be assembled to aforementioned devices and when there is no need to use camera and webcam apparatus, it should be kept closed.

Why the initiative deserves to be recognised by an award?

This initiative aims to protect people from the results of harmful software like unlawfully camera recording. The Authority encourages people to use webcam covers while they do not use their camera in order not to expose to any unlawful video or visual recording. This initiative deserves to be recognised by an award because it is simple but innovative and creative apparatus.

Complete entry available here

B8 – Entry by: Information Commissioner’s Office, UK

Description of the initiative:

The ICO Research Grants Programme supports research and privacy enhancing solutions in significant areas of data protection risk that make a real difference to the UK public. It improves understanding of individuals’ view of privacy issues and interactions with new technologies and promotes the application of research results by relevant stakeholders, including policy makers. It has funded eight projects so far, with a third round to launch later in 2019.

Why the initiative deserves to be recognised by an award?

The ICO Grants Programme is the first competitive grants process run by a UK regulator and supports a wide variety of innovative projects that will inform good data protection practice across a large number of sectors. It embodies the ICO’s approach to upholding individuals’ data rights and effective data protection – not only through effective regulation, but through engagement and promotion of innovative research that promotes best practice.

The relevance of the ICO grants programme was demonstrated when it was mentioned by the UN’s Special Rapporteur on the Right to Privacy in his end of mission statement following his official visit to the UK.  The high quality outputs from projects such as LSE’s examination of children’s privacy have not only informed public debate, created a child led tool and driven academic discussion, but has also fed directly into the development of the ICO’s Age Appropriate Design Code, a key piece of  guidance regarding the online safety of children that is amongst the first of its kind in Europe.

We have high expectations that subsequent projects will continue our ability to uphold data rights, support vulnerable individuals and engage with emerging technologies and to continue to raise people’s trust in how their data is used.

Complete entry available here