LOPD - Spanish ethical and legal issues in the context of an international ICT/AAL project


Proposal for personal data management made in the context of a European project (from the AAL Joint Programme) where our main task was to develop a Spanish pilot site to test some Ambient Assisted Technologies with real elderly people.
  • 2. SPANISH APPLICABLE LAW
    Spanish Specific Legislation:
    ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data (LOPD)
      • LOPD implements Directive 95/46/EC into Spanish law
      • Main principles of Data Protection:
        - Quality of the data
        - Right of information in the collection of data
        - Consent of the data subject
        - Data security and duty of secrecy
      Unofficial English version available at: https://www.agpd.es/portalwebAGPD/english_resources/regulations/common/pdfs/Ley_Orgaica_15-99_ingles.pdf
    ROYAL DECREE 1720/2007, of 21 December, which approves the regulation implementing ORGANIC LAW 15/1999
      • Higher security measures for several types of personal data, based on the three levels of security for personal data: “basic”, “medium” and “high”
      • Security measures for paper files as well as electronic files. Security document needed.
      Unofficial English version available at: https://www.agpd.es/portalwebAGPD/english_resources/regulations/common/pdfs/reglamentolopd_en.pdf
  • 3. SPANISH APPLICABLE LAW
    Finally, other relevant European Directives:
      • Directive 95/46/EC of the European Parliament and of the Council of the European Union of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
      • Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
      • Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.
      • Directive 2002/22/EC of the European Parliament and of the Council of 7 March 2002 on universal service and users' rights relating to electronic communications networks and services (Universal Service Directive) [Official Journal L 108 of 24 April 2002].
    Also, a mention of other related Spanish legislation:
      • Law 34/2002 of 11 July of Information Society Services and Electronic Commerce (LSSICE).
      • Law 11/2007 of 22 June 2007 on Citizens' Electronic Access to Public Services (LAECSP).
      • Royal Decree 1671/2009, of 6 November 2009, which partially implements Law 11/2007, of 22 June, on Citizens' Electronic Access to Public Services.
      • Royal Decree 1494/2007, of November 12, by which the Regulations on basic conditions for access for disabled persons to technologies, products and services related to the information society and media are approved.
      • Law 41/2002, of 14th November, Regulating Patient Autonomy and Health Documentation and Information-Related Rights and Obligations.
  • 4. PERSONAL DATA PROTECTION CONCEPTS
    Some definitions (based on Organic Law 15/1999 and Royal Decree 1720/2007):
      • Personal data: any alphanumeric, graphic, photographic, acoustic or any other type of information pertaining to identified or identifiable natural persons.
      • Sensitive personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
      • Health-related personal data: information regarding the past, present and future health, physical or mental, of an individual. In particular, data referring to the level of disability and genetic information of a person are considered related to health.
      • Data subject: the natural person to whom the data undergoing processing pertain.
      • Data controller: a natural person or legal entity, public or private, or administrative body, that alone or jointly with others decides on the purpose, content and use of the processing, although he does not effectively do it.
      • Security officer: person or persons to whom the data controller has formally assigned the task of co-ordinating and controlling the applicable security measures.
      • Data processor: the natural person or legal entity, public or private, or administrative body that, alone or jointly with others, processes personal data on behalf of the data controller, due to the existence of legal relations binding them and delimiting the scope of his action for the provision of a service.
      • System of processing: manner in which an information system is organised or used. Depending on the system of processing, information systems may be automated, non-automated or partially automated.
  • 5. DATA PROTECTION AGENCY
    SPANISH DATA PROTECTION AGENCY
    Public corporation responsible for ensuring compliance with data protection legislation and monitoring its implementation, particularly with regard to the rights of information, access, rectification, opposition and cancellation of data.
    Agencia de Protección de Datos, C/ Jorge Juan, 6, CP. 28001, Madrid (Spain). Tel: +34 91 399 62 00. https://www.agpd.es
    Any person or body creating files of personal data shall first notify the Data Protection Agency. When there is an intention to create a filing system with several persons/entities acting as data controller, each one shall notify the creation of the corresponding filing system.
    Notification shall include information about, at least: data controller, filing system, data subject, service/unit of access, procedure/origin/categories of data, security measures and, if appropriate (international data transfers), the id. of data processor and the recipients of assignments, etc.
    There is a free on-line notification system (“NOTA”) available at the Agency's website: https://www.agpd.es/portalwebAGPD/canalresponsable/inscripcion_ficheros/Notificaciones_tele/index-ides-idphp.php
  • 6. PRINCIPLES OF PERSONAL DATA PROTECTION (LOPD)
    Quality of the data
      ✓ May be collected for processing only if it is relevant and not excessive in relation to the purposes for which it was obtained;
      ✓ May not be used for purposes incompatible with those for which the data was collected;
      ✓ Shall be accurate and updated; if proved to be inaccurate, shall be erased and replaced;
      ✓ Shall be erased when it has ceased to be necessary or relevant and shall be stored in a way which permits the right of access to be exercised, unless lawfully erased.
    Right of information
    Data subjects shall be informed about:
      a) The existence of…
        - a file or personal data processing operation,
        - the purpose of collecting the data,
        - the recipients of the information.
      b) Obligatory or voluntary nature of the reply to the questions put to them.
      c) Consequences of obtaining the data or of refusing to provide them.
      d) Possibility of exercising rights of access, rectification, erasure and objection.
      e) Identity and address of the controller or of his representative.
    All these rights must be shown to the data subjects in the data collection forms.
  • 7. DOCUMENTS FOR PERSONAL DATA PROTECTION (SPANISH LAW)
    Consent of the data subject
    “Any free, unequivocal, specific and informed indication of his wishes by which the data subject consents to the processing of personal data relating to him.”
      a) To collect and process personal data => an express, written, oral or implied informed consent of the data subject is needed.
      b) To collect and process sensitive personal data => an explicit written consent is needed.
    Data controller should keep adequate records to evidence the existence of such consent.
    If no objection after 30 days => it will be considered that data subject consents to the processing of his/her personal data (even though possibility of revocation shall be always available for data subject by free and simple means).
    Security document
    Data controller shall draw up a security document including the technical and organisational measures that shall be binding on the personnel with access to the information systems.
    The document shall contain, at least: measures/regulations/protocols for action; security rules and standards; related staff's tasks and obligations; structure/description of filing systems, security procedures/measures, etc.
    The Spanish Data Protection Agency (www.agpd.es) has published a Security Guide and a Model for Security Document (in Spanish).
  • 8. TRANSFER OF DATA
    Communication of data to third parties
      ✓ Only for related purposes, with the prior consent of the data subject.
      ✓ Data subject must be informed about the purpose for which the data will be used and the type of activity of the person to whom their disclosure is intended.
      ✓ Assignee must also comply with the Data Protection Law.
      ✓ Exception: Communication preceded by dissociation procedure.
    Movement of data to third countries
    Data processing that implies transmission to third countries requires the authorisation of the Director of the Spanish Data Protection Agency.
    Exceptions:
      a. If the transfer takes place to a Member State of the European Union.
      b. If the country in which the importer is located offers an adequate level of protection.
    In any case, an international transfer of data shall be notified to the Spanish Data Protection Agency, in order to proceed with its registration in the General Data Protection Register.
  • 9. RIGHTS AND OBLIGATIONS
    Data Controller obligations
      ✓ Request only necessary data
      ✓ Inform the data subject about the collection of the data
      ✓ Obtain consent of the data subject for processing and for transfer of data
      ✓ Implementation of security measures (basic, medium or high level)
      ✓ Notification to the Spanish Data Protection Agency
      ✓ Preparation and updating of the security document
    Data Subject Rights
      ✓ Access, rectify or cancel his/her personal data.
      ✓ Access to a free way of objecting to his/her data processing (by calling a free telephone number, etc).
      ✓ Compensation
  • 10. SECURITY MEASURES IN THE PROCESSING OF PERSONAL DATA
    SECURITY LEVELS, with the affected data and the security measures (applicable to automated files) for each:
    Basic level (Royal Decree 1720/2007 Chapter III, Section 1)
      • Affected data: Any file or processing of personal data
      • Security measures:
        - The functions and obligations of staff
        - Record of incidents
        - Access control
        - Management of supports and documents
        - Identification and authentication
        - Backup copies and recovery
    Medium level (Royal Decree 1720/2007 Chapter III, Section 2)
      • Affected data:
        - Data of criminal or administrative offences
        - Data controlled by: Tax administrations; Financial institutions; Management Agencies and Common Services of the Social Security; Mutual Funds for accidents at work and illness associated with the SS
        - Data referring to citizen’s identity or behaviour
      • Security measures (+ Basic level measures):
        - Security officer
        - Audit
        - Management of supports and documents
        - Identification and authentication
        - Physical access control
        - Record of incidents
    High level (Royal Decree 1720/2007 Chapter III, Section 3)
      • Affected data: Data about:
        - Ideology, trade union membership, religion, beliefs, racial origin, health or sex life
        - The citizen, collected for security forces without his/her consent
        - Acts of gender-based violence
      • Security measures (+ Medium level measures):
        - Management and distribution of media
        - Backup copies and recovery
        - Access record
        - Telecommunications
  • 11. DISSOCIATION OF DATA
    Scope of the Spanish Law in Data Protection
    The Organic Law 15/1999 and Royal Decree 1720/2007 establish its scope to…
    “personal data recorded on a physical support which makes them capable of processing, and to any type of subsequent use of such data by the public and private sectors.”
    establishing the concept of “PERSONAL DATA” as…
    “any alphanumeric, graphic, photographic, acoustic or any other type of info. pertaining to identified or identifiable natural persons.”
    …and specify what “IDENTIFIABLE PERSON” means:
    “any person who may be identified, directly or indirectly, through any information regarding his physical, physiological, psychological, economic, cultural or social identity. A natural person shall not be deemed identifiable if such identification requires disproportionate periods of time or activities.”
    Finally, introduces the concept of “DISSOCIATED DATA”:
    “that not allowing identification of the data subject.”
    and of the “DISSOCIATION PROCEDURE”:
    “any data processing allowing dissociated data to be obtained.”
    In CONCLUSION…
      ✓ Spanish data protection requirements do not apply to non-identifiable / anonymous data, which is not considered as “personal data” and not subject to personal data regulations.
      ✓ Data can be processed by means that do not allow the direct or indirect identification of individual.
  • 12. DATA PROCESSING, CONCLUSIONS
    Our proposal for data processing in the context of MobileSage project
    SPANISH PILOT SITE
      • CALL FOR USERS
        - Name, surname; Telephone number; Age, Gender, …
        - Basic level measures
      • “FIELD WORK”: EVALUATION SESSIONS
        - Evaluation nº1 (e.g. previous, on scenarios)
        - Evaluation nº2 (e.g. during; on dev. prototypes)
        - Evaluation nº3 (e.g. post.; on final prototypes)
        - Behaviour data; Health data; Age; Gender; …
      • Results
      • Dissociation of data: “User 1”, “User 2”, “User 3”, …
    MOBILE SAGE CONSORTIUM
      • Just aggregated info:
        - User 1: Data 1.1, Data 1.2, …
        - User 2: Data 2.1, Data 2.2, …
        - User 3: Data 3.1, Data 3.2, …
        - …
      • No “Spanish” required measures
      • European required measures (e.g. consent of data subject)
    Who will be the data controller?