EDF2013: Selected Talk: František Nonnemann: Re-use of PSI and Personal Data Protection
1 like1,409 views
The document discusses the re-use of public sector information (PSI) in relation to personal data protection, highlighting European legislation and regulations that govern this area. Key issues include the lack of specific regulation for data protection in the re-use of PSI, the need for legal titles for processing personal data, and the obligations of data controllers. It concludes that while re-use of PSI can offer economic opportunities, careful regulation is needed to address personal data protection and related legal aspects.
EDF2013: Selected Talk: František Nonnemann: Re-use of PSI and Personal Data Protection
- 1. Re-use of PSI and Personal Data Protection František Nonnemann European Data Forum 2013, Dublin
- 2. Content of Presentation Introduction Public sector information European legislation Key issues and Czech approach Discussion 2
- 3. Introduction Public sector processes big ammount of information (PSI) which can be used by private sector for different purposes. Some categories of PSI has specific nature, like personal data which processing must fulfill DP legislation. CZ has specific regulation for processing lawfully published personal data – inspiration? 3
- 4. Public Sector Information All information which are collected, produced, disseminated and processed in other ways by public sector. For example social, economic, geographical, weather, t ourist, business, patent or educational information. 4
- 5. Personal Data Any information relating to an identified or identifiable nature person. An identifiable person is one who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his identity. Special categories of data – strict mode. 5
- 6. Processing of Personal Data Any operation or set of operations, such as collection, recording, storage, adaptation, use, disclosure etc. Publishing of personal data (1st controller) and their re-use by new subject (2nd controller) is processing. 6
- 7. European Legislation Directive 2003/98/EC on the re-use of public sector information. Definitions, general principles, not concrete regulation Proposal for amendment to PSI- Directive, COM 2011/0877 final – 2011/0430 (COD). Extension of the scope, charges, formats of published documents etc. 7
- 8. Re-use and Data Protection Directive 2003/98/EC, Recital 21: This Directive should be implemented and applied in full compliance with the principles relating to the protection of personal data in accordance with Directive 1995/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and of the free movement of such data. 8
- 9. Re-use and Data Protection Directive 1995/46/EC, Recital 72: Whereas this Directive allows the principle of public access to official documents to be taken into account when implementing the principles set out in this Directive. 9
- 10. Key Issues No specific regulation of data protection within the re-use of PSI. Problems: Legal title. Purpose limitation. Information obligation. Anonymisation as a solution? Squaring the circle – anonymous data and useful at the same time. 10
- 11. Legal Title Personal data might be processed only on the basis of proper legal title. Consent is not realistic in re-use of PSI. Public body needs statutory authorization. Re-user? Art. 7/f of Directive 95/46/EC? Czech solution – art. 5/2/d DP Act. 11
- 12. Purpose Limitation Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Controller (re-user) determines the purpose – (non)commercial re-use of PSI – on his own, he processes data for this specified purpose. 12
- 13. Information Obligation Data subject must be given a set of information about processing of his data. Even if the data have not been obtained from the data subject, controller must provide him with the information at the time of recording or dislocing data to third person. Exemptions: Art. 11/2 of Directive 95/46/EC. 13 Art. 11/3/c of Czech DP Act.
- 14. Other CZ Exemptions Notification obligation: Art. 18/1/a: The notification obligation shall not apply to processing of personal data that are part of data files publicly accessible on the basis of a special Act. Transfer to third countries: Art. 27/3/c DP Act: The transfer of personal data may be carried out if the controller proves that the personal data concerned are part of publicly accessible data files on the basis of a special Act. 14
- 15. Remaining Obligations Some obligations remain: Data subject's right to access to information Data subject's right to correct inaccurate personal data. Controllers obligation to secure processed personal data. Minimization of interference with privacy – proportionality test. 15
- 16. Conclusion Re-use of PSI might bring new economic possibilities, new ICT services etc. Information to be made legally public may vary state from state. Regulation of other aspects of re-use is a necessity: personal data protection, copyright, commercial secrets etc. 16
- 17. Thank you for your attention. Questions? frantisek.nonnemann@uoou.cz 17