  • Slides: 13

UNIVERSITY OF OSLO USIT
Re: Study on the privacy issues arising with the public pan-European White Pages service
Walter M. Tveter, GT/SAPP/USIT/UiO, w.m.tveter@usit.uio.no
© CENTER FOR INFORMATION TECHNOLOGY SERVICES Page 1

Contents of the study
➢ General information on privacy legislation
➢ Technical information concerning directory services
➢ The application of privacy legislation on the technical platforms described

Goal of the study
To describe a functional system for European educational directory services within the borders of the Directive 95/46/EC and the national implementations of it.

Starting point: the law
➢ Many national implementations of the Directive (95/46/EC). Impractical to use different national laws, since not all have chosen to follow the Directive's structure.
➢ The Directive lays out a framework that all national implementations have to follow. If we can build something that works with the Directive, it should work with the different national implementations.
➢ The motivation for 95/46/EC

Status of the Directive
• Conference in Brussels 30/9 - 1/10 2002
  ➢ questionnaire on the Internet
  ➢ implementation of the Directive
  ➢ development in technology etc.
• Proposal for change from Sweden, UK and more.
  ➢ internet publishing / transfer to third countries
  ➢ information to the data subject
  ➢ notification
• Signal from the Commission is no change now, implementation first

Who controls the data
➢ The Controller
➢ The controller has legitimate grounds for processing
➢ If the data is controlled by another, then this entity will be the controller, and will need legitimate grounds for processing.

The Controller's responsibility
➢ integrity
➢ confidentiality
➢ availability
➢ revocability
➢ legitimate grounds for processing and other general provisions

The Directive's chapter IV - transferring personal information to third countries
➢ Art. 25
  ➢ Makes it unlawful to transfer personal information to 'third countries'
➢ Art. 26
  ➢ Provides derogations from Art. 25.
  ➢ None of them fit that well for nrn-directories
  ➢ The best is probably: “(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request; or”
  ➢ Works well for employees, not that well with students.

Using a data processor #1
17. ...
2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.

Using a data processor #2
17. ...
3. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
- the processor shall act only on instructions from the controller,
- the obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.

Using a data processor #3
17. ...
4. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form.
➢ There must be an agreement between the controller and the processor
➢ This should be written, but one can imagine digitally signed agreements.
➢ The controller must be able to revoke information

Policy questions
➢ Policy towards illegitimate attempts to access data
  ➢ individuals
  ➢ companies
  ➢ countries?
➢ Policy towards which grounds one chooses for processing and if they should be common
➢ Data protection officer
