The GDPR and You

Slides from a guest lecture to the University of Prince Edward Island Philosophy 105, Technology, Values & Science class, February 12, 2018.

Peter Rukavina

February 12, 2018

Transcript

  1. The GDPR and You
    Technology, Values, Science
    Philosophy 105
    University of Prince Edward Island
    February 12, 2018
    Peter Rukavina • Guest Lecturer
    https://ruk.ca/

  2. “By 2010, our investment in Islanders’
    health care had increased by 25 per
    cent or over $700 per capita – to
    $3,655, putting us above the national
    average of $3,500.”
    2011 Budget Address

  3. I’m interested in obtaining a digital record
    of the transactions under what I would call,
    for lack of knowledge of the terminology, my
    “health care account” — in other words, all
    of the payments to doctors, specialists,
    hospitals, labs, etc. paid out by Health PEI
    attached to my Health Card account for as
    long as records are available.
    Email to Health PEI
    May 26, 2011 – Day 1

  4. Our Information Co-ordinator has indicated
    to me that you should submit a FOIPP
    (Freedom of Information and Protection
    of Privacy) request. Attached is the Access
    to Information form which you can complete
    and submit to our co-ordinator.
    Reply from Health PEI
    May 26, 2011 – Day 1

  5. FOIPP Request

  6. Digital record of financial transactions
    related to my health care (PEI Health Card #
    XXXXXX). I’m interested in all financial
    transactions related to doctors’ visits,
    hospital care, emergency room visits, lab
    tests, etc. with as much detail as available
    (date, amount, description, account, etc.).
    I would prefer the information in an open
    digital format, such as CSV or XML format.
    FOIPP Request

  7. 30 Days Later
    June 27, 2011 – Day 32

  8. What I Received…
    Physician Date Code
    Location
    (Printed report, not digital data)

  9. “However, a payment made to a physician
    is the physician’s personal information
    and is therefore not ours to disclose.
    General information related to payments for
    physicians can be found in the Master
    Agreement between the Medical Society of
    PEI and the Government of PEI.”
    But no financial data…

  10. So I appealed to the
    Information and Privacy
    Commissioner
    She agreed to open
    a review.
    August 18, 2011 – Day 84

  11. Clause 17(2)(c) of the Health Services Payments Act specifically
    authorizes the Minister to release the information I have requested:
    “the Minister may disclose information obtained in the
    administration of this Act, to the person who received the basic
    health services or to the legal representative or guardian of the
    person” and subsection 17(3) of the same act sets out the
    information that is authorized to be provided (emphasis mine):
    (a) basic health services provided;
    (b) the date on which the basic health services were provided;
    (c) the name and address of the person who provided the basic
    health services;
    (d) amounts paid under the plan; and
    (e) the person to whom payments were made from the plan.
    Sent more information…
    October 17, 2011 – Day 144

  12. Waited…

  13. Waited…
    Information and Privacy Commissioner informed
    me that her review would take longer than 90 days

  14. Waited…
    Waited…
    Information and Privacy Commissioner informed
    me that her review would take longer than 90 days

  15. Waited…
    Waited…
    Sent the Standing Committee on Legislative
    Management a letter asking for more resources
    for the Information and Privacy Commissioner
    Information and Privacy Commissioner informed
    me that her review would take longer than 90 days

  16. Waited…
    Waited…
    Sent the Standing Committee on Legislative
    Management a letter asking for more resources
    for the Information and Privacy Commissioner
    Waited…
    Information and Privacy Commissioner informed
    me that her review would take longer than 90 days

  17. “One more year…”
    Information and Privacy Commissioner sends a
    letter anticipating a ruling in February 2014
    January 24, 2013 – Day 609

  18. “9 more months…”
    Information and Privacy Commissioner sends a
    letter anticipating a ruling in September 2014
    January 16, 2014 – Day 966

  19. $879.37
    February 26, 2014 – Day 1007

  20. European GDPR
    1. Consent
    2. Breach Notification
    3. Right to Access
    4. Right to be Forgotten
    5. Data Portability
    6. Privacy by Design

  21. Consent
    • the controller shall be able to demonstrate that the
    data subject has consented to processing of
    his or her personal data.
    • the request for consent shall be presented in a
    manner which is clearly distinguishable from the
    other matters, in an intelligible and easily
    accessible form, using clear and plain language.
    • The data subject shall have the right to
    withdraw his or her consent at any time.

  22. Breach Notification
    • In the case of a personal data breach, the controller
    shall without undue delay and, where feasible, not
    later than 72 hours after having become
    aware of it, notify the personal data breach to the
    supervisory authority
    • When the personal data breach is likely to result in a
    high risk to the rights and freedoms of natural
    persons, the controller shall communicate the
    personal data breach to the data subject without
    undue delay.

  23. Right to Access
    The data subject shall have the right to obtain from the controller confirmation as to whether or
    not personal data concerning him or her are being processed, and, where that is the case,
    access to the personal data and the following information:
    1. the purposes of the processing;
    2. the categories of personal data concerned;
    3. the recipients or categories of recipient to whom the personal data have been or will be
    disclosed, in particular recipients in third countries or international organisations;
    4. where possible, the envisaged period for which the personal data will be stored, or,
    if not possible, the criteria used to determine that period;
    5. the existence of the right to request from the controller rectification or erasure of personal
    data or restriction of processing of personal data concerning the data subject or to object to
    such processing;
    6. the right to lodge a complaint with a supervisory authority;
    7. where the personal data are not collected from the data subject, any available information as
    to their source;
    8. the existence of automated decision-making, including profiling, referred to in Article
    22(1) and (4) and, at least in those cases, meaningful information about the logic involved,
    as well as the significance and the envisaged consequences of such processing for the data
    subject.

  24. Right to be Forgotten
    The data subject shall have the right to obtain from the controller the
    erasure of personal data concerning him or her without undue
    delay and the controller shall have the obligation to erase personal
    data without undue delay where one of the following grounds
    applies:
    1. the personal data are no longer necessary in relation to the
    purposes for which they were collected or otherwise processed;
    2. the data subject withdraws consent on which the processing is based
    according to point (a) of Article 6(1), or point (a) of Article 9(2), and
    where there is no other legal ground for the processing;
    3. the data subject objects to the processing pursuant to Article 21(1)
    and there are no overriding legitimate grounds for the processing, or
    the data subject objects to the processing pursuant to Article 21(2);
    4. the personal data have been unlawfully processed;

  25. Data Portability
    • The data subject shall have the right to receive
    the personal data concerning him or her,
    which he or she has provided to a controller, in a
    structured, commonly used and machine-
    readable format and have the right to
    transmit those data to another controller
    without hindrance from the controller to which the
    personal data have been provided.

  26. Privacy by Design
    • Taking into account the state of the art, the cost of
    implementation and the nature, scope, context and purposes of
    processing as well as the risks of varying likelihood and severity
    for rights and freedoms of natural persons posed by the
    processing, the controller shall, both at the time of the
    determination of the means for processing and at the time of the
    processing itself, implement appropriate technical and
    organisational measures, such as pseudonymisation, which
    are designed to implement data-protection principles, such as
    data minimisation, in an effective manner and to integrate the
    necessary safeguards into the processing in order to meet the
    requirements of this Regulation and protect the rights of data
    subjects.

  27. European GDPR
    1. Consent
    2. Breach Notification
    3. Right to Access
    4. Right to be Forgotten
    5. Data Portability
    6. Privacy by Design

  28. Split into Groups of 3

  29. Design for GDPR
    1. Select a personal-data-collecting
    website.
    2. Identify aspects of the site that seem
    problematic for all or some of the
    GDPR.
    3. Describe concrete steps you could
    take to improve compliance.

  32. European GDPR
    1. Consent
    2. Breach Notification
    3. Right to Access
    4. Right to be Forgotten
    5. Data Portability
    6. Privacy by Design
