The GDPR and You

The GDPR and You

Slides from a guest-lecture to the University of Prince Edward Island Philosophy 105, Technology, Values & Science class, February 12, 2018.

E2ed169f43b7aae4f46de5fa9ef837e9?s=128

Peter Rukavina

February 12, 2018
Tweet

Transcript

  1. The GDPR and You Technology, Values, Science Philosophy 105 University

    of Prince Edward Island February 12, 2018 Peter Rukavina • Guest Lecturer https://ruk.ca/
  2. “By 2010, our investment in Islanders’ health care had increased

    by 25 per cent or over $700 per capita – to $3,655, putting us above the national average of $3,500.” 2011 Budget Address
  3. I’m interested in obtaining a digital record of the transactions

    under what I would call, for lack of knowledge of the terminology, my “health care account” — in other words, all of the payments to doctors, specialists, hospitals, labs, etc. paid out by Health PEI attached to my Health Card account for as long as records are available. Email to Health PEI May 26, 2011 – Day 1
  4. Our Information Co-ordinator has indicated to me that you should

    submit a FOIPP (Freedom of Information and Protection of Privacy) request. Attached is the Access to Information form which you can complete and submit to our co-ordinator. Reply from Health PEI May 26, 2011 – Day 1
  5. FOIPP Request

  6. Digital record of financial transactions related to my health care

    (PEI Health Card # XXXXXX). I’m interested in all financial transactions related to doctors visits, hospital care, emergency room visits, lab tests, etc. with as much detail as available (date, amount, description, account, etc.). I would prefer the information in an open digital format, such as CSV or XML format. FOIPP Request
  7. 30 Days Later June 27, 2011 – Day 32

  8. What I Received… Physician Date Code Location (Printed report, not

    digital data)
  9. “However, a payment made to a physician is the physician’s

    personal information and is therefore not ours to disclose. General information related to payments for physicians can be found in the Master Agreement between the Medical Society of PEI and the Government of PEI.” But no financial data…
  10. So I appealed to the Information and Privacy Commissioner She

    agreed to open a review. August 18, 2011 – Day 84
  11. Clause 17(2)(c) of the Health Services Payments Act specifically authorizes

    the Minister to release the information I have requested: “the Minister may disclose information obtained in the administration of this Act, to the person who received the basic health services or to the legal representative or guardian of the person” and subsection 17(3) of the same act sets out the information that is authorized to be provided (emphasis mine): (a) basic health services provided;
 (b) the date on which the basic health services were provided;
 (c) the name and address of the person who provided the basic health services; (d) amounts paid under the plan; and
 (e) the person to whom payments were made from the plan. Sent more information… October 17, 2011 – Day 144
  12. Waited…

  13. Waited… Information and Privacy Commissioner informed me that her review

    would take longer than 90 days
  14. Waited… Waited… Information and Privacy Commissioner informed me that her

    review would take longer than 90 days
  15. Waited… Waited… Sent the Standing Committee on Legislative Management a

    letter asking for more resources for the Information and Privacy Commissioner Information and Privacy Commissioner informed me that her review would take longer than 90 days
  16. Waited… Waited… Sent the Standing Committee on Legislative Management a

    letter asking for more resources for the Information and Privacy Commissioner Waited… Information and Privacy Commissioner informed me that her review would take longer than 90 days
  17. “One more year…” Information and Privacy Commissioner sends a letter

    anticipating a ruling in February 2014 January 24, 2013 – Day 609
  18. “9 more months…” Information and Privacy Commissioner sends a letter

    anticipating a ruling in September 2014 January 16, 2014 – Day 966
  19. $879.37 February 26, 2014 – Day 1007

  20. European GDPR 1.Consent 2.Breach Notification 3.Right to Access 4.Right to

    be Forgotten 5.Data Portability 6.Privacy by Design
  21. Consent • the controller shall be able to demonstrate that

    the data subject has consented to processing of his or her personal data. • the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. • The data subject shall have the right to withdraw his or her consent at any time.
  22. Breach Notification • In the case of a personal data

    breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority • When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
  23. Right to Access The data subject shall have the right

    to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: 1. the purposes of the processing; 2. the categories of personal data concerned; 3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; 4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; 5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; 6. the right to lodge a complaint with a supervisory authority; 7. where the personal data are not collected from the data subject, any available information as to their source; 8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  24. Right to be Forgotten The data subject shall have the

    right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: 1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; 2. the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; 3. the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); 4. the personal data have been unlawfully processed;
  25. Data Portability • The data subject shall have the right

    to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine- readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
  26. Privacy by Design • Taking into account the state of

    the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
  27. European GDPR 1.Consent 2.Breach Notification 3.Right to Access 4.Right to

    be Forgotten 5.Data Portability 6.Privacy by Design
  28. Split into Groups of 3

  29. Design for GDPR 1. Select a personal-data-collecting website. 2. Identify

    aspects of the site that seem problematic for all or some of the GDPR. 3. Describe concrete steps you could take to improve compliance.
  30. None
  31. None
  32. European GDPR 1.Consent 2.Breach Notification 3.Right to Access 4.Right to

    be Forgotten 5.Data Portability 6.Privacy by Design