The GDPR and You Technology, Values, Science Philosophy 105 University of Prince Edward Island February 12, 2018 Peter Rukavina • Guest Lecturer https://ruk.ca/
“By 2010, our investment in Islanders’ health care had increased by 25 per cent or over $700 per capita – to $3,655, putting us above the national average of $3,500.” 2011 Budget Address
I’m interested in obtaining a digital record of the transactions under what I would call, for lack of knowledge of the terminology, my “health care account” — in other words, all of the payments to doctors, specialists, hospitals, labs, etc. paid out by Health PEI attached to my Health Card account for as long as records are available. Email to Health PEI May 26, 2011 – Day 1
Our Information Co-ordinator has indicated to me that you should submit a FOIPP (Freedom of Information and Protection of Privacy) request. Attached is the Access to Information form which you can complete and submit to our co-ordinator. Reply from Health PEI May 26, 2011 – Day 1
Digital record of financial transactions related to my health care (PEI Health Card # XXXXXX). I’m interested in all financial transactions related to doctors visits, hospital care, emergency room visits, lab tests, etc. with as much detail as available (date, amount, description, account, etc.). I would prefer the information in an open digital format, such as CSV or XML format. FOIPP Request
“However, a payment made to a physician is the physician’s personal information and is therefore not ours to disclose. General information related to payments for physicians can be found in the Master Agreement between the Medical Society of PEI and the Government of PEI.” But no financial data…
Clause 17(2)(c) of the Health Services Payments Act specifically authorizes the Minister to release the information I have requested: “the Minister may disclose information obtained in the administration of this Act, to the person who received the basic health services or to the legal representative or guardian of the person” and subsection 17(3) of the same act sets out the information that is authorized to be provided (emphasis mine): (a) basic health services provided; (b) the date on which the basic health services were provided; (c) the name and address of the person who provided the basic health services; (d) amounts paid under the plan; and (e) the person to whom payments were made from the plan. Sent more information… October 17, 2011 – Day 144
Waited… Waited… Sent the Standing Committee on Legislative Management a letter asking for more resources for the Information and Privacy Commissioner Information and Privacy Commissioner informed me that her review would take longer than 90 days
Waited… Waited… Sent the Standing Committee on Legislative Management a letter asking for more resources for the Information and Privacy Commissioner Waited… Information and Privacy Commissioner informed me that her review would take longer than 90 days
Consent • the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. • the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. • The data subject shall have the right to withdraw his or her consent at any time.
Breach Notification • In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority • When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
Right to Access The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: 1. the purposes of the processing; 2. the categories of personal data concerned; 3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; 4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; 5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; 6. the right to lodge a complaint with a supervisory authority; 7. where the personal data are not collected from the data subject, any available information as to their source; 8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Right to be Forgotten The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: 1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; 2. the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; 3. the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); 4. the personal data have been unlawfully processed;
Data Portability • The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine- readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
Privacy by Design • Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
Design for GDPR 1. Select a personal-data-collecting website. 2. Identify aspects of the site that seem problematic for all or some of the GDPR. 3. Describe concrete steps you could take to improve compliance.
reinvented
motherhoodinadhd
martine
vtryo
matleenalaakso
asial_corp
amarelo_n24
bernhardsvt
ashitanoterakoya
samuraicurry
ainischool
hide2kano
gmoriki
morganepeng
jnunemaker
jrom
cromwellryan
bryan
62gerente
eitanlees
danielanewman
davidbonilla
geeforr
sachag