Axa Assurance Maroc - Insurer Innovation Award 2024
EDF2013: Selected Talk: František Nonnemann: Re-use of PSI and Personal Data Protection
1. Re-use of PSI and Personal
Data Protection
František Nonnemann
European Data Forum 2013, Dublin
2. Content of Presentation
Introduction
Public sector information
European legislation
Key issues and Czech approach
Discussion
2
3. Introduction
Public sector processes big ammount
of information (PSI) which can be used
by private sector for different purposes.
Some categories of PSI has specific
nature, like personal data which
processing must fulfill DP legislation.
CZ has specific regulation for processing
lawfully published personal data –
inspiration?
3
4. Public Sector Information
All information which are
collected, produced, disseminated and
processed
in other ways by public sector.
For example
social, economic, geographical, weather, t
ourist, business, patent
or educational information.
4
5. Personal Data
Any information relating to an identified
or identifiable nature person.
An identifiable person is one who can
be identified, directly or indirectly,
by reference to an identification number
or to one or more factors specific to his
identity.
Special categories of data – strict mode.
5
6. Processing of Personal
Data
Any operation or set of operations, such
as
collection, recording, storage, adaptation,
use, disclosure etc.
Publishing of personal data (1st controller)
and their re-use by new subject
(2nd controller) is processing.
6
7. European Legislation
Directive 2003/98/EC on the re-use
of public sector information.
Definitions, general principles, not concrete
regulation
Proposal for amendment to PSI-
Directive, COM 2011/0877 final –
2011/0430 (COD).
Extension of the scope, charges, formats
of published documents etc.
7
8. Re-use and Data
Protection
Directive 2003/98/EC, Recital 21:
This Directive should be implemented and
applied in full compliance with the principles
relating to the protection of personal data
in accordance with Directive 1995/46/EC
of the European Parliament and of the
Council on the protection of individuals with
regard
to the processing of personal data and
of the free movement of such data.
8
9. Re-use and Data
Protection
Directive 1995/46/EC, Recital 72:
Whereas this Directive allows the principle
of public access to official documents
to be taken into account when implementing
the principles set out in this Directive.
9
10. Key Issues
No specific regulation of data protection
within the re-use of PSI.
Problems:
Legal title.
Purpose limitation.
Information obligation.
Anonymisation as a solution?
Squaring the circle – anonymous data
and useful at the same time.
10
11. Legal Title
Personal data might be processed only
on the basis of proper legal title.
Consent is not realistic in re-use of PSI.
Public body needs statutory authorization.
Re-user?
Art. 7/f of Directive 95/46/EC?
Czech solution – art. 5/2/d DP Act.
11
12. Purpose Limitation
Personal data must be collected for
specified, explicit and legitimate purposes
and not further processed in a way
incompatible with those purposes.
Controller (re-user) determines the
purpose – (non)commercial re-use of PSI
– on his own, he processes data for this
specified purpose.
12
13. Information Obligation
Data subject must be given a set
of information about processing of his
data.
Even if the data have not been obtained
from the data subject, controller must
provide him with the information at the
time of recording or dislocing data to third
person.
Exemptions:
Art. 11/2 of Directive 95/46/EC.
13 Art. 11/3/c of Czech DP Act.
14. Other CZ Exemptions
Notification obligation: Art. 18/1/a:
The notification obligation shall not apply
to processing of personal data that are part
of data files publicly accessible on the basis
of a special Act.
Transfer to third countries: Art. 27/3/c DP Act:
The transfer of personal data may be carried
out if the controller proves that the personal
data concerned are part of publicly
accessible data files on the basis of a special
Act.
14
15. Remaining Obligations
Some obligations remain:
Data subject's right to access to information
Data subject's right to correct inaccurate
personal data.
Controllers obligation to secure processed
personal data.
Minimization of interference with privacy –
proportionality test.
15
16. Conclusion
Re-use of PSI might bring new economic
possibilities, new ICT services etc.
Information to be made legally public may
vary state from state.
Regulation of other aspects of re-use
is a necessity: personal data
protection, copyright, commercial secrets
etc.
16
17. Thank you for your attention.
Questions?
frantisek.nonnemann@uoou.cz
17