German DPA (Rheinland-Pfalz) issues 105.000 EUR fine on hospital

.. due to privacy issues related to patient management.
The fine is based on several breaches of the General Data Protection Regulation in the framework of a patient mix-up when admitting the patient. This resulted in incorrect invoicing and revealed structural technical and organisational deficits in the hospital’s patient and privacy management.

A Day in the Life of an AI project (privacy design and AI phases)

Great presentation that breaks down what needs to be considered from a privacy point of view in the different phases of an AI project.

My hope is to turn these into a “checklist” for new AI experiments that are run on pre-assessed AI platforms. (I’m very interested in comments).

Full slides from DPC19 :

https://iapp.my.salesforce.com/sfc/p/#1a000000HSGV/a/1P000000XeTO/7xOqxD1UampJRpDFr37qKWaLBKb9Ge2ZHgUUFBoiP6g

Phases of an AI project

  • Scoping
    • Problem identification
    • Impact of the AI?
    • Purpose limitation
    • Planning of solution & resources
  • Identify Data Sources
    • Getting access, data transfer
    • Compliance requirements for the data
    • Data minimization & pseudonymization
  • Data Pre-Processing
    • Exploratory Data Analysis
    • Feature selection (data minimization)
    • Feature engineering
    • Anonymization/pseudonymization
  • Modeling
    • Training, validation, testing
    • Does the model generalize well? (Test for bias/variance)
    • Support explanation
  • Deployment
    • Re-identification risk: Will the analysis or model be published?
    • Explanation to domain experts and/or data subjects
    • Incremental learning
    • Human-in-the-loop
  • Request of data subjects
    • Rights to get an explanation
    • Right to be forgotten

Denmark: DPA rules that insisting without exceptions on ID validation in connection with Data Subject Request is not compliant with GDPR

The Danish Data Protection Authority concluded that requesting data subjects to submit a passport, driver’s license, or national identity card, in order to support the exercise of their rights does not comply with the GDPR.

The Danish Data Protection Authority has ruled in a case in which a British citizen complained that Pandora A / S had asked him to submit a passport, driver’s license or national identity card before Pandora would consider his request for deletion.

Pandora stated that, for security reasons, the company had established a general procedure for submitting credentials in connection with requests to exercise the rights of data subjects.

The Data Inspectorate found that Pandora’s general procedure, *which without exception required ID validation* in connection with processing requests for the exercise of data subjects’ rights, did not comply with the Data Protection Regulation.

The Danish Data Protection Authority emphasized, among other things, that the data controller has a duty to make a concrete assessment of whether there is a reasonable doubt about the identity of the natural person when receiving requests for the exercise of data subjects’ rights.

The case is the first case where the Danish Data Protection Agency has taken a decision as the lead supervisory authority under the “one-stop shop mechanism” in connection with cross-border processing of personal data.

https://www.datatilsynet.dk/tilsyn-og-afgoerelser/afgoerelser/2019/okt/id-validering-ifm-anmodninger-om-udoevelse-af-registreredes-rettigheder/

ENISA proposes Best Practices and Techniques for Pseudonymisation

The European Union Agency for Cybersecurity (ENISA) published a new report on “Pseudonymisation Techniques and Best Practices”, which explores the basic notions of pseudonymisation, as well as technical solutions that can support implementation in practice.
https://www.enisa.europa.eu/news/enisa-news/enisa-proposes-best-practices-and-techniques-for-pseudonymisation

Report:
https://www.enisa.europa.eu/publications/pseudonymisation-techniques-and-best-practices

German Data Protection Authorities propose to create GDPR-obligations for producers of software and hardware (incl. liability)

Copying the below directly from the homepage of the Data Protection Authorities of Baden-Württemberg at https://www.baden-wuerttemberg.datenschutz.de/german-data-protection-authorities-propose-to-create-gdpr-obligations-for-producers-of-software-and-hardware-incl-liability/ :

“German Data Protection Authorities #DSK suggest to strengthen the principle „Privacy by Design“ by including a new category of legally obliged parties, the „producers“. They should be hit directly with #GDPR -obligations and also face claims for damages.

https://www.linkedin.com/pulse/german-data-protection-authorities-propose-create-producers-piltz