In my previous post I suggested that Technology was viewed in the Directive as pure means, a perfectly controlled instrument. It is worth noting that the document published by the Commission outlining the responses to the Review of the Directive commits itself to this view (see the link on Clare Walker’s post). Actually what it says is that the Directive is neutral as to the technology (which could mean no preferences), but actually means, I think, that the technology is passive and reflective. But we know, even on the most obvious level, that this neutrality is questionable, given the history of large scale and disastrous IT programmes. I suppose you could say, in return, that in principle the technology can be made to reflect user requirements, it’s just difficult to make it happen. The solutions are provided by the technical expert. We also know that the new technologies are creating novel situations … Continue Reading ››
Irish political party, Fine Gael, has hit the headlines in Ireland recently due to a series of data protection incidents. In anticipation of Ireland’s imminent election, likely to be held in March, Fine Gael embarked on what it is terming “the biggest consultation exercise to date with the Irish electorate”. Fine Gael shut down its primary website, replacing it with a single page site containing its party leader’s video message inviting “complaints, ideas and proposals”. The purpose behind the website was to try and replicate, in an Irish context, the online political engagement and resultant momentum which propelled Barack Obama to power. With nearly 1,000 responses in its first day live, the site started strongly, although by the later part of last week, concerns had been raised regarding data protection and privacy issues. In particular, the Office of the Data Protection Commissioner (‘ODPC’) was notified that the website did not have a … Continue Reading ››
As of 1 November 2010 the Swedish Data Inspection Board (“Board”) has issued a regulation for whistleblowing. The new regulation takes away some of the formalities for companies which are about to launch whistleblowing schemes in Sweden. The Swedish Data Protection Act (“Act”) prohibits other parties than public authorities to process personal data concerning legal offences. Since whistleblowing schemes may involve the processing of such personal data, companies wanting to implement whistleblowing schemes in Sweden have, in the past, been obliged to procure a formal exemption from the Board. With the new regulation this is no longer necessary (as long as the company complies with the regulation). Basically, the regulation codifies the Board’s view as it has been expressed in its past decisions. In essence this means that a whistleblowing scheme may be implemented provided that:

Even though a specific code of conduct and a structured process apply to clinical trials, there are lacking dedicated, specific regulations on protecting the personal data obtained in such trials.

 As a result, the processing of patient personal data is subject to general regulation in Poland, which is the Personal Data Protection Act of 29 August 1997, “PDPA”, which Act implemented Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995.

The PDPA implies that a sponsor of clinical trials be a data controller, as the sponsor decides on, cumulatively, (i) purposes of personal data processing, and (ii) techniques/mode of personal data processing. The requirement is confirmed in ongoing legislative work.

A sponsor, however, usually does not actually have the personal data of participants in trials, which is caused by how trials are in practice organized. Firstly, sponsors outsource trials to … Continue Reading ››

Posted on behalf of our new Brussels blogger Sebastien Lardinoit: Belgium and the US have recently reached an agreement on the exchange of fingerprint, DNA and other biometric information. The Belgian Minister of Internal Affairs Ms Turtelboom announced the news during the course of her visit to Washington at the occasion of the EU-America summit of December 2010. Reaching an agreement on such a sensitive issue was onerous and involved almost two years of negotiations. Initially there were many reservations from the Belgian Privacy Commission ("BPC"). The BPC expressed its concerns in its advice of 24 November 2010 on the US draft agreement on enhancing cooperation in Preventing and Combating Serious Crime ("PCSC") (advice available in French and Dutch on The BPC (amongst others)were concerned over the lack of clarity with respect to the circumstances in which fingerprints, DNA data and related data may be used and/or exchanged, however the US were … Continue Reading ››
The recent Opinion on applicable law  published by the Article 29 Working Party will be of interest to anyone pondering data protection issues relating to cloud computing, to EU multi nationals and to non EU businesses whose activities may trigger EU data protection obligations. This Datonomist freely admits that the 34 page opinion (complete with flowcharts) is not her idea of Friday afternoon reading, but is encouraged by the inclusion of a numbers of topical examples which illustrate the Working Party's practical analysis of the applicable law provisions of Directive 95/46. These include cloud computing, geo location and social media scenarios. The Opinion serves two purposes.  The first is to clarify the application of the applicable law rules (Article 4 on applicable law; Article 17 (3)which is relevant to security and data processors, and Article 28 which deals with the powers of national enforcement authorities) – and by "clarify" the WP … Continue Reading ››
Employees are valuable assets to employers, as are employees’ photographs. Companies often use pictures to identify their employees on entry cards or the intranet, and publish them in their marketing materials and on the Internet. Conditions of such use are often discussed due to some questions connected with the applicable privacy laws. With the aim of clarifying these issues, the Czech Office for the Protection of Personal Data expressed its views (Practical Issues Series No 3/2010) on a question regarding when and under what conditions employers can use photographs of their employees. Many employers were unsure about how to handle employee photographs, because they contain or may contain biometric data and thus allow the direct identification of individuals. They can also show a person’s racial or ethnic origin and, in certain cases, even reveal his or her religious affiliation. In all these cases, a photograph can be a source of sensitive … Continue Reading ››