Everywhere around us, data is being collected. Everything we do is recorded. Think of internet traffic, but also the traffic on the road, the pedometer on your phone or even the heating in the house. All these devices record a part of your daily life in data.
There are so many interesting stories hidden in those long series of numbers. Many organisations such as the municipality, but also the business community, collect data about people for certain services or product development. But is that allowed just like that? And how do they deal with all this (personal) data? Of course, the intention is not that all your data ends up out in the open. The rules on this are largely laid down in the General Data Protection Regulation (GDPR).
The new law is a comprehensive document. But what does it actually mean to you? In this article, you will read five questions and answers about it.
What is privacy and what are personal data?
Privacy is the personal freedom that distinguishes and protects ourselves and our actions, characteristics and information from others. It can be one person or a group of people, for example, a family. This is often linked to the need for people to decide for themselves with whom they share information, and so privacy is linked to freedom.
Personal data are the tangible data that are often involved when we talk about privacy. Personal data is all information about an identified or identifiable natural person. It can be information that is directly about someone or information that can be traced back to one person. There is a difference between ordinary and special personal data. Personal data are, for example, your name, date of birth and address. Special personal data are often more sensitive, think of race and religion or information about someone’s health.
What is the role of the GDPR in this?
The General Data Protection Regulation (GDPR) is the European legislation to protect personal data. It states what responsibilities governments, organisations and companies have with regard to personal data. It also states what rights citizens have with regard to their personal data. The Personal Data Authority supervises compliance with this law.
The GDPR contains six bases for the processing of personal data. An organisation may only process personal data if there is at least one basis for doing so. These bases are:
- Consent of the concerned person;
- The data processing is necessary for the execution of an agreement;
- The data processing is necessary for the fulfilment of a legal obligation;
- The data processing is necessary for the protection of vital interests;
- The processing of data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority;
- The data processing is necessary for the protection of legitimate interests.
When processing personal data, an organization is responsible for the data it processes. It must ensure that these data are processed and used properly and that they are also stored securely.
In addition to the rights and obligations of data processing organisations, citizens also have rights with regard to their personal data. For example, they have the right to inspect, correct and/or delete their personal data at a particular organisation.
Processing of personal data
Not every organization that is allowed to process personal data does so all by itself. Sometimes it is outsourced to a third party, for example, an administration office. According to the GDPR, clear agreements must be made about this in the form of a processing agreement. There are two roles when it comes to the processing of personal data: the controller and the processor. The controller is the organization that collects and may process personal data. The processor is the party that actually processes the data. A processing agreement contains the responsibilities of the controller and the tasks of the processor. Ultimately, the controller always remains responsible for the personal data and the processing thereof.
Such a processing agreement states, among other things:
- what processing is involved;
- which personal data the organisation processes in this respect;
- for what purpose the organization does this;
- how the organization does this.
To make it more concrete, we look at how a municipality like Eindhoven handles the processing of personal data. The municipality is often a source for, or helps clarify, the figures used in Innovation Origins’ reports. Mariëlle van den Bos, a data protection officer at the municipality of Eindhoven, explains how the municipality handles processing agreements. “It may be that the municipality deposits the processing with another party, but it does determine the purpose and means of such processing.” For example, the municipality has such a processing agreement with the Wij Eindhoven foundation, which provides benefits. “I don’t think the resident will notice much of this. As a municipality, we remain responsible and have laid down all the guarantees in the processing agreement.”
What are the obligations of the municipality?
“As a municipality, we have a lot to do with personal data. We have to deal with them properly and carefully,” explains Van den Bos. She is an internal supervisor and therefore has a lot to do with the external supervisor, the Personal Data Authority. The municipality keeps a register stating which personal data are processed and for what purpose. It also checks whether this basis corresponds with the requirements of the GDPR.
Van den Bos: “The processing of personal data is very broad. It can be data that the municipality gives to another person, but it can also be copying or providing data.” The municipality examines whether there is a high privacy risk associated with each processing operation. If this is the case, it performs a Privacy Impact Assessment (PIA). “In such a PIA we look at what exactly we do as a municipality and what the purpose is. It is very important to see whether we really need all the data we request for certain processing,” explains Van den Bos. “In addition, we assess the risks for those involved; for us these are often the inhabitants. If there are any, we look at measures to tackle those risks.”
How does the municipality deal with this?
The municipality is only responsible for the data that it collects itself and not for the data that are further collected in the city. “But of course we do have a responsibility towards our citizens with regard to the design of the (digital) public space”, says Olga Bondarenko, strategic advisor to the municipality of Eindhoven. “For example, we cannot force a party to report to us if they measure something in the city. But we have included in our policy that we deem privacy to be very important and that we want companies and organizations within the municipality to comply with the rules. Part of this is that we want to make the data that is collected in the city available to residents and other parties to make use of it.”
The sensor register is an example in which the municipality works together with various parties that collect data in order to make it clear to citizens where the sensors that collect data are located. In this way, citizens also know where they need to be if they want to know something about the equipment or the data they collect. Bondarenko: “Locally, we still have too few means to enforce that transparency in the public space is also increased in the digital field.” The municipality is working with the Association of Dutch Municipalities and the Ministry of the Interior to change this.
At the beginning of 2018, the Association of Dutch Municipalities (VNG) called on its members ‘to actively participate in the activities of the Smart Society knowledge network and to participate in the process of further developing the principles’. The principles of the Smart Society were set up by the municipalities of Eindhoven and Amsterdam. These four principles include the goals of digital infrastructure, the role of the government and the openness of data. This is, therefore, a starting point for municipalities. “We hope that initiatives of this kind, and perhaps even legislation, in the long run, will be rolled out further and further to ensure transparency in the field of data in the public space,” says Bondarenko.
According to Bondarenko, this is not always only about data where the privacy of residents is at risk. “It is much broader than just personal data. Because perhaps the data cannot be traced back to a person, but perhaps as a resident, you still want to know what happens to that data. The public space belongs to everyone and I think you just want to be in control as a resident.”
Still, according to her, there is another side, namely that of companies. “They can often make great use of this data, for example for event management, crowd control and security in the public space. This can also be relevant for the residents because it increases their safety on the street. So you can also ask yourself what it is like when data is collected. As long as it is handled with care, of course,” explains Bondarenko. “In addition, companies use data to innovate and develop products, so as a government we do not want to hinder innovation either. That is why I think that the inhabitants must find a balance between ‘I don’t want to be measured’ and ‘I want to live in a safe city’. That is a balance that we should discuss with each other.”
What can you do yourself?
“The government’s entire digitisation agenda is also often about awareness and knowledge. Do you know what happens to your data and can you decide for yourself?” says Bondarenko. Van den Bos adds: “A resident simply has far more rights and possibilities than he or she knows or thinks. People do have control over the data that is held by an organisation. In addition, these organisations are also becoming increasingly aware of privacy and its importance.”
According to Bondarenko, it ultimately comes down to trust. “As a citizen, you must have the confidence that your data will not be abused.” According to her, the municipality must also contribute to this: “It is an emotion. As a municipality, we can legally account for everything, but for residents, it is just a feeling. So even if you, as a municipality, meet the legal standards, you still have to talk to each other about ethics, emotion and feeling about data collection and privacy.” If everything is well organised and feels good for the residents, Bondarenko believes there are certainly opportunities and possibilities with data for the future.