PREPARING FOR THE GDPR AT THE UNIVERSITY OF HELSINKI

Transcription

1 PREPARING FOR THE GDPR AT THE UNIVERSITY OF HELSINKI Jarkko Reittu Data Protection Officer and Legal Counsel University of Helsinki, Administrative Services 1

2 MY BACKGROUND JARKKO REITTU Master s degree in physics (2005) and law (2013), bar examination (2015) Senior DSP SW Specialist at Nokia Networks ( ) R&D work with 2G/3G/4G Radio Network Controller (RNC), Media Gateway (MGW) and Base Station I-HSPA Also integrating and testing network security protocols e.g. IPsec, IKE and SSH to embedded systems Testing mobile network data security Legal counsel at university s research services since 2013 IPR law, contract law and competition law Designated Data Protection Officer since 5/2016 2

3 GOAL: DOCUMENTED DATA PROTECTION COMPLIANCE = ACCOUNTABILITY WHAT UH IS GOING TO DO TO REACH THE GOAL? 1. Analyze the legal framework 2. Analyze the personal data processing activities 3. Identify and document privacy risks, including risks in agreements 4. Create and update necessary Data Protection Rules, Policies and Processes 5. Create the General Data Processing Agreement 6. Provide necessary infrastructure and services for the researchers and other employees 7. Create Communication Plans and Communicate 8. Create Data Protection and Data Security Training for employees 9. Handle Data Security and Data Breach Notification in 72 hours 10. Monitor compliance with the GDPR continuously 11. Report regularly to the University s Management 3

4 ANALYZE THE LEGAL FRAMEWORK It is not just about the GDPR National regulation: Personal Data Act, Act on the Openness of Government Activities, Act on the Status and Rights of Patients, Biobank Act, Medical Research Act, Universities Act, etc. etc. Other EU regulation: e.g. epd COM(2017) 10, DPD (680/2016), Privacy Shield COM(2016)4176 Challenge: The GDPR interpretation is unclear in some aspects Waiting for the WP29 Guidelines e.g. regarding the Extent of Consent in the Scientific Research as this may have a major impact to research done with sensitive patient data and biobank research Waiting for guidance from Finnish Data Protection officials e.g. regarding the 72 hours Data Breach reporting obligation Waiting for national derogations to the GDPR Articles 15 (Right to Access Data), 16 (Right to rectification), 18 (Right to restriction of processing) and 21 (Right to object) concerning Scientific Research as stated in the Article 89 UH cooperates with Ministry of Justice, Ministry of Education and Culture and Ministry of Finance National legislation work is done in pieces; How to ensure that national data protection legislation stays coherent? 4

5 ANALYZE THE PERSONAL DATA PROCESSING ACTIVITIES AND IDENTIFY RISKS It is estimated, that there are thousands separate activities where personal data is processed. Therefore automated self-service process is needed that meets following requirements: 1. Data mapping: collect basic information to identify processing activities 2. Analyze and check the compliance of processing activities 3. Maintain a record of processing operations under university s responsibility UH is researching different options Tools for the IT services already in use, part of IT portfolio management Challenge: Gathering info from all data processing activities done in research How to commit all researchers? Is university or researcher the controller? Who is responsible in the court? One Solution: a web based application that it is integrated to the general research contract management process 5

6 THE RESEARCH CONTRACT MANAGEMENT PROCESS AND DATA PROTECTION Question: Where shall authorities focus their limited resources? 1. To the universities that does not appointed the DPO 2. To the projects and activities that are not approved by university s DPO 1. Finnish universities are jointly creating a self-regulation instrument for privacy, similar to Ethics self-assessment done in the Horizon 2020 Programme 2. UH has started a lean project for the Research Contract Management Process that shall cover also data protection Initial screening shall be done by researchers themselves. Cases shall be directed to DPO and other legal counsels only when needed Documented DPO s approval Records shall be maintained by the person responsible for the data processing activity Head of units (signatories) shall get a contract cover note that gives a green/red light for all relevant legal aspects, including data protection and data security 6

7 IDENTIFY AND DOCUMENT PRIVACY RISKS University of Helsinki has started a evaluation pilot project where UH shall assess the data protection risks at the Institute for Molecule Medicine Finland (FIMM, part of UH), because FIMM is considered to be high risk unit due the nature data processed Data Protection Impact Assessment pilot is done in the 2 day workshop facilitated by a private company Report and follow up in the SaaS based tool Based on the experience gathered from pilot, PIAs shall be extended to the all units in the university Our goal: a documented overview of all data protection risks in the university UH shall take necessary actions based on risk evaluation as data protection is never ending job! 7

8 CREATE GENERAL DATA PROCESSING AGREEMENT (DPA) Obligation for a [written] agreement is stated in the GDPR Article 28 (3): Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. Covers both data protection and data security requirements set in GDPR Can be included as appendix to agreements Application may be challenging with big players like Microsoft or Google, but their model agreements should cover data protection issues in the satisfactory level. First draft of the data processing agreement is ready and applied 8

9 CREATE RULES, POLICIES AND PROCESSES FOR DATA PROTECTION Existing Policies and Rules covers mainly the Data Security Information Security Policy Acceptable use policy for University of Helsinki (IT Services) Research Data Policy Research Ethics Research Data Management Guide Data Protection Policies and Rules Code of Conduct concerning Data Protection in the Education is ready and almost approved by data protection authority Code of Conduct concerning Data Protection in Research is done together with Aalto University Data Protection shall be part of new Research Contract Management Process Close cooperation with other Finnish universities and data protection authority 9

10 CREATE DATA PROTECTION AND DATA SECURITY TRAINING FOR EMPLOYEES Data Protection and Security is whole organization s issue: everybody must understand the purpose behind the data protection legislation and why privacy is important University of Helsinki has created a web based training module that covers basics in data protection and data security In first phase, the training module shall be mandatory for all administrative personnel Later the training will be introduced to researchers and other personnel There has been discussion, that data protection should be included to the student s basic education, at least on the PhD level, as data management is researcher s basic skill. Data Security is already covered in the ICT Driving License course that is mandatory for all students 10

11 HANDLE DATA SECURITY AND 72 HOUR DATA BREACH NOTIFICATION PROCESS Data Security Team is mainly responsible for University s Data Security 72 hour Data Breach Notification requirement as stated in GDPR Article 33 Data Security Team is responsible for implementing notification process Open issues What supervisory authority expects to be notified How notification shall be done Waiting for guidance from supervisory authority 11

12 MONITOR COMPLIANCE WITH THE GDPR Privacy risks and data processes shall be monitored actively Regular meetings with data security team, data management planning team, legal counsels, research funding advisors, library etc. Close cooperation with other DPOs, Helsinki University Central Hospital, supervisory authorities and government bodies Regular reporting directly to director of administration Tools for following privacy issues and reporting Producing yearly privacy statements for the university Management 12

13 QUESTIONS? 13