
WELCOME TO PUBLIC SECTOR THEATRE

WiFi: QEII Guest #Privacy | #PrivSecLDN


Opening Remarks

HELLEN BEVERIDGE
Privacy Lead, Data Oversight


Making Our Good People Great

NEIL SINCLAIR
National Cyber Lead, Police Digital Security Centre


Data Minimization in the Public Sector: Challenges and Directions

LUÍS FILIPE COELHO ANTUNES
Professor, University of Porto


Data minimization
100 YEARS. COMMITMENT TO THE FUTURE

Luís Filipe Antunes
Professor
Cybersecurity and Privacy Competence Centre
Computer Science Department
University of Porto
PrivSec London - February 2020

Data protection principles

• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality
• Accountability

Agreement study

Sample: Human resources
• Same lawfulness: legal obligation, contract
• 13 organizations
• 37 processing activities
Compared: data processed, storage period

Findings: low agreement

Compliance process:
• Records of processing activities
• Same approach
• Based on a template from the DPA

Data Processing Activities / General_Observers (number of the 13 organizations identifying each activity)

Medicine at Work: 13
Attendance and Punctuality Control: 12
Accidents at Work: 11
Individual Process: 11
Performance Evaluation: 11
Disciplinary Processes: 10
Public Health Insurance: 10
Recruitment and Selection: 10
Internship: 9
Pawns / Alimony: 9
Professional Qualification: 9
Compensation and Other Payment Processing: 8
CV Storage: 8
Professional Diseases: 7
Health Insurance: 6
Medical Certificates: 6
Staff Map: 6
Accumulation of Functions: 5
Indicators, Surveys and Statistics: 5
Unions: 5
Retirements: 4
Community Work: 3
Employment Contract: 3
Family Charge Benefits: 3
Worker Card: 3
Allowances: 2
CCD Quota: 2
Commuting: 2
Criminal Registration Certificates: 2
Meal Card: 2
Alcohol and Drug Control at Work: 1
Birthday Postcard: 1
Careers: 1
Internal Mobility: 1
Social Support: 1
Volunteering: 1
Worker Requirements: 1

Records of processing activities

• Identification
• Lawfulness of processing
• Records of data processing activities
• Usage of data / Purpose
• Storage
• Transmission
• Exercise of the right
• Audit

1. Identify the purpose of the data processing
2. Identify the participants in the data processing, their intervention and the lawfulness
3. Identify the lawfulness of this processing
4. Identify the data handled in the data processing:
   – identification data
   – contact details
   – billing data
   – family life
   – professional life
   – financial information
   – traffic and location data
   – internet browsing data
   – other categories of non-sensitive personal data
   – profiles
   – Article 9
   – Article 10
5. Identify the categories of data subjects subjected to the processing
6. Indicate the retention period for the data processing activity

Proportions of agreement

The overall agreement can be interpreted as the probability that, if an organization identifies a given processing activity, it will also be identified by another, randomly chosen, organization.

The agreement between the 13 institutions regarding the processing activities is:

56%
95% CI [0.52, 0.60]

Data processed

The overall agreement between the 13 institutions regarding the data processed in the scope of the 37 processing activities is:

67%
95% CI [0.65, 0.68]

Storage period

The agreement between the 13 institutions regarding the storage period in the scope of the 37 processing activities is:

62%
95% CI [0.60, 0.65]

And if we consider pairs of institutions?
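The probability the slides describe (an activity identified by one organization is also identified by another, randomly chosen one) becomes concrete when it is counted over ordered pairs of organizations. The Python below is an added example, not the study's code: the estimator and the normal-approximation confidence interval are assumptions of mine, the four-organization matrix is constructed, and the SLIDE_COUNTS list is the deck's own activity table. Because the deck does not state its estimator, the value this code yields for that table is not expected to equal the reported 56%. The last function answers the question asked just above by scoring each pair of institutions separately.

```python
"""Agreement between organizations on their records of processing activities.

Added example; the estimator below is one formalisation of the slides'
definition and is not the study's own code or method.
"""
from itertools import permutations
from math import sqrt

# Constructed sample (not the study's data): one row per organization, one
# column per processing activity, 1 = the organization lists that activity.
SAMPLE = {
    "org_A": [1, 1, 1, 0, 1],
    "org_B": [1, 1, 0, 0, 1],
    "org_C": [1, 0, 1, 1, 0],
    "org_D": [1, 1, 0, 0, 0],
}

# Number of organizations (of 13) identifying each of the 37 activities, taken
# from the deck's table. The deck does not state its estimator, so the value
# computed here is not expected to equal the reported 56%.
SLIDE_COUNTS = [13, 12, 11, 11, 11, 10, 10, 10, 9, 9, 9, 8, 8, 7, 6, 6, 6,
                5, 5, 5, 4, 3, 3, 3, 3, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1, 1]


def agreement_from_matrix(records):
    """Return (hits, trials): for every ordered pair (a, b) of distinct
    organizations and every activity a identifies, count one trial, and one
    hit if b identifies it too. hits/trials is the slides' probability."""
    hits = trials = 0
    for a, b in permutations(records, 2):
        for ia, ib in zip(records[a], records[b]):
            if ia:
                trials += 1
                hits += ib
    return hits, trials


def agreement_from_counts(counts, n_orgs):
    """Same statistic when only per-activity counts are known: an activity
    identified by k organizations yields k*(n-1) trials and k*(k-1) hits."""
    hits = sum(k * (k - 1) for k in counts)
    trials = sum(k * (n_orgs - 1) for k in counts)
    return hits, trials


def wald_interval(hits, trials, z=1.96):
    """Proportion with a normal-approximation 95% CI (assumed method; the
    deck's CI method is not stated). Returns (p, lower, upper)."""
    p = hits / trials
    half = z * sqrt(p * (1 - p) / trials)
    return p, max(0.0, p - half), min(1.0, p + half)


def pair_table(records):
    """Agreement for each unordered pair of organizations, i.e. the statistic
    restricted to two institutions at a time."""
    out = {}
    orgs = list(records)
    for i, a in enumerate(orgs):
        for b in orgs[i + 1:]:
            h, t = agreement_from_matrix({a: records[a], b: records[b]})
            out[(a, b)] = h / t if t else float("nan")
    return out


if __name__ == "__main__":
    h, t = agreement_from_matrix(SAMPLE)
    p, lo, hi = wald_interval(h, t)
    print(f"overall agreement {p:.0%}  95% CI [{lo:.2f}, {hi:.2f}]")
    for pair, value in sorted(pair_table(SAMPLE).items()):
        print(pair, f"{value:.0%}")
    h, t = agreement_from_counts(SLIDE_COUNTS, 13)
    print("deck table, under this estimator:", f"{h / t:.0%}")
```

The matrix form and the count form are the same estimator: an activity identified by k of n organizations contributes k(n-1) ordered pairs as trials and k(k-1) as hits, so the count form can be run on the published table without access to the per-organization records.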

Agreement study

Sample: Human resources
• Same lawfulness: legal obligation, contract
• 13 organizations
• 37 processing activities
Compared: data processed, storage period

Findings: low agreement

Compliance process: records of processing activities, same approach, based on a template from the DPA

Possible solutions:
• DPAs: explain / delimiting
• more concise laws
• create the culture of data minimization

Thank you!
LFA@fc.up.pt
COFFEE BREAK & NETWORKING OPPORTUNITY
Sessions will resume at 11:00


Handling DSARs: Best Practice

DAVE PARSONS
Information Governance Manager, Cardiff Council


HOW TO IDENTIFY AND EFFECTIVELY PROCESS A SUBJECT ACCESS REQUEST

DAVE PARSONS
INFORMATION GOVERNANCE MANAGER
CARDIFF COUNCIL

Objectives

• Identify a subject access request
• Explain how to process a request
• Identify key areas for managing compliance
• Recognise how to implement processes in your organisation
INDIVIDUAL RIGHTS

• Right to be informed: transparency in how we collect information and how we intend to use it
• Right of Access (SAR or DSAR): the right to access information held
• Right to Rectification: the right to correct information you believe is inaccurate
• Right to Erasure: the right to ask for data to be deleted; the right to be forgotten
• Right to Restrict Processing: the right to ask an organisation to stop processing your data
• Right to Data Portability: the right to enable individuals to obtain and transfer data to another DC in a structured, machine readable format
• Right to Object: the right to object to an organisation using your data
• Right to ADM: the right not to be subject to automated decision making, including profiling
Key areas for effective compliance

Recognising a request
• Written or verbal
• May not specify DSAR
• Living individual
How to process a request

• Confirm valid ID of the data subject; is the person a living individual?
• Is the request clear, and are you able to identify the data sources that may hold any relevant information?
• Acknowledge receipt of the request / request clarification
• Record all requests to monitor compliance
• Answer the request within one calendar month.


Redaction & Officer Names

When things go wrong….

Records Management

• Implemented in January 2018
• Phased 2 year approach
  – 7 years – 3 years
• Almost 19 million emails deleted


Personal Data Assets

What personal data do we process and why?
Which GDPR legal bases are we relying on?
Who owns it and where is it held?

Record of Processing Activity
Training/Raise Awareness

• Face to face
• Roadshows
• Newsletters
• E-Learning solution
• Organisation-wide communications
• Staff Briefings

Make sure staff know their responsibilities!
Implementing processes in your organisation

• Adopt clear policies and procedures
• Consider implementing a records retention schedule
• Ensure you have a Personal Data Asset Register
• Provide training to staff.

[Diagram: Information Asset Owners – Defined IAO Role & Responsibilities; Information Asset Register; Policies; Measure; Knowledge; Service Hub; Compliance]
Thank You

Questions

DAVE PARSONS
INFORMATION GOVERNANCE MANAGER
CARDIFF COUNCIL
Addressing the Emerging Issues for Public Sector Data Protection and Security

Hellen Beveridge, Privacy Lead, Data Oversight
Bebe Lees, Head of Communication, The Security Company
Dawn Monaghan, Head of IG Policy, NHSx
Dave Parsons, Information Governance Manager, Cardiff Council


LUNCH BREAK & NETWORKING OPPORTUNITY
Sessions will resume at 13:20


Estonia Case Study: E-Governance and Digitalisation

FLORIAN MARCUS
Presenter-Analyst, e-Estonia Briefing Centre


enter e-Estonia
the coolest digital society

Florian Marcus
Presenter-Analyst
e-Estonia Briefing Centre
florian.marcus@eas.ee

a modest country that extends beyond its borders
+ population: 1.3 million
+ area: 45,228 km2
+ ICT sector employees: 5.9% of workforce

essential
Best secret weapons.
+ internet is a social right
+ every Estonian resident has an electronic ID
+ 99% of services are online

electronic ID
The strongest identity.
+ every Estonian has an electronic ID
+ eIDAS assurance level "high"
+ 17% of mobile-ID
+ 34% of smart-ID
+ e-Residency

elaborated
Clear and honest principles.
+ once-only
+ digital by default
+ trust-by-design

exchange
The busiest highway of e-Estonia – X-Road, from 2001.
+ saving 844 years annually
+ over 450 institutions and enterprises
+ 150 public sector institutions
+ over 3000 different services
+ over 900 million transactions per year
+ technology exported to Finland, Iceland, Faroe Islands, Ukraine and other countries

proactive government
TARGET: 7 LIVE BY YEAR 2020
Action plan for life-event service design:
name change (incl. marriage), change of residence, retirement, death (succession), building houses, disability, driving licence, buying a car, childbirth, start of school, school change, unemployment & job search, crime victim, military service, starting a business

let's build the future together!
e-Estonia
e-estonia@eas.ee
The Future of Digitalisation in the Public Sector

Hellen Beveridge, Privacy Lead, Data Oversight
Florian Marcus, Presenter-Analyst, e-Estonia Briefing Centre
Luís Filipe Antunes, Professor, University of Porto
Joe Dignan, Founder, Kintechi


COFFEE BREAK & NETWORKING OPPORTUNITY
Sessions will resume at 15:00


Facial Recognition and Data Privacy

ROWENNA FIELDING
Head of Individuals' Rights and Ethics, Protecture


DATA PROTECTION SUPPORT

Meeting all your data protection and privacy needs

Facial Recognition and privacy
Rowenna Fielding | Head of Individuals' Rights & Ethics

www.protecture.org.uk

who does that face belong to?
what sort of person has this type of face?
what's going on in this person's mind?

facial recognition: a new radium rush

THINK: rights, freedoms
DO: DPIA (properly)!
CHECK: your privilege

• necessary, proportionate, legitimate,
• fair, lawful & transparent
• accurate, adequate, only relevant data
• minimum amount of retention necessary
• appropriately secure

....demonstrably, with evidence

questions?

www.protecture.org.uk
help@protecture.org.uk
@ProtectureDPO
Climate Change, Data Deltas and Digital Twins

JOE DIGNAN
Founder, Kintechi


Climate Change, Data Deltas and Digital Twins
Joe Dignan
@_joedignan

Climate Change needs Smarter Cities

Only 29% of the world is land; cities currently occupy 3% of that, representing 0.9% of the earth's surface. Buildings occupy between 70% and 80% of every city, and we spend 87% of our life in them. Buildings, a tiny percentage of the planet, consume 75% of world electricity and 40% of global energy, are responsible for 40% of total GHG emissions, consume 25% of the global water supply and generate 40% of total solid waste.

"If technology is the answer, what was the question?"
Cedric Price, Architect

A Data Trust Model is a Data Governance Mechanism that will lead to the Development of Data Deltas and Data Exchanges

A Digital Twin is an exact virtual representation of a physical object. It's created by connecting large amounts of data, including real-time information, to a 3D virtual model replica of a physical asset.

New RoI Models

Analysis performed by the Stockholm Environmental Institute for the Coalition for Urban Transitions' recent report Climate Emergency, Urban Opportunity found that a bundle of 16 low-carbon investments and measures in cities across the transport, buildings, materials and waste sectors could cut global urban emissions by 90% by 2050 and has a present value of almost $24 trillion, equivalent to nearly one-third of the 2018 global GDP.
Source: Vivid Economics for the Coalition for Urban Transitions, 2019
World Bank Blog: Leah Lazer, Naina Khandelwal, Jake Wellman | January 30, 2020

How do you do it
• Create an innovation group that can deal with wicked problems
• Show through 'use cases' what people would do differently if the investment was made
• Measure the difference so you can prove the ROI
• Reinvest the ROI in solving other wicked problems

Top ten traits of successful smart communities
1. Find a focused maverick
2. Create a dedicated team
3. Follow the Money
4. Benchmark what you have
5. Create the underlying infrastructure
6. Build a sense of common purpose
7. Find a reason to be part of the future
8. Leverage the private sector
9. Do something
10. Measure the difference

Stay in touch

Joe Dignan
@_joedignan or LinkedIn
Closing Remarks

HELLEN BEVERIDGE
Privacy Lead, Data Oversight

Drinks reception sponsored by OneTrust and DPOrganizer will now be held in the main Exhibition Hall.