Building upon existing principles (e.g., the OECD Privacy Principles), it has become an important reference point for global work in this area. In terms of existing frameworks, the European Union’s (EU) 2016 General Data Protection Regulation (GDPR) is the most recent example of comprehensive regulation of data protection and privacy, setting a new threshold for international good practices. EU General Data Protection Regulation (GPDR) The sections below describe some particular data protection safeguards in relation to institutional oversight, data security, data sharing, cross-border data transfers, and user consent.īox 8. Finally, users should have certain rights over data about them, including the ability to obtain and correct erroneous data about them, and to have mechanisms to seek redress to secure these rights. In general, personal information should be lawfully obtained (usually through freely given consent) for a specific purpose, and not be used for unauthorized surveillance or profiling by governments or third parties or used for unconnected purposes without consent (unless otherwise required under the law). The processing of personal data in accordance with the above principles should be monitored by an appropriate, independent oversight authority, and by data subjects themselves. Requirements to use technologies that protect privacy (e.g., the tokenization of unique identity numbers) by eliminating or reducing the collection of personal data, preventing unnecessary or undesired processing of personal data, and facilitating compliance with data protection rules.Īccountability. With respect to transaction metadata, people can be given an option for how long such data are retained. Personal data-including transaction metadata-should not be kept longer than is necessary for the purposes for which it is collected and processed. Personal data should be accurate and up-to-date, and inaccuracies should be expediently corrected. The collection and use of personal data should be done fairly and transparently.Īccuracy. The collection and use of personal data should be done on a lawful basis, e.g., involving consent, contractual necessity, compliance with legal obligation, protection of vital interests, public interest and/or legitimate interest.įairness and transparency. ![]() This is often articulated as requiring that only the “minimum necessary” data-including transaction metadata-should be collected to fulfil the intended purpose. The data collected must be proportionate to the purpose of the ID system in order to avoid unnecessary data collection and “function creep,” both of which can create privacy risks. The collection and use of personal data should be limited to purposes: (1) which are stated in law and thus can be known (at least in theory) to the individual at the time of the data collection or (2) for which the individual has given consent. ![]() In accordance with international standards on privacy and data protection (see Box 8), these laws typically have broad provisions and principles specific to the collection, storage and use of personal information, including: Many countries have adopted general data protection and privacy laws that apply not only to the ID system, but to other government or private-sector activities that involve the processing of personal data. To begin, ID systems should be underpinned by legal frameworks that safeguard individual data, privacy, and user rights. Privacy & Security, data protection requires a holistic approach to system design that incorporates a combination of legal, administrative, and technical safeguards.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |