An Ontology based Framework for E-Government Regulatory Requirements Compliance

2019 ◽  
Vol 11 (2) ◽  
pp. 22-42 ◽  
Author(s):  
M. Mahmudul Hasan ◽  
Dimosthenis Anagnostopoulos ◽  
George Kousiouris ◽  
Teta Stamati ◽  
Peri Loucopoulos ◽  
...  
Keyword(s):  
Personal Data ◽  
Service Development ◽  
Government Service ◽  
Regulatory Requirements ◽  
Regulatory Requirement ◽  
General Data Protection Regulation ◽  
The Public ◽  
Enormous Amount ◽  
General Data ◽  
Government Legislation

E-Government has gained an enormous amount of attention by researchers and practitioners interested in digitizing the public sector through enacting policies and regulations. Compliance of regulatory requirements from these policies and regulations is an important requirement in e-Government service development projects. However, the concepts of regulatory requirements compliance are still scattered around in developing e-Government services. This article presents an e-Government regulatory requirement compliance (eGRRC) ontology framework that describes the interrelated concepts of regulatory requirements compliance in e-Government service development. The proposed eGRRC ontology is then applied on the recently introduced general data protection regulation (GDPR) for personal data processing across European Union (EU) countries, in order to indicate how the concepts can be mapped to the defined entities. The contribution of this article is on introducing a framework for researchers and practitioners to explore regulatory requirements compliance and their interrelationships in e-Government service development. Furthermore, e-Government legislation can accordingly be modeled using on the eGRRC ontology, that serves as basis for queries to infer knowledge about the source of regulatory requirements, objectives of the regulation, various types of requirements, the services affected, orientation of regulatory rules in requirements, priorities, and amendments of regulations in e-Government service development.

scholarly journals La responsabilidad proactiva de las Administraciones Públicas en la protección de datos personales.

2020 ◽  
pp. 138-153
Author(s):  
Aritz ROMEO RUIZ
Keyword(s):  
Public Administration ◽  
Data Protection ◽  
Main Idea ◽  
Personal Data ◽  
Practical Implementation ◽  
Organizational Changes ◽  
General Data Protection Regulation ◽  
The Public ◽  
General Terms ◽  
General Data

Laburpena: Lan honen helburua da administrazio publikoak datu pertsonalen tratamenduan duen erantzukizun proaktiboaren printzipioaren analisia eskaintzea, eta ikuspegi juridikoa ematea praktikan errazago aplikatzeko. Lana lau ataletan egituratuta dago. Lehenengoan, datu pertsonalen babesa arautzen duen esparru berriaren aurkezpen orokorra egiten da; hau da, Datuak Babesteko Erregelamendu Orokorrak (EB) ezartzen duen araudi berria aurkezten da. Bigarren atala erantzukizun proaktiboari buruzkoa da, administrazio publikoek datu pertsonalak tratatzeko oinarrizko printzipio gisa. Hirugarrenak proposatzen ditu administrazio publikoek praktikan erantzukizun proaktiboaren printzipioa betetzeko kontuan har ditzaketen hainbat neurri. Azkenik, laugarren atalak gogoeta egiten du antolamendu-aldaketak egiteko beharrari buruz, Erregelamendu Orokorraren printzipioak betetzen dituztela ziurtatzeko eta herritarrek eskubideak balia ditzaten ziurtatzeko; horrez gain, aipamen berezia egiten dio datuak babesteko ordezkariaren figurari. Ondorioztatzen den ideia nagusia da garrantzitsua dela administrazio publikoek datuak babesteko politika bat diseinatzea, lehenetsita aplikatuko dena, eta ez bakarrik erantzukizun politikoak dituztenei, baizik eta sektore publikoan lan egiten duten pertsona guztiei eragingo diena. Resumen: El presente trabajo tiene como objetivo ofrecer un análisis del principio de responsabilidad proactiva en el tratamiento de datos personales por parte de la administración pública, y pretende aportar una visión jurídica para facilitar su aplicación en la práctica. El trabajo está estructurado en cuatro apartados. En el primero de ellos se presenta, en términos generales, el nuevo marco regulador de la protección de datos personales, que es consecuencia del Reglamento (UE) General de Protección de Datos. El segundo apartado está dedicado a la responsabilidad proactiva como principio básico del tratamiento de datos personales por las administraciones públicas. El tercero propone una serie de medidas que las administraciones públicas pueden tener en cuenta para cumplir con el principio de responsabilidad proactiva en la práctica. Finalmente, el apartado cuarto aporta una reflexión sobre la necesidad de introducir cambios organizacionales para asegurar el cumplimiento de los principios del Reglamento General de Protección de datos y del ejercicio de derechos por la ciudadanía, con una especial mención a la figura del delegado o delegada de protección de datos. La principal idea que se concluye es la importancia de que las administraciones públicas diseñen una política de protección de datos que se aplique por defecto, e implique, no sólo a quienes ejercen responsabilidades políticas, sino a todas las personas que trabajan en el sector público. Abstract: The present work aims to offer an analysis of the principle of proactive responsibility in the treatment of personal data by the public administration, and aims to provide a legal vision to facilitate its practical implementation. The work is structured in four sections. The first of these presents, in general terms, the new regulatory framework for the protection of personal data, which is a consequence of the General Data Protection Regulation (EU). The second section is dedicated to proactive responsibility as a basic principle of the processing of personal data by public administrations. The third proposes a series of measures that public administrations can take into account to comply with the principle of proactive responsibility in practice. Finally, the fourth section provides a reflection on the need to introduce organizational changes to ensure compliance with the principles of the General Data Protection Regulation and the exercise of rights by citizens, with special reference to the figure of the Data Protection Officer. The main idea that is concluded is the importance for public administrations to design a data protection policy that is applied by default, and involves not only those who exercise political responsibilities, but also all those who work in the public sector.

USE OF PASSENGER LOCATION CARDS IN THE ERA OF THE COVID-19 PANDEMIC, AND THE PROCESSING OF PERSONAL DATA OF AIR PASSENGERS

2021 ◽  
Vol 57 ◽  
pp. 2-2
Author(s):  
Katarzyna Biczysko-Pudełko
Keyword(s):  
Personal Data ◽  
The State ◽  
General Data Protection Regulation ◽  
The Public ◽  
General Data ◽  
The Subject ◽  
The Republic ◽  
Questionnaire Method ◽  
General Regulation

Purpose. The aim of the article is to analyse the processing of personal data of air passengers during the SARS-CoV-2 pandemic in the context of doubts that have arisen in connection with the need for these passengers to provide their personal data as part of filling out the Passenger Location Card questionnaire. Method. The research method used in this study is case study. Findings. In the study, it was showed that firstly, the data of air passengers processed in relation to the application of the Passenger Location Card by the State Border Sanitary Inspectorate in Warsaw should be protected under the provisions of the General Regulation on the protection of personal data. Furthermore, their controller, i.e. the State Border Sanitary Inspectorate in Warsaw, did not fulfil its obligations in this regard. This, in effect, justifies the conclusion that the processing process not in accordance with the law on the protection of personal data. Research and conclusions limitations. The analysis concerned only passengers of aircrafts arriving and/or departing from airports located on the territory of the Republic of Poland. Practical implications. The analysis carried out in this study may provide a solution to the issues that have arisen in the public sector with regard to the processing of personal data collected from air passengers on the basis of the Passenger Location Card questionnaire and thus, the conclusions may prove useful for data controllers who should be aware of such problems, but also for air travellers as data subjects who should be protected by the General Data Protection Regulation and their rights in this regard. Originality. This analysis, if only for the reason that it is an analysis of a problem that has come to light relatively recently (March 2020), has so far, only been the subject of consideration in press articles.

scholarly journals The “A” of FAIR – As Open as Possible, as Closed as Necessary

2020 ◽  
Vol 2 (1-2) ◽  
pp. 47-55 ◽  
Author(s):  
Annalisa Landi ◽  
Mark Thompson ◽  
Viviana Giannuzzi ◽  
Fedele Bonifazi ◽  
Ignasi Labastida ◽  
...  
Keyword(s):  
Data Sharing ◽  
Data Protection ◽  
Personal Data ◽  
Health Data ◽  
Privacy Rights ◽  
Regulatory Requirements ◽  
Data Set ◽  
General Data Protection Regulation ◽  
Digital Era ◽  
General Data

In order to provide responsible access to health data by reconciling benefits of data sharing with privacy rights and ethical and regulatory requirements, Findable, Accessible, Interoperable and Reusable (FAIR) metadata should be developed. According to the H2020 Program Guidelines on FAIR Data, data should be “as open as possible and as closed as necessary”, “open” in order to foster the reusability and to accelerate research, but at the same time they should be “closed” to safeguard the privacy of the subjects. Additional provisions on the protection of natural persons with regard to the processing of personal data have been endorsed by the European General Data Protection Regulation (GDPR), Reg (EU) 2016/679, that came into force in May 2018. This work aims to solve accessibility problems related to the protection of personal data in the digital era and to achieve a responsible access to and responsible use of health data. We strongly suggest associating each data set with FAIR metadata describing both the type of data collected and the accessibility conditions by considering data protection obligations and ethical and regulatory requirements. Finally, an existing FAIR infrastructure component has been used as an example to explain how FAIR metadata could facilitate data sharing while ensuring protection of individuals.

scholarly journals Designing a Distributed Ledger Technology System for Interoperable and General Data Protection Regulation–Compliant Health Data Exchange: A Use Case in Blood Glucose Data (Preprint)

2019 ◽  
Author(s):  
David Hawig ◽  
Chao Zhou ◽  
Sebastian Fuhrhop ◽  
Andre S Fialho ◽  
Navin Ramachandran
Keyword(s):  
Blood Glucose ◽  
Data Privacy ◽  
Data Exchange ◽  
Personal Data ◽  
Use Case ◽  
Concept System ◽  
General Data Protection Regulation ◽  
The Public ◽  
Distributed Ledger ◽  
General Data

BACKGROUND Distributed ledger technology (DLT) holds great potential to improve health information exchange. However, the immutable and transparent character of this technology may conflict with data privacy regulations and data processing best practices. OBJECTIVE The aim of this paper is to develop a proof-of-concept system for immutable, interoperable, and General Data Protection Regulation (GDPR)–compliant exchange of blood glucose data. METHODS Given that there is no ideal design for a DLT-based patient-provider data exchange solution, we proposed two different variations for our proof-of-concept system. One design was based purely on the public IOTA distributed ledger (a directed acyclic graph-based DLT) and the second used the same public IOTA ledger in combination with a private InterPlanetary File System (IPFS) cluster. Both designs were assessed according to (1) data reversal risk, (2) data linkability risks, (3) processing time, (4) file size compatibility, and (5) overall system complexity. RESULTS The public IOTA design slightly increased the risk of personal data linkability, had an overall low processing time (requiring mean 6.1, SD 1.9 seconds to upload one blood glucose data sample into the DLT), and was relatively simple to implement. The combination of the public IOTA with a private IPFS cluster minimized both reversal and linkability risks, allowed for the exchange of large files (3 months of blood glucose data were uploaded into the DLT in mean 38.1, SD 13.4 seconds), but involved a relatively higher setup complexity. CONCLUSIONS For the specific use case of blood glucose explored in this study, both designs presented a suitable performance in enabling the interoperable exchange of data between patients and providers. Additionally, both systems were designed considering the latest guidelines on personal data processing, thereby maximizing the alignment with recent GDPR requirements. For future works, these results suggest that the conflict between DLT and data privacy regulations can be addressed if careful considerations are made regarding the use case and the design of the data exchange system.

scholarly journals COVID-19 Research: Navigating the European General Data Protection Regulation (Preprint)

2020 ◽  
Author(s):  
Regina Becker ◽  
Adrian Thorogood ◽  
Johan Ordish ◽  
Michael J.S. Beauvais
Keyword(s):  
Public Interest ◽  
Data Protection ◽  
Personal Data ◽  
Individual Member ◽  
Sensitive Data ◽  
General Data Protection Regulation ◽  
The Public ◽  
General Data ◽  
High Standards ◽  
National Legislatures

UNSTRUCTURED Researchers must collaborate globally to rapidly respond to the COVID-19 pandemic. In Europe, the General Data Protection Regulation (GDPR) regulates the processing of personal data, including health data of value to researchers. Even during a pandemic, research still requires a legal basis for the processing of sensitive data, additional justification for its processing, and a basis for any transfer of data outside Europe. The GDPR does provide legal grounds and derogations that can support research addressing a pandemic, if the data processing activities are proportionate to the aim pursued and accompanied by suitable safeguards. During a pandemic, a public interest basis may be more promising for research than a consent basis, given the high standards set out in the GDPR. However, the GDPR leaves many aspects of the public interest basis to be determined by individual Member States, which have not fully or uniformly made use of all options. The consequence is an inconsistent legal patchwork that displays insufficient clarity and impedes joint approaches. The COVID-19 experience provides lessons for national legislatures. Responsiveness to pandemics requires clear and harmonized laws that consider the related practical challenges and support collaborative global research in the public interest.

scholarly journals Biobank and Biomedical Research: Responsibilities of Controllers and Processors Under the EU General Data Protection Regulation

2021 ◽  
pp. 61-89
Author(s):  
Ana Nordberg
Keyword(s):  
Biomedical Research ◽  
Public Interest ◽  
Data Protection ◽  
Personal Data ◽  
Historical Research ◽  
General Data Protection Regulation ◽  
The Public ◽  
General Data ◽  
The Eu

AbstractBiobanks are essential infrastructures in current health and biomedical research. Advanced scientific research increasingly relies on processing and correlating large amounts of genetic, clinical and behavioural data. These data are particularly sensitive in nature and the risk of privacy invasion and misuse is high. The EU General Data Protection Regulation (GDPR) developed and increased harmonisation, resulting in a framework in which the specific duties and obligations of entities processing personal data—controllers and processors—were defined. Biobanks, in the exercise of their functions, assume the role of controllers and/or processors and as such need to comply with a number of complex rules. This chapter analyses these rules in the light of Article 89 GDPR, which creates safeguards and derogations relating to ‘processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes’. It identifies key compliance challenges faced by biobanks as data controllers and processors, such as determining whether the GDPR is applicable and its intersection with other regulations; when a biobank should be considered controller and processor; and what are the main duties of biobanks as data controllers and processors and options for compliance.

scholarly journals COVID-19 Research: Navigating the European General Data Protection Regulation

10.2196/19799 ◽  
2020 ◽  
Vol 22 (8) ◽  
pp. e19799 ◽  
Author(s):  
Regina Becker ◽  
Adrian Thorogood ◽  
Johan Ordish ◽  
Michael J.S. Beauvais
Keyword(s):  
Public Interest ◽  
Data Protection ◽  
Personal Data ◽  
Individual Member ◽  
Sensitive Data ◽  
General Data Protection Regulation ◽  
The Public ◽  
General Data ◽  
High Standards ◽  
National Legislatures

Researchers must collaborate globally to rapidly respond to the COVID-19 pandemic. In Europe, the General Data Protection Regulation (GDPR) regulates the processing of personal data, including health data of value to researchers. Even during a pandemic, research still requires a legal basis for the processing of sensitive data, additional justification for its processing, and a basis for any transfer of data outside Europe. The GDPR does provide legal grounds and derogations that can support research addressing a pandemic, if the data processing activities are proportionate to the aim pursued and accompanied by suitable safeguards. During a pandemic, a public interest basis may be more promising for research than a consent basis, given the high standards set out in the GDPR. However, the GDPR leaves many aspects of the public interest basis to be determined by individual Member States, which have not fully or uniformly made use of all options. The consequence is an inconsistent legal patchwork that displays insufficient clarity and impedes joint approaches. The COVID-19 experience provides lessons for national legislatures. Responsiveness to pandemics requires clear and harmonized laws that consider the related practical challenges and support collaborative global research in the public interest.

The Risk-Based Approach to Data Protection

2020 ◽  
Author(s):  
Raphaël Gellert
Keyword(s):  
Risk Management ◽  
Data Protection ◽  
Personal Data ◽  
Management Tools ◽  
General Data Protection Regulation ◽  
Regulation Theory ◽  
Régulation Theory ◽  
General Data ◽  
Data Protection Law ◽  
The Way

The main goal of this book is to provide an understanding of what is commonly referred to as “the risk-based approach to data protection”. An expression that came to the fore during the overhaul process of the EU’s General Data Protection Regulation (GDPR)—even though it can also be found in other statutes under different acceptations. At its core it consists in endowing the regulated organisation that process personal data with increased responsibility for complying with data protection mandates. Such increased compliance duties are performed through risk management tools. It addresses this topic from various perspectives. In framing the risk-based approach as the latest model of a series of regulation models, the book provides an analysis of data protection law from the perspective of regulation theory as well as risk and risk management literatures, and their mutual interlinkages. Further, it provides an overview of the policy developments that led to the adoption of such an approach, which it discusses in the light of regulation theory. It also includes various discussions pertaining to the risk-based approach’s scope and meaning, to the way it has been uptaken in statutes including key provisions such as accountability and data protection impact assessments, or to its potential and limitations. Finally, it analyses how the risk-based approach can be implemented in practice by providing technical analyses of various data protection risk management methodologies.

scholarly journals Application of Blockchain in Education: GDPR-Compliant and Scalable Certification and Verification of Academic Information

2021 ◽  
Vol 11 (10) ◽  
pp. 4537
Author(s):  
Christian Delgado-von-Eitzen ◽  
Luis Anido-Rifón ◽  
Manuel J. Fernández-Iglesias
Keyword(s):  
Data Protection ◽  
Personal Data ◽  
General Data Protection Regulation ◽  
Certification System ◽  
Proposed Model ◽  
Different Types ◽  
International Regulations ◽  
Innovative Solution ◽  
General Data ◽  
Academic Information

Blockchain technologies are awakening in recent years the interest of different actors in various sectors and, among them, the education field, which is studying the application of these technologies to improve information traceability, accountability, and integrity, while guaranteeing its privacy, transparency, robustness, trustworthiness, and authenticity. Different interesting proposals and projects were launched and are currently being developed. Nevertheless, there are still issues not adequately addressed, such as scalability, privacy, and compliance with international regulations such as the General Data Protection Regulation in Europe. This paper analyzes the application of blockchain technologies and related challenges to issue and verify educational data and proposes an innovative solution to tackle them. The proposed model supports the issuance, storage, and verification of different types of academic information, both formal and informal, and complies with applicable regulations, protecting the privacy of users’ personal data. This proposal also addresses the scalability challenges and paves the way for a global academic certification system.

scholarly journals Algorithms that remember: model inversion attacks and data protection law

2018 ◽  
Vol 376 (2133) ◽  
pp. 20180083 ◽  
Author(s):  
Michael Veale ◽  
Reuben Binns ◽  
Lilian Edwards
Keyword(s):  
Data Protection ◽  
Personal Data ◽  
Training Data ◽  
Theme Issue ◽  
Future Directions ◽  
Model Inversion ◽  
General Data Protection Regulation ◽  
General Data ◽  
Inference Attacks ◽  
Use Of Models

Many individuals are concerned about the governance of machine learning systems and the prevention of algorithmic harms. The EU's recent General Data Protection Regulation (GDPR) has been seen as a core tool for achieving better governance of this area. While the GDPR does apply to the use of models in some limited situations, most of its provisions relate to the governance of personal data, while models have traditionally been seen as intellectual property. We present recent work from the information security literature around ‘model inversion’ and ‘membership inference’ attacks, which indicates that the process of turning training data into machine-learned systems is not one way, and demonstrate how this could lead some models to be legally classified as personal data. Taking this as a probing experiment, we explore the different rights and obligations this would trigger and their utility, and posit future directions for algorithmic governance and regulation. This article is part of the theme issue ‘Governing artificial intelligence: ethical, legal, and technical opportunities and challenges’.

Sign in / Sign up

Export Citation Format

Share Document