public administration use of social networks - data protection implications

Public Administration use of Social Networks - Data Protection Implications

European Public Administration Network, Dublin Castle, 5 April 2013 Billy HawkesIrish Data Protection Commissioner

Social Networking….

Phoenix 6 October 2011

Social Networks (SNS)• Designed for data sharing• Nature of Relationship with User

“free” service in exchange for personal data used to target advertising

• Issues Control over sharing and use Responsibility of User and Network

Types of Social Networks• Interactive

Facebook, Google+, YouTube, blogs etc• Broadcast

Twitter etc

European DPA Guidance (WP 163)• Processing of personal data by individual users in most

cases falls within the “household exemption”• Where an organisation is involved, it is a “Data

Controller”• SNS (and Apps providers) are also “Data Controllers” in

relation to their responsibilities: Transparency about data use Privacy-friendly default settings Data access, retention, deletion Complaints facility

Facebook Terms & Conditions• If you collect content and information directly

from users, you will make it clear that you (and not Facebook) are collecting it, and you will provide notice about and obtain user consent for your use of the content and information that you collect. Regardless of how you obtain content and information from users, you are responsible for securing all necessary permissions to reuse their content and information.

Data Protection Rules(Directive 95/46/EC)

• Transparency (A. 10,11) adequate information

• Process fairly & lawfully (A.6) Consent, contract, legal

obligation, vital interests, public interest task, legitimate interests (A.7)

• Specified , explicit and legitimate purpose (A.6)

• Adequate, Relevant & not excessive (A. 6)

• Accurate, up-to-date (A.6)• Retain for no longer than is

necessary (A.6)• Right of Access (A. 12)• Data Security (A. 17)

Intl. Transfers• Right to Object (A. 14)

Marketing, Other• Restrictions on Automated

Decisions (A. 15)

New Draft EU DP Law• Directly-applicable Regulation

Accountability of Data Controller More Transparency “Right to be Forgotten” Privacy by Design

Other Legal Issues• Defamation• Intellectual Property• HR

Issues for Public Administrations• Is the SN compliant with existing data protection law?

Check with DPA• Will the SN be compliant with future, more stringent EU

Data Protection Regulation?• Is the Organisation committed to ongoing compliance

as a Data Controller? Active management

Thank You!Office of the Data Protection CommissionerCanal HouseStation RoadPortarlingtonCo LaoisPhone: LoCall 1890 252231

057 8684800Fax: 057 8684757Email: info@dataprotection.ieWebsite: www.dataprotection.ie