Work Package 5: Legal Issues: Privacy and Data Protection (PRIVACY)
RESPONSIBLE: Ugo Pagallo.
WP5 deals with the principles relating to the protection of personal data at stake in making Public Sector Information (PSI) accessible and reusable. This very protection, in fact, is required by the same PSI-related norms (e.g., art. 1 (4) of D-2003/98/EC) and should be interpreted in the light of a preliminary distinction.
On one hand, the need to map local public sector information as existing PSI repositories, archives, databases, etc., ought to reconcile the requirements of scientific research with the individual’s fundamental rights and freedoms as in the case of the right to personal data protection.
On the other hand, in making PSI accessible and reusable, any activity – even that with potentially high added value – must proceed in accordance with the protection of people’s privacy. Efficiency gains that could be created by the reuse of PSI cannot trump data protection rights.
Therefore, all information provided under PSI must take into account data protection obligations as if they were asked in the ordinary course of providing personal data. This general proviso means that such information shall be processed fairly and lawfully, collected for specified purposes and not further processed in a way incompatible with those purposes, and so on.
OBJECTIVES: The aim of WP5 is to offer a clear cut picture of such a complex legal
issue as data protection rights in accessing and reusing PSI.
Along with issues concerning the “fair balance” that should be struck between the various fundamental rights in the Community legal order, it is enough to mention some striking discrepancies between different legal systems in a strongly interconnected world and the problems related to the adequacy of the protection of personal data in third countries pursuant to art. 25(6) D-95/46/EC (Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data).
Therefore, the methodological approach will focus on all the data to be mapped and collected in order to determine patterns and clarify principles that might guide future action.
The final goal is to present best practice suggestions, operative guidelines, and standard licenses for the input of sensitive data, which should prevent possible conflicts between data protection rights and PSI legislation.
ATTENDED RESULTS: Under WP5 the deliverables include both a clear cut picture of data protection under PSI norms and some suggestions in defining the optimal policy interventions through a threefold methodological approach, which considers best practice efforts, operative guidelines, and licenses for the input of sensitive data, as well as monitoring mechanisms.
Regarding the first point, the methodological approach should consider best practice efforts on the identifiability of data subjects as well as criteria to assess identification risks, security measures, and parameters to improve data communication and dissemination.
Regarding the guidelines, it should be stressed that according to art. 1 (4) D-2003/98/EC, PSI access and reuse should not alter rights and obligations set out in D-95/46/EC.
Finally, a particular attention should be given to the processing of sensitive data.
The final goal is to set out different licenses for the input of dissimilar sensitive data as criminal convictions, political opinions, racial origins, and the like, in order to prevent any possible conflict between data protection law and PSI legislation and develop standard policies that could be emulated by other (Italian local) governments.
