Monday 23 Apr 2012 @ 09:20
EU News
Printable version E-mail this to a friend

EDPS calls for data protection safeguards before public sector information containing personal data can be re-used

Recently, the European Data Protection Supervisor (EDPS) adopted his opinion on the Commission's Open Data Package, which includes a series of measures to facilitate a wider and innovative re-use of public sector information (PSI). The opinion highlights the need for specific safeguards for data protection whenever PSI contains personal data. It recommends that public sector bodies take a 'proactive approach' when making personal data available for re-use. This would make it possible to make data publicly available, on a case by case basis, subject to conditions and safeguards in compliance with data protection rules.

Peter Hustinx, EDPS, says: "The re-use of PSI containing personal data may bring significant benefits, but also entails great risks to the protection of personal data, due to the wide variety of data held by public sector bodies. The Commission proposal should therefore more clearly define in what situations and subject to what safeguards information containing personal data may be required to be made available for re-use."

In his opinion, the EDPS recommends, among others, that the proposal should:

  • require that a data protection assessment be carried out by the public sector body concerned before any PSI containing personal data may be made available;

  • require that the terms of the licence to re-use PSI include a data protection clause, whenever personal data are processed;

  • where necessary considering the risks to the protection of personal data, require applicants to demonstrate that any risks to the protection of personal data are adequately addressed and that the applicant will process data in compliance with applicable data protection law, and

  • where appropriate, require that data be fully or partially anonymised and license conditions specifically prohibit re-identification of individuals and re-use of personal data for purposes that may individually affect the data subjects.

In addition, the EDPS suggests that the Commission develop further guidance, focusing on anonymisation and licensing, and consult the Article 29 Data Protection Working Party, an advisory body consisting of data protection authorities in EU Member States.

Background information

On 12 December 2011, the Commission adopted a proposal for a Directive amending Directive 2003/98/EC on re-use of public sector information (the PSI Directive). The proposal is part of the 'Open-Data Package'. The PSI Directive aims at facilitating the re-use of public sector information throughout the European Union by harmonising the basic conditions for re-use and removing barriers to re-use in the internal market. The EDPS has previously also recommended a 'proactive approach' in his paper on 'Public access to documents containing personal data after the Bavarian Lager ruling', 24 March 2011 (see chapter III on pages 6-11).

The European Data Protection Supervisor (EDPS) is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. He does so by:

  • monitoring the EU administration's processing of personal data;

  • advising on policies and legislation that affect privacy;

  • cooperating with similar authorities to ensure consistent data protection.

How Lambeth Council undertakes effective know your citizen (KYC) / ID checks to prevent fraud