The persons whose data is being processed — so-called data subjects such as victims, first responders, volunteers — have a number of specific rights. The architecture of any CIS should foresee the exercise of these distinctive rights and accommodate the increased control of data subjects. The EU’s General Data Protection Regulation significantly increased the rights of data subjects. This reflected a move towards increased end user control and “ownership” of their data and its use. As a starting point, there is a strong emphasis on transparency in relation to how data subjects’ data is collected and processed. Any information on this needs to be intelligible, clear and easily accessible. Building upon this, there are a number of specific rights that the data controller must ensure can be met, usually within one month of a request being made. These include a right to relevant information about the controller and the processing of the information; a right of access to data, including information about the period for which the data will be stored; a right of rectification in relation to inaccurate or incomplete data; a right of erasure of data that is no longer required for its original purpose; and a right to data portability, which relies heavily on data being recorded in an accepted standard to maintain interoperability.
Have you accessed and understood the rights available to data subjects in the GDPR?
Have you reviewed your provision of information to end users to ensure not only that it covers all required issues but also that it is written clearly and promotes transparency?
Have you developed policies to ensure that these rights can be supported within your system; pre-empting any requests by data subjects will enable the duties to be met in a much more efficient manner than acting retrospectively?
Who are the data subjects invoked in your CIS?
How are data subjects informed of their rights from the management/host perspective? What about the rights of the users whose data is being logged?
Data subjects have the following rights:
- The right to be informed in a transparent way about their data being processed (Art. 38, 60 GDPR). This obligation is especially important vis-à-vis first responder agency employees. Victims might not have to be informed since it would require a disproportionate effort to do so during a crisis situation (Recital 62 and Art. 14§5 GDPR).
- The right to access the personal information that is being processed on him or her (Art. 39, 59, 63 GDPR). By virtue of this right any data subject is entitled to ask a data controller whether or not personal data concerning him are being processed and obtain information relating to the purpose, the recipients, the duration of the processing, etc.
- The right to rectification: Data subjects will have the right to request a rectification of inaccurate data concerning him or her (Art. 59 GDPR).
- The right to erasure: Under certain conditions a data subject may require a data controller to delete data concerning him or her. This right would be enforceable for example in case of: unlawful processing, withdrawal of consent or when the data are no longer necessary for the purposes for which they were collected originally (Art. 39, 59, 66, 68).
For these rights to be exercisable it is of utmost importance that both data controllers and data processors maintain records of their processing activities and that they foresee standardised procedures that enable data subjects to exercise their rights effectively. The exercise of such rights might require intense communication between the different connected entities which underlines the need for a common and predetermined procedures.
Consider a victim during an earthquake. First responder agents take a picture of the victim to show an injury to a medical staff and the next day this picture becomes visible on their website. In such a case it is obvious that the victim’s data have been processed beyond the original purpose they were collected for. Since the data are no longer necessary within the context of the disaster relief operation, the data subject can request the erasure of this picture. In practice the data subject will address one of the data controllers participating in the CIS to exercise their right. Nevertheless, all of the entities connected to the CIS should make sure that they all erase any copy of this picture.
Regulation (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [Link]
GDPR Overview of the General Data Protection Regulation (2017). Information Commissioner’s Office [Link]