The Spanish Agency of data protection (AEPD) has published the Guide technologies and data protection in Public Administrations , which explores some of the technologies that are running in the AAPP, the risks inherent to its use regarding the protection of personal data and the safeguards that should be implemented by these. The Guide examines cookies and other tracking technologies, use of social networks, cloud computing, big data, artificial intelligence, blockchain and smart cities. Its contents will be expanded in successive versions, extending it to other specific technologies.
The services implemented in the AAPP are guided by the public service, while the processing of personal data by has a distinctive risk arising from the amount of data collected, the volume of people affected, the impossibility of object to the processing in many cases and the imbalance between administration and citizens. The AAPP, as responsible for processing the data of citizens, before launching new treatment or modify already supplied, must identify the risks to which can be exposed the treatment and take technical and organizational measures to eliminate or at least mitigate damage that may result from the same for the rights and freedoms of individuals.
In the cloud computing, with its undoubted advantages, presents risks as the privacy of information stored, continuity of services, the legal changes and the loss of control of infrastructure and applications used. In the case of the AAPP, for the volume and sensitivity of the data that manage these risks must be the object of rigorous analysis. It is not unlikely that services in the cloud occur security gaps that endanger the availability, integrity and confidentiality of personal data, with consequences for the rights and freedoms of individuals. A cyber attack, a system malfunction or human error may endanger the data of citizens. Risk management of information security is not exclusively in the service provider company that acts as a responsible for treatment, but that corresponds to the administration determine security measures that should be the responsible and which, obligatorily, must be reflected in contract form.
On the other hand, in the design phase of treatments of Big Data must analyse objectively what amount of data is necessary and sufficient, conform to the principle of minimisation of data and do not adopt strategies used to collect the maximum number of data. The Guide picks up that this problem can be seen accentuated in the case of mass collection of data supported by sensors in contexts of treatment, such as those made in the Smart Cities. Massive treatment of personal data is one of the alleged for which the RGPD requires a risk assessment, requiring the realization of an impact assessment regarding data protection and, depending on the outcome of a consultation prior to the Supervisory authority.
Furthermore, the document enrichment warning information of the same person with data from different sources, which may lead to new connections or shades of his personality that separately would not have said. “ Is possible even that, when crossing several sources of data that were supposed to be anonymous, by aggregation of data, disclosing the identity of specific people, ” she adds. The Agency recommends measure, assess and manage risks of re-taking the necessary measures to reduce the likelihood of such re with consequences of great impact in case of special categories of data as medical data, of minors or persons in conditions of particular vulnerability.
Part of these risks also apply to the smart cities: “ even when data is collected anonymized initially, extension, frequency, combination and enrichment of data may result in an identification of individuals ”. The Agency advised to take measures to mitigate this risk as privacy techniques differential or use of aggregation of strategies to avoid correlations, while noting that the installation of sensors massively increases the likelihood of safety failings which can also come from deliberate attacks. Therefore, the agency recommends pay attention to the analysis of security risks from the point of view of data protection, that provide “ maximum guarantees for that there can be no unauthorized access to monitor persons individually or lead a massive filtering of personal data ”.
The recipients of this guide are mainly delegates of data protection of the AAPP and public employees in charge of promoting, manage and use these technologies in the administration, but you can also be useful to companies working as Heurística or treatment of applications for AAPP, as well as the citizens themselves, to understand how to affect them these technologies in the services provided the administration.