Emergency drill: ECB’s medical scheme and DPIAs

Presentation transcript:

1 Emergency drill: ECB’s medical scheme and DPIAs
Barbara Eggl, Owe Langfeldt
DPO-EDPS Meeting, 31/05/2018

2 Agenda
- DPIA – state of play
  - EDPS guidance
  - WP29/EDPB & national methodologies
- Group work – based on a true story...
- ECB medical scheme
  - Challenges
  - Lessons learned
- Q & A

3 DPIA – EDPS guidance
Recap – what happened at past DPO meetings?
- Alicante: new architecture & risk-based approach
- Tallinn: threshold assessments
- London: guiding questions
‘Accountability on the ground’ – preliminary version 02/18
- Why ‘preliminary’? We were still waiting for the agreed ‘new 45’
- But: the articles on records and DPIAs weren’t the controversial ones
- Feedback received & still welcome
- Update to come very soon with the final agreed text for ‘new 45’
- Article 39(4) list to come
- Risk mindset: the same logic applies to less risky processing too

4 DPIA – WP29/EDPB guidance & national methodologies
- WP29 guidelines: rather general on how to do it, more concrete on the threshold
- Toolkit provides some guidance, but all GDPR-compliant methodologies are acceptable
- ES, FR (also available in other languages) and UK updated their guidance in the meantime; no EDPS-imposed methodology
- Common framework:
  - description
  - necessity & proportionality
  - risk assessment & treatment
- Process perspective: it’s not over once you’ve got a report!

5 Group work... based on a true story
Scenario: based on the ECB medical scheme, but limited in scope
- Processing operations:
  - reimbursement of medical expenses
  - 24/7 helpline for staff
  - fraud detection and reporting of suspicions
  - reporting to the EUI
- Data subjects: covered staff members and dependents
- Players: EUI, staff, service provider
NB: different system and legal basis; pretend you don’t remember JSIS / the ‘normal’ Staff Regulations. More information in your materials.

6 Group work... based on a true story
[Data-flow diagram]
- Actors: EUI staff, doctors, EUI, provider
- Flows: patient–doctor relationship; submit claims; reimbursement; enrolment info; claims settlement; helpline; info on suspicious cases; fraud detection; reports on use of system

7 Group work – results? Some possible risks & controls
Risk: further subcontracting, leading to loss of control
Control: rules in contract

Risk: unauthorised further use of data by the contractor
Control: rules in contract, audit trail

Risk: interception of claims during submission
Control: ... will be defined in the security requirements for the submission system

Risk: leaks via the helpline
Control: access control for helpline staff / training / authentication of callers

Risk: disclosure of personal data in reporting on system use to the EUI
Control: business rules on anonymisation / pseudonymisation

Risk: excessive disclosures in dealing with suspected fraud
Control: business rules

8 ECB Medical Scheme – Challenges
- Mapping flows for complex processing operations proved difficult
- Many internal & external actors involved
- Subcontracting: understanding relationships and ensuring requirements are passed on
- EEA processing: getting contractors to understand that extra-EEA access (e.g. helpdesk) is processing too
- Creativity for thinking of risks: what could possibly go wrong (risk catalogue)?
- When to go for prior consultation?

9 ECB Medical Scheme – Lessons learned
- Early DPO involvement is crucial:
  - Fraud prevention: DPO comments on the update of staff rules helped to ensure data minimisation
  - Tender specifications: include data protection requirements & a DP annex early on
  - Avoids having/discovering problems down the line!
- Data protection culture: the controller side is very data protection aware. Many questions, but often just to confirm their (correct) analysis
- Awareness-raising pays off

10 Q&A
- Any DPIA experience you’d like to share?
- Problems encountered, lessons learned...?
- Feedback on the toolkit?

11 Thank you for your attention!
For more information: @EU_EDPS

12 Additional Background Slides

13 Shift in supervision architecture
[Diagram]
- New: prior consultation, DPIA, records of processing
- Previous: prior check opinion, Article 27 notifications, Art. 25 notifications

14 Documentation overview
