What is Quantified Self (QS)?



Content
Quantified Self (QS)
(Sensitive) Personal data
Security risks QS
Privacy risks QS
Art. 29 Working Party (WP29) on QS
WP29 on eHealth
WP29 on Internet of Things (IoT)
QS data at risk in the IoT
WP29 recommendation on the IoT

What is Quantified Self (QS)?
WP29 => Wearable Computing, Quantified Self and Domotics:
Wearable Computing: objects and clothes with sensors.
Quantified Self: objects carried by an individual to record data on lifestyle.
Domotics: sensors that record when a user is at home, patterns of movement... and may transmit data.
Reference: WP29 opinion on the Internet of Things

(Sensitive) Personal Data
Data such as ethnic origin or health qualify as sensitive data.
Art. 8 of Dir. 95/46/EC: explicit user consent.
QS devices mostly do not register health data, yet they may provide information about the individual's health as the data is registered over time.

Security risks of QS devices
Example: US ICS-CERT now checks everything (pacemakers, defibrillators...).
Some findings: a heart pump and some cardiac implants have security flaws that make them vulnerable to hacking.
Link: http://www.techworm.net/2014/11/terrorists-can-hackpacemakers-like-shown-homeland-tv-series.html

Privacy risks of Quantified Self
Example: Google Glass raised many privacy concerns, which led to it being banned in certain public locations.
Link: http://abcnews.go.com/Technology/glassholes-privacyissues-troubled-run-edition-google-glass/story (Jan 16, 2015)

Working Party 29 on QS
Independent body on data protection (Art. 30 of 95/46/EC, Art. 15 of 2002/58/EC).
Addressed QS in Opinion 8/2014 "Opinion on Recent Developments on the Internet of Things" and in "Data protection for eHealth applications" (February 2015).

WP29 on Quantified Self
A pedometer storing step data for a few days does not process 'health data'.
But an application combining several years of records of an individual is processing health data.

WP29 on Quantified Self
If the data controller provides a remote platform to collect and process data, the domestic exception only applies to the actual usage by the user and does not exempt the data controller from the data protection law (WP163, WP223).

WP29 on Quantified Self
The combination of location data with other information read from the device would still make it necessary for the data controller to obtain the consent of the data subject (Art. 7(a) & Art. 5(3) of the ePrivacy Directive).

WP29 on the Internet of Things
IoT can develop an unlawful form of surveillance and raise security concerns (WP29 Opinion 8/2014).
The interaction between objects will result in hardly manageable data flows, challenging the protection of the data subjects' rights.

Quantified Self and the IoT
IoT stakeholders qualifying as data controllers must comply with 95/46/EC and 2002/58/EC.
Art. 5(3) of 2002/58/EC applies if an IoT stakeholder can access information stored on IoT terminal equipment, and demands that the subscriber/user consents.
This is important because it can give others access to privacy-sensitive information stored on such devices.

WP29 recommendations on IoT
PIA required for IoT applications.
IoT stakeholders must delete raw data as soon as they have extracted the aggregated data required for their data processing.
Principles of Privacy by Design and Privacy by Default apply.
Data subjects must be able to exercise their rights and be in control of the data at any time.

WP29 requirements for OS and device manufacturers
inform stakeholders if data subject withdraws consent
provide granular access choices and a "do not collect" option
prevent location tracking

WP29 requirements for OS and device manufacturers
provide tools to locally read, edit and modify the data before they are transferred to any data controller
inform everyone impacted by a discovered device vulnerability

WP29 requirements for OS and device manufacturers
apply Security by Design and cryptography
limit data leaving devices and aggregate
protect data of different individuals using the same device

A note on the new Data Protection Legislation
Data Protection Regulation will replace Dir. 95/46/EC.
New Data Protection Regulation currently discussed in Council.
Italian presidency report on proposal (December 2014) is > 200 pages.

References
Dir. 95/46/EC on Privacy and Data Protection
Dir. 2002/58/EC on e-privacy
Art. 29 Working Party Opinion 8/2014 on Recent Developments on the Internet of Things
Art. 29 Working Party Opinion 5/2010 on online social networking
Privacy and Data Protection Impact Assessment Framework for RFID Applications, adopted on 12 January 2011 by the Art. 29 Working Party