CERN is a global organisation that deals with the personal data of people from around the world, and with that comes a certain degree of responsibility. In an age of increasing awareness of the importance of privacy, it is critical for us to take all measures possible to protect personal data and to show that we care about this issue in a very tangible way. This is vital for maintaining the trust of the individuals sharing their information with us, and demonstrating that this laboratory applies the same high-level standards that we apply to our research to everything else we do.
Fully understanding, for example, what data we process, where we process it, who has access to it, and how long we keep it, is key in this era of ever increasing technological and automated handling of information that could be used to identify individuals.
This is also in line with developments in the EU, which approved the General Data Protection Regulation (GDPR) last year, and in other international and national contexts. The GDPR will become EU law in 2018. We intend to demonstrate our commitment to best practice in this area by offering an adequate and equivalent level of protection within the CERN context.
For this reason, I have created an Office of Data Privacy Protection, ODPP, which will work with all stakeholders at CERN to ensure that we are identifying and adopting best practices in our approach to the processing of personal data. The leading principles are already defined in the Code of Conduct, which states that we shall “Safeguard confidential information, documents or data, and ensure that such material in our possession is properly protected” and “Respect the privacy of others and protect personal information given to us in confidence”.
Naturally, it will take some time to evolve our current procedures and practices to ensure that people’s privacy is fully protected at CERN, but there are a number of initiatives in preparation. These will include a communications strategy involving e-learning modules to increase awareness, various policies to clarify the correct ways to process personal data and an Operational Circular setting out the associated rights and obligations. The fact that we have a coherent approach to service management across CERN gives us a unique framework on which to build. The service catalogue will be leveraged to create a consistent, state-of-the-art approach to ensuring that wherever personal data is processed at CERN, the privacy rights of the individuals concerned are fully respected.
What is “Data Protection”? CERN is already fortunate to have an excellent security and IT service that can ensure the confidentiality, integrity and availability of data. Data Protection is concerned with the handling of “personal” data, i.e. data that can identify you as an individual. When can it be collected? How can it be used? Who can it be shared with? Where can it be stored? The Office of Data Privacy Protection has been established to offer help to the services at CERN that process personal data and to anyone who is concerned about how their personal data is being handled by the Organization.
By David Foster