In June 2017, our Director-General, Fabiola Gianotti, stated that taking all measures possible to protect personal data “is vital for maintaining the trust of the individuals sharing their information with us, and demonstrating that this laboratory applies the same high-level standards that we apply to our research to everything else we do”. Operational Circular 11 (OC 11), which describes the data-privacy rights and obligations at CERN, came into force on 1 January 2019 and was a great start to improving data privacy. However, much remains to be accomplished to protect personal data.
The Data Privacy Coordination Committee (DPCC), a dedicated entity to coordinate data privacy at CERN, was created in 2018 to define common approaches to the implementation of the data-privacy rights and obligations. Each department has nominated a representative, the Departmental Data Privacy Protection Coordinator (see list of members), who form the DPCC together with members of the Legal Service, the Staff Association and the Office of Data Privacy (ODP).
Since its inception in 2018, the DPCC has achieved an impressive amount of objectives. For instance, in 2019, an inventory of all CERN services dealing with personal data was carried out. It revealed that 560 such services are currently in existence. From that catalogue, the members of the DPCC coordinated the establishment of privacy notices that explain what we do with and how we protect personal information given to us in confidence.
With regard to the day-to-day management, the DPCC has developed a set of specific procedures to guide people when confronted with aspects of data privacy in their work. One example is a procedure for organising events, something that many of us at CERN may be involved with at some point. The ODP website offers detailed and newly reviewed information on data-privacy protection, while the FAQ page provides answers to specific questions. The Admin e-guide, with its new sub-chapter dedicated to data privacy procedures, focuses on the practical implementation of OC11. Data-privacy notices can be found on Service Now.
The DPCC is working on many additional measures that are essential for the successful implementation of OC11. High-priority measures include developing the “Privacy by design” policy and procedure, reviewing the current e-learning course to align it with the OC11 and establishing data-retention guidelines.
Anne Kerhoas, Rachel Bray