Pular para o conteúdo principal

Governo escocês quer diminuir coleta de dados pessoais

O governo escocês lançou uma consulta pública para investigar maneiras de como reduzir a quantidade de dados pessoais coletados por entidades do tal governo. Alguns trechos do documento preliminar:

Only identify when necessary
1.1 People should not be asked to prove who they are unless it is necessary. A person making a general enquiry about a service should not need to provide any identifying information.

(…)

Identify only once
1.3 For services which are used frequently and for which identification is needed, public service organisations should give people a simple way to register once. Thereafter, unless there is a statutory requirement to prove identity, in many cases a person should be able to access the service using a token, such as a bus pass or library card that proves their entitlement without revealing unnecessary personal information. In other circumstances, a user name and a password or elements of a password may be required.

(…)

Offer choice
1.7 As far as possible, people should be offered alternative ways to prove identity and / or entitlement.

(…)

Adopt privacy and security policies & procedures
2.1 Public service organisations using personal information on behalf of public authorities should adopt clear, coherent and verifiable policies on privacy and security.

(…)

2.3 Responsibility and accountability for privacy should be assigned to a named senior management officer who reports to the Board or equivalent.

(…)

Facilitate oversight and reporting
2.7 The Scottish Government should work with the ICO to facilitate spot checks and the use of the ICO’s forthcoming inspection powers and should co-operate with existing oversight organisations to include privacy issues in their inspections and reporting.

(…)

Carrying out Privacy Impact Assessments (PIAs)
3.1 Public service organisations must carry out an appropriate level of PIA for any new initiative that enables access to services using IT and involves the collection, storage or use of personal information. Public service organisations must also carry out an appropriate level of a PIA if they are changing existing systems in ways which involve collection, storage or use of personal information.

(…)

4.
Data and Data Sharing
Acquiring and holding personal information
4.1 Public service organisations must minimise the personal information they hold, only acquire personal information for which they have a defined and specific need and ensure that such personal information is held only as long as is strictly necessary for the purposes for which it has been provided.
Avoid creating centralised databases of personal information
4.2 Organisations should seek to avoid creating large centralised databases of people’s personal information. People’s personal data should not be acquired and aggregated in a single place but maintained in separate data stores relevant to their specific business purpose. Organisations or their employees can still draw together personal information held in more than one place, if there is a business need to do so. That presents a lower risk than aggregating and storing all the personal information in a single place.
Storing personal and transactional data separately
4.3 Public service organisations must as far as possible store information about people’s access to services separately from their personal data, to minimise the risk of data loss and to ensure that even if one set of information is accessed improperly, this does not allow access to a wider range of information about individuals. This may be achieved through the avoidance of centralised databases (see 4.2 above).
Controlling access
4.4 Public service organisations should ensure that personal data is held securely (see 2.1c above), that their employees only have access to the minimum personal information they need and that audit records exist of all accesses to, changes to and uses of that data.
Storing identifying information
4.5 Public service organisations must consider whether identifying information needs to be stored in a database at all. In some cases, it might be preferable for people to hold and manage their own identifying information which can be accessed by the public service organisation when it is needed. This could be achieved, for  example, by the information being held on a smartcard and accessed when required through a card reader.
Linking information between systems
4.6 Public service organisations should not share personal information unless it is strictly necessary. If a public service organisation needs to link personal information from different systems and databases, it should avoid sharing persistent identifiers; other mechanisms, such as matching, should be considered. If a public service organisation believes that persistent identifiers should be shared, it must publicly explain why.

(…)

Provide easy access to own data
5.7 Public service organisations should provide simple, quick and effective means for individuals to access information held about them. This might include secure electronic access to check and correct the data that is held on them (any such provision would need to be audited and regulated so that the security and accuracy of data is not compromised).
Duty to repair or redress
5.8 Where an individual demonstrates emotional or material harm arising from incorrect or misused personal information held about them, organisations should assume a duty to repair that information and redress the harm as appropriate.

É um documento muito bom vindo de um governo. Espero que a consulta traga melhores idéias e que seja aprovada.

Comentários

Postagens mais visitadas deste blog

Quero ver tu achares uma constitucionalidade

Ophir Cavalcante Junior, diretor tesoureiro da OAB falou ao 1º Encontro Nacional de Identificação do Polícia Federal e fez vários questionamentos sobre a constitucionalidade do Registro Único de Identificação Civil, oficialmente conhecido como Cadastro Único (CU). Como diz a reportagem : Uma das principais preocupações da OAB com o sistema único de identificação, observou, é de que ele possa representar violação aos direitos fundamentais e garantias individuais, previstos no artigo 5° da Constituição, ou favorecer no futuro o fortalecimento do autoritarismo e de um Estado policial, ante o eventual enfraquecimento ou desaparecimento da democracia no País. Meu Deus do Céu! A OAB ainda tem dúvidas sobre a "violação aos direitos fundamentais e garantias individuais" que o CU pode inflingir sobre as pessoas no Brasil? A OAB já ouviu falar em Ahnenpaß ?

Eu vejo a luz!

Não. Eu não estou falando de um fato eleitoral ocorrido esta semana (algo que não aconteceria se Mitt Romney fosse o candidato). Estou falando de um comentário que recebi. A um bom tempo atrás, ainda em abril de 2006, mandei um e-mail para a ONG SaferNet perguntando quem a financia, essas coisas da vida. Esperei sentado, deitado, caminhando, correndo e de outras formas e nada. Eis que a luz aparece para mim nesta madrugada. O leitor Leandro (sem sobrenome) deixa um comentário que transcrevo na íntegra: Quem são os agentes envolvidos? O próprio site da Safernet ajuda a descobrir: http://www.safernet.org.br/site/institucional/redes/inhope E esta Inhope: https://www.inhope.org/en/partners/partners.html https://www.inhope.org/en/partners/sponsors.html Sabendo-se quem é principal patrocinador desta rede dá para entender porque a Safernet implica tanto com o Google e o Orkut. Como fazia um tempinho que não acessava o site da SaferNet, notei que eles mudaram o layout da página. Indo ao pri...

Como clonar digitais

Recordar é viver. Em 18 de abril de 2008, eu mostrei como clonar impressões digitais, usando materiais extremamente sofisticados como cola de madeira, SuperBonder, câmera fotográfica papel de slide e impressora a laser (tipo de coisa que só gente com muito dinheiro e contatos conseegue ter). Como o link anterior quebrou, resolvi republicar esta matéria. Alguém por favor mande isto para o sr. Ricardo Lewandowski ! Para quem ainda tem alguma ponta de confiança na biometria, traduzo um guia prático de como fazer impressões digitais de outros para ti. Como falsificar digitais? Starbug no Chaos Computer Club Para falsificar uma impressão digital é necessário uma primeiro. Digitais latentes nada mais são do que gordura e suor em objetos tocados. Desta forma, para capturar a impressão digital de alguém (neste caso, a que tu queres copiar), deve-se utilizar métodos forenses, o que será explicado aqui. (Foto 1) Foto 1: Resíduo gorduroso duma digital Boas fontes de impressões digitai...