Opinion (Rogério COPETO / GNR Officer): DATA PROTECTION IN A SECURITY FORCE.
Following our last article, titled "The new paradigm in data protection", on the General Data Protection Regulation (RGPD), the application of which became mandatory on 25 May, we return to the subject to talk about data protection in a Security Force (FS).
Lieutenant Colonel of the GNR
Master in Law and Security and Homeland Security Auditor
Head of the Education Division / Command Doctrine and Training
As mentioned in our last article, one of the obligations under RGPD is the appointment of a Data Protection Officer (EPD), which, according to its Article 37, is required when: "The processing is carried out by a public authority or body, except for courts acting in their judicial capacity".
The EPD can be a person or a group of people, and has the following responsibilities and functions: to inform and advise the institution's top official and its staff regarding their obligations under RGPD; to monitor compliance with the RGPD and with the organization's policies relating to the protection of personal data, including the division of responsibilities, the awareness-raising and training of personnel involved in data processing operations, and the related audits; to provide advice, when so requested, on the data protection impact assessment; and to cooperate with the National Data Protection Commission.
Given the importance of the EPD to an organization, it is estimated that more than 28,000 EPDs are needed in Europe and the US, a figure that can reach 75,000 worldwide, and that in the UK alone searches for EPDs increased 700%. The need for EPDs is greatest in technology, digital marketing, finance, healthcare and retail companies. Multinationals such as Uber, Twitter, Airbnb, Cloudflare and Experian published online ads to hire an EPD, and Microsoft, Facebook, Salesforce.com and Slack also had to hire one.
This race for EPDs may result from the size of the fines to be imposed for breaching the RGPD rules: in less serious cases, the fine may be up to 10 million or 2% of annual worldwide turnover, whichever is higher, and in more severe cases, up to 20 million or 4% of annual worldwide turnover, whichever is higher. We can conclude that the EPD will be one of the most important officials in any public or private entity.
The EPD of an FS will have the same importance. They are appointed in accordance with Article 32 of Directive (EU) 2016/680, with the same responsibilities and functions as any other EPD. That Directive applies to those who have to process personal data in their capacity as a criminal police body (OPC); however, it does not apply to all the data that an FS must process, including the processing of data in the prevention, investigation, detection or prosecution of crimes or offenses, including data relating to FS personnel in the management of its human resources.
The legal duty of an FS is to maintain law and order, prevent crime, bring offenders to justice and protect all citizens. To do so, it must process citizens' personal data in accordance with the public interest, meaning that the processing of such data is done according to the law and within the administration of justice.
Personal data include name and address, employment information, financial information, racial or ethnic origin, political opinion, religion or belief, physical or mental health condition, sexual orientation, criminal record, physical characteristics, including DNA, fingerprints and other biological samples, photographs, sound and images, criminal history information, accident information, etc. These data may be held in computerized databases or recorded on paper.
Personal data held by an FS come from various sources in addition to the FS's own intelligence bodies, including other national or international OPCs and entities responsible for licensing activities, such as vehicle registration, as well as courts, prisons, Commissions for the Protection of Children and Youth, private security companies, non-governmental organizations that are partners in strategies for protecting victims of crime and preventing delinquency and crime, emergency services such as firefighters, the National Health Service, etc.
These personal data are kept in the FS databases, properly secured and encrypted, and can only be consulted on a "need to know" basis, and only by the FS's own police officers. This ensures that all personal data are processed within the law and are used only for lawful purposes and to fulfill the mission of maintaining law and order, preventing crime and protecting all citizens and their property. All unnecessary data must be deleted.
Just as personal data may come from various sources, an FS may also have to share the data it collects and processes with other bodies, including the other OPCs, courts, government agencies, etc. The sharing of personal data should be evaluated case by case and according to the intended purpose, ensuring special security measures when sharing with organizations outside the European Union, especially where there is no personal data protection legislation similar to RGPD.
The security of personal data held by the FS is guaranteed through the implementation of security measures and the training of the personnel responsible for processing them, in accordance with current legal standards. The servers that house the databases are kept in secure locations with access restricted to authorized personnel, and access to the databases is granted only to those who need the information and are properly accredited.
All of these systems should be subject to audits and security inspections, whether physical or cyber, guaranteeing protection against data loss due to misuse. Access procedures should be reviewed periodically, as should the accreditation of those who have access to personal data.
The FS remain in possession of personal data for the time strictly necessary for its purpose, which may be indefinite, while ensuring the rights of citizens, which are: the Right to be Informed of how the data were obtained and for what purpose, information that should be included in the "Statement of Privacy Notice"; the Right of Access, which allows any citizen to access their personal data, although it is subject to certain restrictions; the Right to Rectification, which enables citizens to have their personal data corrected; the Right to Erasure and the Right to Restriction, which allow citizens to request the removal of personal data and/or to restrict the processing of such data, due to absence; and the Rights Relating to Automated Decision Making, when the processing of personal data is carried out by automated means without any human involvement (using artificial intelligence).
From the above, we can conclude that, of all the entities that hold personal data, the FS are possibly those that can best comply with the rules of RGPD and ensure the protection of these data. Any citizen can learn the privacy policies of an FS simply by making a request in accordance with their right to information.