Underlying Principle 8: Security and privacy

Citizens and businesses must be confident that when they interact with public authorities they are doing so in a secure and trustworthy environment and in full compliance with relevant regulations, e.g. the Regulation and Directive on data protection, and the Regulation on electronic identification and trust services. Public administrations must guarantee the citizens’ privacy, and the confidentiality, authenticity, integrity and non-repudiation of information provided by citizens and businesses.

 

 Covered by: 

Recommendation 15

Define a common security and privacy framework and establish processes for public services to ensure secure and trustworthy data exchange between public administrations and in interactions with citizens and businesses.

Supporting Solutions

Legal Initiatives

Legal initiative

Relevant articles

Legislation:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR's primary aim is to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

Status:

In force

Core topics:

  • Electronic standards
  • New technologies/ AI inclusion
  • Monitoring implementation and compliance
  • Protection of personal data

Appropriate security of the personal data (Art. 5, 1. f)
Processing of special categories of personal data: social security and social protection law (Art. 9, b)
Security of personal data - security of processing - ensure a level of security appropriate to the risk (Art. 32, 1)

Legislation:

REGULATION (EU) 2018/1807 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 November 2018 on a framework for the free flow of non-personal data in the European Union

Status:

In force

Core topics:

Public security (clause 19); security of cross-border data processing (clause 33); cybersecurity (clause 36)

Legislation:

DIRECTIVE 2014/24/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 26 February 2014 on public procurement and repealing Directive 2004/18/EC

Status:

In force and transposed

Core topics:

  • Electronic standards

 

Level of security (Art.22.6)

Legislation:

Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS Regulation)

Status:

In force and transposed

Core topics:

  • Electronic identification schemes 
Processing of [only those] identification data that are adequate, relevant and not excessive (clause 11); personal data breaches (clause 31); adequate level of security of electronic identification (Art. 1); processing of personal data (Art. 5.1); breached or partly compromised (Art. 10.1); principle of privacy by design (Art. 12.3c); personal data is processed (Art. 12.3d)

Legislation:

DIRECTIVE 2011/24/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 9 March 2011 on the application of patients’ rights in cross-border healthcare

Sector specific - Health

Status:

In force and transposed

Core topics:

Due respect of data protection (Art. 11.2a); principles of data protection (Art. 14.2)

Legislation:

REGULATION (EU) 2019/818 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration and amending Regulations (EU) 2018/1726, (EU) 2018/1862 and (EU) 2019/816

Status:

In force

Core topics:

Personal data (clause 22); processing of data (clause 23; Art. 5; 40; 41); protection of personal data (clause 36); new data processing operations (clause 40); applicable Union data protection rules (clause 45); sensitive personal data (clause 69); data minimisation (clause 70); compensation for unlawful processing of personal data (clause 71); search data related to persons or their travel documents (Art. 7.5); only for data protection monitoring (Art. 10.2); minimum data quality standard (Art. 13.3); only for as long as the corresponding biometric data are stored (Art. 15; 35); data retention provisions (Art. 23.1); regularly verified by the competent supervisory authority (Art. 24.4); security of processing (Art. 42); compliance of data processing (Art. 44); right of access to, rectification and erasure of personal data (Art. 48); audit of personal data processing operations (Art. 52)

Legislation:

DIRECTIVE 2002/58/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)

Status:

In force and transposed

Core topics:

  • Electronic identification schemes 
Protection of personal data, privacy (clauses 8; 31; 32; Art. 1.1; 3); free movement of such data (Art. 1.1); security of its services, network security (Art. 4.1); personal data, security policy (Art. 4.1a); breach of the security of the network (Art. 4.1); personal data breach (Art. 4.3); confidentiality of communications and the related traffic data (Art. 5); erased or made anonymous when it is no longer needed (Art. 6.1); for the duration necessary (Art. 6.3; 9); anonymous, or with the consent (Art. 9.1)

Legislation:

DIRECTIVE (EU) 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union

Status:

In force and transposed

Core topics:

  • Access/construction of ICT systems
Security of network and information systems (Art. 1.7; 7.1; 14.1; 14.2; 16.1; 16.2; 19.1); adequate protection of data (Art. 13); confidentiality of the information (Art. 14.5; 16.6); personal data breaches (Art. 15.4)

Legislation:

DIRECTIVE 2014/55/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 16 April 2014 on electronic invoicing in public procurement

Status:

In force and transposed

Core topics:

  • Electronic standards
Protection of personal data, data protection by design, proportionality and data minimisation (clause 20; Art. 3.1); data protection, principle of the protection of privacy (Art. 8)

Legislation:

DIRECTIVE (EU) 2016/680 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA

Status:

In force and transposed

Core topics:

  • Protection of personal data
  • Criminal offences and penalties
  • Free movement of sensitive data
Processing of personal data (Art. 1.1; 1.2; 2.1; 2.2; 4; 9.1; 9.2; 10); protection of personal data (Art. 1.2); erasure of personal data (Art. 5; 16); data subjects (Art. 6; 14.1; 17.1; 20.1; 22.1); processing to be lawful (Art. 8.1); data protection principles, data minimisation (Art. 20); by default (Art. 20.2); level of security (Art. 29.1); personal data breach (Art. 30; 31); appropriate safeguards (Art. 36; 37)

Legislation:

Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa and amending Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHA

Status:

In force

Core topics:

  • Cross-borders services Interoperability
Personal data (clause 22); processing of data (clause 23; Art. 5; 40; 41); protection of personal data (clause 36); new data processing operations (clause 40); applicable Union data protection rules (clause 45); sensitive personal data (clause 69); data minimisation (clause 70); compensation for unlawful processing of personal data (clause 71); search data related to persons or their travel documents (Art. 7.5); only for data protection monitoring (Art. 10.2); minimum data quality standard (Art. 13.3); only for as long as the corresponding biometric data are stored (Art. 15; 35); data retention provisions (Art. 23.1); regularly verified by the competent supervisory authority (Art. 24.4); security of processing (Art. 42); compliance of data processing (Art. 44); right of access to, rectification and erasure of personal data (Art. 48); audit of personal data processing operations (Art. 52)

Solutions supporting the implementation of Principle 8

Solution / Description / Associated recommendation

CEF Big Data Test Infrastructure

Big data test infrastructure (BDTI) helps public administrations improve the experience of the citizen, make government more efficient and boost business and the wider economy through big data. Big data is high-volume, high-velocity and high-variety information that requires new forms of processing to enable enhanced decision-making, insight discovery and process optimisation.

Recommendation 15
CIRCABC

CIRCABC (Communication and Information Resource Centre for Administrations, Businesses and Citizens) is an open-source, web-based application which enables geographically spread collaborative groups to share information and resources in private workspaces.

Recommendation 15
Data models

The use of CISE specifications and data models helps to ensure that public administrations are taking into account relevant EU recommendations on standards and specifications in the maritime domain and are seeking to make the approach consistent across borders.

Recommendation 15
eDelivery

The eDelivery Building Block helps public administrations to exchange data and documents via AS4 Access Points, based on the AS4 messaging protocol. This allows different parties to exchange electronic data and documents across sectors and borders through a secure eDelivery message exchange network. By connecting to an AS4 Access Point, a public administration can exchange electronic data and documents with any organisation connected to another Access Point in the network. The eDelivery Building Block also helps upgrade existing solutions so they can connect to eDelivery messaging networks through an Access Point.

Recommendation 15
eID

The eID Building Block allows public administrations and private service providers to easily extend the use of their online services to citizens from other Member States, in line with the eIDAS Regulation.

Recommendation 15
EIRA

The European Interoperability Reference Architecture (EIRA©) is an architecture content metamodel defining the most salient architectural building blocks (ABBs) needed to build interoperable e-Government systems. The EIRA© provides a common terminology that can be used by people working for public administrations in various architecture and system development tasks. The EIRA© was created and is being maintained in the context of Action 2016.32 of the ISA² Programme. The EIRA uses (and extends) the ArchiMate language as a modelling notation and uses service orientation as an architectural style.

Recommendation 15
eSignature

The CEF eSignature Building Block allows public administrations, businesses, and citizens to electronically sign any document, anywhere in Europe, at any time, in line with the eIDAS Regulation for e-signatures, e-seals and related services offered by Trust Service Providers.

Recommendation 15
eTrustEx open source software package

A cross-sector, open source tool that will help you to exchange structured and unstructured documents and to connect to pan-European e-delivery infrastructures with reduced investment.

Recommendation 15

European Union Location Framework Blueprint

The European Union Location Framework (EULF) Blueprint is a framework of recommendations and related guidance for publishing and using location information and applying interoperability principles in digital government. The EULF Blueprint was initially developed through the EULF project in the ISA programme. The content has been updated extensively through the European Location Interoperability Solutions for e-Government (ELISE) project, which is part of the ISA² programme.

Recommendation 15
Service model

The CISE Network is a complex open computer network interfacing several EU countries, specifically in the maritime data context. This network connects CISE nodes and legacy systems through a special component called "the CISE Adaptor".

This document is a guideline to the CISE Service Model and to the software development of the CISE Adaptors. The intention is to provide complete, precise and quick-start documentation to be used as a reference guide by the CISE software developer community of the EU Member States. Specifically, the objective is to make the development, testing, implementation and validation of CISE Adaptors easier.

Recommendation 15

IMAPS solution v1.2

IMAPS is a user-friendly online questionnaire, designed as a self-assessment tool to assist public service owners to evaluate key interoperability aspects of their digital public service.

Not only can IMAPS be used to assess the interoperability of any public service – from open data portals, and e-voting platforms, to public procurement services, and much more – it is applicable to services at all levels of government (international, national, regional and local).

Recommendation 15

LIMAPS v1.0.0

This is the Beta version of the Legal Interoperability Maturity Assessment of a Public Service (LIMAPS) survey.

This Beta version of the LIMAPS Survey was released on 21 April 2020 on Joinup.

It is a user-friendly online questionnaire, designed as a self-assessment tool to assist public service owners to evaluate key legal interoperability aspects of their digital public service.

The current Beta version of LIMAPS (LIMAPS v1.0.0 Beta) is available at the EU survey portal: https://ec.europa.eu/eusurvey/runner/limaps-beta.

Recommendation 15

PM²

PM² is a Project Management Methodology developed and supported by the European Commission. Its purpose is to enable project teams to manage their projects effectively and deliver solutions and benefits to their organisations and stakeholders. PM² is a light and easy-to-implement methodology suitable for any type of project. PM² has been custom developed to fit the specific needs, culture and constraints of EU Institutions, but also incorporates elements from globally accepted best practices, standards and methodologies.

Recommendation 15