Summary
Personal data controllers should ensure data accuracy and protect personal data from unauthorized disclosure, loss, modification, or other misuses.
Obligations
Election Parts
Quotes
- Personal data shall be: (...) (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
- Personal data shall be: (...) (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).
- The gathering and holding of personal information on computers, data banks and other devices, whether by public authorities or private individuals or bodies, must be regulated by law. Effective measures have to be taken by States to ensure that information concerning a person’s private life does not reach the hands of persons who are not authorized by law to receive, process and use it, and is never used for purposes incompatible with the Covenant.
- Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up to date.
- Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
- A Member country should refrain from restricting transborder flows of personal data between itself and another country where (a) the other country substantially observes these Guidelines or (b) sufficient safeguards exist, including effective enforcement mechanisms and appropriate measures put in place by the data controller, to ensure a continuing level of protection consistent with these Guidelines.
- The General Assembly (...) 7. Calls upon business enterprises: (...) (c) To implement administrative, technical and physical safeguards to ensure that data are processed lawfully and to ensure that such processing is limited to what is necessary in relation to the purposes of the processing and that the legitimacy of such purposes, as well as the accuracy, integrity and confidentiality of the processing, is ensured.
- Personal information controllers should protect personal information that they hold with appropriate safeguards against risks, such as loss or unauthorized access to personal information, or unauthorized destruction, use, modification or disclosure of information or other misuses. Such safeguards should be proportional to the likelihood and severity of the harm threatened, the sensitivity of the information and the context in which it is held, and should be subject to periodic review and reassessment.
- Personal data are processed lawfully (with the unambiguous consent of the data subject or on the basis of law) for legitimate purposes and not in excess of such purposes, accurately and securely. These conditions apply also to profiling (personal data automatic processing techniques that collect and use information about an individual in order to identify, analyse or predict his or her personal preferences, behaviour and attitudes).
- Member States (through the designated authorities) should enforce compliance with the applicable data protection principles, in particular by engaging with search engine providers to carry out the following actions: – ensure that the collection of personal data by search engine providers is minimised. No user’s IP address should be stored when it is not necessary for the pursuit of a legitimate purpose and when the same results can be achieved by sampling or surveying, or by anonymising personal data. Innovative approaches promoting anonymous searches should also be encouraged; – ensure that retention periods are not longer than strictly necessary for the legitimate and specified purposes of the processing. Search engine providers should be in a position to justify with demonstrable reasons the collection and the retention of personal data. Information in this connection should be made publicly available and easily accessible; – ensure that search engine providers apply the most appropriate security measures to protect personal data against unlawful access by third parties and that appropriate data breach notification schemes are in place. Measures should include “end-to-end” encryption of the communication between the user and the search engine provider; – ensure that individuals are informed with regard to the processing of their personal data and the exercise of their rights, in an intelligible form, using clear and plain language, adapted to the data subject. Search engines should clearly inform users up front of all intended uses of their data (emphasising that the initial purpose of such processing is to better respond to their search requests) and respect the user’s right with regar to their personal data. They should inform individuals if their personal data has been compromised.
- Online intermediaries and digital media should implement the UN Guiding Principles on Business and Human Rights and conduct due diligence to ensure that their products, policies and practices, including in the areas of collection of private data and microtargeting of messages, do not interfere with human rights.
- Personal data that are processed must be adequate, relevant, correct and, if necessary, up to date; all reasonable measures must be taken to complete, correct, block or erase data that are incomplete or incorrect.
- Intermediaries should ensure data security and privacy, and ensure that the use of data is in compliance with international human rights law and has the fully informed consent of data providers.
- The Council of Europe has identified two types of cyberthreats to elections. First, threats to electoral democracy, namely “attacks against the confidentiality, integrity and availability of election computers and data”, compromising voter databases or registration systems; tampering with voting machines to manipulate results; interference with the function of systems on election day; and illegal access to computers to steal, modify, disseminate sensitive data. Second, threats to deliberative democracy, i.e. “information operations with violations of rules to ensure free, fair and clean elections” related to data protection, political finances, media coverage of electoral campaigns and broadcasting and political advertising.