by Rachel Bray, DPCC sub-group communication Lead
In June 2017, our Director-General, Fabiola Gianotti, stated to the CERN community that taking all measures possible to protect personal data “is vital for maintaining the trust of the individuals sharing their information with us, and demonstrating that this laboratory applies the same high-level standards that we apply to our research to everything else we do.”
While the entry into force on 1 January 2019 of Operational Circular No 11 (OC 11), which describes data privacy rights and obligations at CERN, was a great start to improving data privacy, much remains to be done to protect personal data. While we all need to be mindful of data privacy on a daily basis, some of us may still be unsure of our rights and responsibilities, where to find information and who we can turn to for help.
In this article, we will provide answers to some of these questions, and hear more from the newly-elected Chair of the Data Privacy Coordinating Committee (DPCC), Anne Kerhoas.
I began by asking Anne to remind us what the DPCC is.
“The DPCC was created in 2018 to define common approaches to the implementation of the data privacy rights and obligations in order to ensure that personal data are handled in an appropriate and harmonised manner across the whole of CERN. Each department has nominated a representative, the Departmental Data Privacy Protection Coordinator (see list of members), who together with members of the Legal Service, the Staff Association and the Office of Data Privacy (ODP) form the DPCC. The specific role of the ODP as a centre of expertise in data protection matters is to advise the DPCC.”
What has the DPCC achieved since its creation in 2018?
“An impressive amount of work has been completed since the creation of the DPCC. For instance, in 2019, we carried out an inventory of all CERN services dealing with personal data and discovered a whopping 560 such services currently in existence. Not only is this a huge amount of work by the DPCC, but it also signifies that almost everyone at CERN is working with personal data. Collectively, the members of the DPCC have coordinated the establishment of over 600 Records of Processing Operations, known as RoPOs, within their departments. Over 120 of them have been reviewed by the ODP and published on the Service Portal. In addition, the DPCC has developed a set of specific procedures to guide our colleagues when confronted with aspects of data privacy in their work. One specific example is a procedure for organising events, something that many of us at CERN may be involved with at some point.”
Where can people find out information about data privacy protection at CERN?
- “The ODP website is the first port of call, offering vast amounts of information;
- the FAQ quick links page provides answers to specific questions;
- the Admin e-guide, with its new sub-chapter dedicated to data privacy procedures, is a very useful aid for the practical implementation of OC11;
- finally, you can also check out the various data privacy notices stored on Service Now.”
Now OC11 is in force. What are the next steps to pursue the implementation of data privacy at CERN and what are the challenges?
“Among the many additional measures on which DPCC is working that are essential for the successful implementation of OC11, I have selected three that should be considered the highest priorities:
- development of the “Privacy by design” policy and procedure;
- review of the current e-learning course to align it with OC11;
- establishment of retention guidelines, relating to the removal of personal data storage beyond the retention expiry date.
Having a framework such as OC11 and all the supporting measures in place is very good, but alone they are not enough. We need the assistance and cooperation of each and every one at CERN, and that is why I invite you all to join us in this CERN-wide endeavour to protect the privacy of personal data.”