The members of the Ethics Working Group of the DPO Training Program of Duthler Academy, in collaboration with Duthler Associates, published the Code of Conduct for the Data Protection Officer (DPO) at the end of 2018. It was the first initiative to draw up rules of conduct for the professional group, intended to support the DPO in daily practice, a practice in which the DPO is regularly confronted with dilemmas.
The rules of conduct are based on core values. In this blog we describe the rules of conduct that are based on the core value “confidentiality”.
Core value confidentiality
A description and explanation of the core value of confidentiality for the DPO:
The DPO respects the confidential nature of information obtained in the context of his supervisory and advisory duties. He does not disclose this information to a third party without specific authorization to do so, unless there is a legal or professional right or obligation to disclose it.
Data subjects, employees and board members must be able to provide information to the DPO in confidence. The DPO must be able to use this information to conduct internal investigations and carry out checks. An exception can be made, for example, on the basis of a legal or professional duty, such as when the AP requests access to data.
Code of conduct
Based on this core value, the following rules of conduct have been described:
- A DPO who obtains access to data or information whose confidential nature he knows or should reasonably suspect is obliged to maintain the confidentiality of those data, unless he is obliged or authorized by or pursuant to a statutory regulation to provide the information. The DPO has special legal powers that give him access to a large amount of (confidential) data. The DPO ensures careful handling of all information obtained, whether or not it is personal data, and maintains confidentiality where necessary. The DPO is obliged to keep confidential the information that he obtains in the performance of his duties. The DPO must be able to receive information in confidence.
- The DPO will take reasonable measures to ensure that those who work under his responsibility comply with the duty of confidentiality that applies to him. The DPO must ensure, and take measures so, that anyone who performs a task for or on behalf of him or her and who is under his or her authority observes the same confidentiality as the DPO himself or herself.
- The DPO must be able to receive information in confidence and protects the interests of the person who confides in him. This rule is not absolute. The DPO must weigh the interests of the data subject that must be protected against whether the interests of the organization or of those involved are unreasonably harmed, in the same way as under a whistleblower policy.
As mentioned, DPOs face dilemmas in their daily practice. Discussions with DPOs show that much is still unclear about what can be expected from a reasonably acting, professional DPO.
Below is a case study of a dilemma for a DPO.
You are a DPO at an academic hospital. A colleague asks you to exchange views confidentially on a specific matter. She indicates that she has long suspected that patient files are being handled carelessly and that patients' medical data can be viewed by unauthorized persons. The proof came when she herself had to undergo examinations in the hospital: colleagues, well-meaning, approached her about it with “How nice that it turned out well!” Besides being glad that she was able to vent, your colleague also hopes that you, as DPO, can put an end to this unlawful processing of data.
What would you do as a DPO in this situation, given the tasks assigned to you by the General Data Protection Regulation?