Category: Closed Consultations

ICO request for feedback on profiling under the GDPR

We’ve just responded to the ICO’s request for feedback on Profiling under the General Data Protection Regulation. Thanks to the work we’ve already done on Learning Analytics, we were able to include several examples of good practice in that area, including the Code of Practice we developed with universities and the National Union of Students.

Category: Articles

GDPR: moving to Information Lifecycle Registers?

[UPDATE: the Irish GDPR coalition have a nice infographic on information lifecycles under the GDPR] Anyone who has looked at an information security standard is likely to be familiar with the idea of an Information Asset Register. These cover the What and Where of information that an organisation relies on: what information do we hold, […]

Category: Articles

Federated Access Management and the GDPR

[this article is based on the draft text published by the European Council on 28th January 2016. Recital and article numbers, at least, will change before the final text] When individuals register to access a website or other on-line service, it’s common to have to provide a significant amount of personal data. Some of this […]

Category: Articles

Incident Response and the GDPR

The Commission’s original draft Regulation included explicit support for the work of computer security and incident response teams, recognising that such activities were a legitimate interest that involved processing of personal data. Furthermore the legal requirements implied by using the legitimate interests justification (notably ensuring that those interests not be overridden by the rights and […]

Category: Presentations

Referendum: has the GDPR gone away?

A few hours after the result of Thursday’s referendum on membership of the European Union, I gave a presentation on the significance of the EU’s General Data Protection Regulation, due to come into force in May 2018. That might seem a waste of time, but my suggestion was that the referendum result might in fact […]

Category: Closed Consultations

Privacy online: is a separate Directive still needed?

Now that the General Data Protection Regulation has been completed, the European Commission is reviewing the ePrivacy Directive. This law was introduced in 2002 as part of the telecommunications framework, and it was recognised at the time that it was likely to be largely replaced by a future general privacy law. That has taken longer […]

Category: Articles

GDPR: Twelve Steps, Sorted

Although the Information Commissioner’s “Twelve Steps to Prepare” is an excellent guide to what organisations need to do in the eighteen months before the General Data Protection Regulation becomes UK law in May 2018, following them in order from 1 to 12 may not be the best approach. Some of the steps depend on the […]

Category: Articles

ECJ rules in favour of security and incident response

The recent European Court case of Breyer v Germany provides welcome support for those who wish to protect the security of on-line services. The case concerned two questions – whether a website’s logfiles (typically containing time, client IP address, URL requested and result) constituted personal data and, if so, whether data protection law allowed the […]

Category: Articles

Learning Analytics – an updated model

At Jisc’s Learning Analytics Network meeting last month I presented an updated version of my suggested legal model for Learning Analytics. The new version adds the data collection stage(s) and seems to me – both as a sometime system developer and privacy-sensitive student – to provide the kinds of guidance, choices and protections that I’d […]

Category: Publications

Incident Response and the GDPR (Article)

After (too) many years, I’ve turned the ideas from my original TF-CSIRT documents into a formal academic paper, which has just been published in the open access law journal, SCRIPTed: Andrew Cormack, “Incident Response: Protecting Individual Rights Under the General Data Protection Regulation”, (2016) 13:3 SCRIPTed 258 https://script-ed.org/?p=3180 The new General Data Protection Regulation provides […]