Categories
Articles

Pseudonyms and Data Protection

The Information Commissioner’s consultation on an Anonymisation Code of Practice is mainly concerned with the exchange or publication of datasets derived from personal data. However, it once again highlights the long-standing confusion around the treatment of pseudonyms under Data Protection law. A pseudonym is an identifier (often randomly generated) whose value is unique to me, […]

Categories
Articles

Draft EU Regulation on eIdentities

The European Commission have proposed a draft eIdentity Regulation, to replace the current eSignatures Directive (99/93/EC). While the proposal is mostly concerned with inter-operability of national electronic IDs and improving the legal significance of digital signatures, timestamps, documents, etc., there are also some new requirements on “trust service providers”. According to Article 3(12), Trust Services […]

Categories
Articles

Choosing the Right Identifier

In discussing a legal framework for federated access management we’ve concluded that the right approach to use as a basis for exchanging attributes is that a particular attribute is “necessary” to provide a service. That implies both that service providers shouldn’t ask for attributes they don’t need, and also that where there is a choice […]

Categories
Articles

Access Management can replace walls :-)

I was interested to see both “Shibboleth” and “Athens” being mentioned in a consultation on extending the educational use exemption for re-playing recordings of broadcast programmes, sound recordings and films. At the moment sections 35 & 36 of the Copyright, Designs and Patents Act 1988 permit recordings to be re-played as part of teaching in […]

Categories
Presentations

Consent – the last resort?

I did a presentation at the EEMA eID Interoperability conference last month on alternatives to “consent” in federated access management. At the moment consent seems to be the most often cited justification for processing personal data – websites frequently say that “by using this site you consent to…”. The problem with this is that the […]

Categories
Closed Consultations

MoJ Evidence on EC Data Protection proposal

I’ve just sent in a Janet Submission to the Ministry of Justice’s Call for Evidence on the EU Data Protection proposals. Our response mentions the good and bad things about the proposal, as discussed here previously, for Internet Identifiers: still no clarity on when IP addresses etc. are personal data, but at least more realistic […]

Categories
Articles

Data Protection Proposal: Federated Access Management

The European Commission’s proposed Data Protection Regulation supports recent thinking in moving away from using consent as a basis for federated access management systems. The consent of the data subject is still one of the legitimate grounds for processing personal data but it cannot be used “where there is a significant imbalance” between the organisation […]

Categories
Articles

Europe’s Data Protection Proposal

Last week the European Commission published their proposed new Data Protection legislation. This will now be discussed and probably amended by the European Parliament and Council of Ministers before it becomes law, a process that most commentators expect to take at least two years. There’s a lot in the proposal so this post will just […]

Categories
Articles

Processing personal data for third party interests

An interesting reminder from the European Court of Justice (ECJ) that the Data Protection Directive (95/46/EC) is supposed to make processing and exchanging personal data easier as well as safer. The Directive contains a number of different reasons justifying processing of personal data (gathered together as Schedule 2 of the UK Data Protection Act 1998), […]

Categories
Articles

The Definition of Consent

Although consent is a key concept in Data Protection, discussions of it often seem confused and legal interpretations inconsistent. For example, the European Commission has in the past called both for a crackdown on the over-use of consent and for all processing of personal data to be based on consent! A new Opinion on the […]