Although the Article 29 Working Party seem to have had applications such as incident response in mind when drafting their guidance on exports, that guidance could also be helpful in the field of federated authentication. This technology allows an “identity provider” such as a university or college to assure a “service provider” such as a […]
Month: February 2018
Categories
GDPR: sending incident reports overseas
When incident response teams (CSIRTs) detect an attack on their systems, they normally report details back to the network or organisation from which the attack comes. This can have two benefits for the reporter: in the short term, making the attack stop; in the longer term helping that organisation to improve the security of its […]
The Article 29 Working Party’s guidance on Breach Notification suggests some things we should do before a security breach occurs. The GDPR expects data controllers, within 72 hours of becoming aware of any security breach, to determine whether there is a risk to individuals and, if so, to report to the national Data Protection Authority. […]
Article 22 of the GDPR contains a new, and oddly-worded, “right not to be subject to a decision based solely on automated processing”. This only applies to decisions that “produce[] legal effects … or similarly significantly affect[]” the individual. Last year, the Article 29 Working Party’s draft guidance on interpreting this Article noted that an […]
In thinking about the legal arrangements for Jisc’s learning analytics services we consciously postponed incorporating medical and other information that Article 9(1) of the General Data Protection Regulation (GDPR) classifies as Special Category Data (SCD): “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing […]