Thoughts on regulatory and ethical issues relating to the use of technology in education and research
It’s pretty clear from the context and implications that when European legislators wrote “public authority” into the General Data Protection Regulation they didn’t mean the same as the drafters of the UK’s Freedom of Information Acts. “Public authority” isn’t defined in the Regulation and I’ve not been able to find it in any other European […]
I was recently asked how the GDPR’s Right to Erasure would affect backups and archives. However that right, created by Article 17 of the GDPR, only arises when a data controller no longer has a legal basis for processing personal data. Provided an organisation is implementing an appropriate backup and archiving strategy, that shouldn’t happen. […]
Most of us are familiar with the recorded messages at the start of phone calls that warn “this call may be recorded for compliance and training purposes”. Some may recognise it as meeting the requirement to notify callers under the snappily titled Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. But the data protection […]
Many, perhaps most, wifi access services want to perform some sort of authentication of people who use them (for those providing connectivity via Janet, it’s a requirement of the Network Connection Policy). Since authentication involves some processing of personal data, it’s worth reviewing how different ways of doing that might be affected (or not) by […]
Jisc provides a lot of different services: too many for us to look at each one from scratch before the General Data Protection Regulation comes into force next May. Instead, we’ve identified four different patterns that seem to cover the majority of services. We hope that having a common set of expectations for each pattern […]
Looking at yet another of those web registration forms that seems to collect more data than required, it occurred to me that there might be quite a neat way to meet the General Data Protection Regulation’s requirements for positive, recorded consent. First step, as with anything under the GDPR, it to think about which information […]
The Article 29 Working Party has produced new guidance on data processing in the workplace, to account for the very significant changes that have occurred since their previous guidance in 2001. Although the focus is on “employee monitoring”, it is likely to be relevant to other situations where an organisation has significant power over those […]
An interesting query arrived about when to advertise role-based, rather than individual, e-mail addresses. Do role-based ones feel too impersonal, for example, because senders don’t know who they are dealing with? I’ve been recommending the benefits of role-based e-mail addresses, such as service@jisc.ac.uk for a long time. From a legal point of view they avoid […]
A question recently arose about monitoring students’ attendance at lectures and tutorials, and how this fitted into data protection law. Since the main purpose of such monitoring seems to be to identify and assist students who don’t attend, and whose presence is therefore not recorded or processed, there seem to be a number of both […]
I was interested to spot that the Article 29 Working Party visited the question of “public authorities” back in 2014, on page 23 of their Opinion on Legitimate Interests. There they note that there are two possible interpretations of the (then draft) General Data Protection Regulation’s (GDPR) rule that public authorities may not use legitimate […]