Thoughts on regulatory and ethical issues relating to the use of technology in education and research
Some of the General Data Protection Regulation’s requirements on data controllers apply no matter which legal basis for processing is being used. For example there are common requirements on information given to data subjects; breach notification and rights of access and rectification will normally apply to all personal data. However other requirements are specific to […]
The Article 29 Working Party’s final guidance on implementing the right to portability is a significant improvement on the previous draft. The Working Party appear to have recognised the significant risk involved in making large collections of personal data available through on-line interfaces, and that other approaches will be more suitable for most data controllers. […]
The Digital Economy Act 2017 contains sections relating to content filtering by “Internet Service Providers” (ISPs) and “Internet Access Providers” (IAPs). However both terms are derived from (and subsets of) the European definition of Public Electronic Communications Services, so will not apply to Janet or customer networks that are not available to members of the […]
[I’ve updated this 2015 post to refer to the section numbers in the Investigatory Powers Act 2016. As far as I can see, the powers contained in the Act are the same as those proposed in the draft Bill] Over past months there has been various speculation that the Investigatory Powers Bill [now the Investigatory […]
Most universities maintain databases of alumni, for purposes including keeping them informed about the organisation, offering services and seeking donations. These activities have a lot in common with other charities, so the Information Commissioner’s guidance is relevant. Indeed the Information Commissioner’s recent description of using consent-based relationships “to improve [supporters’] level of engagement with your […]
[UPDATE: the Irish GDPR coalition have a nice infographic on information lifecycles under the GDPR] Anyone who has looked at an information security standard is likely to be familiar with the idea of an Information Asset Register. These cover the What and Where of information that an organisation relies on: what information do we hold, […]
Having had my own concerns that the European Commission’s draft e-Privacy Regulation might prevent some activities that are needed by security and incident response teams, it’s very reassuring to see the Article 29 Working Party recommending an explicit broadening of the scope of permitted Network and Information Security (NIS) activities. Strikingly, this comes in an […]
While some have viewed the General Data Protection Regulation‘s approach to consent as merely adjusting the existing regime, the Information Commissioner’s draft guidance suggests a more fundamental change: “a more dynamic idea of consent: consent as an organic, ongoing and actively managed choice, and not simply a one-off compliance box to tick and file away”. […]
A couple of organisations have asked me recently whether the General Data Protection Regulation (GDPR) requires them to get some sort of external recognition of their incident response team. Here’s why I don’t think it does. Recital 49 of the Regulation says: The processing of personal data to the extent strictly necessary and proportionate for […]
Organisations connecting to Janet are required to implement three policies: the Eligibility Policy determines who may be given access to the network; the Security Policy sets out responsibilities for protecting the security of the network and its users; the Acceptable Use Policy identifies a small number of activities that are not permitted on the network. […]