Categories
Articles

Safe Harbor at the European Court

The European Court’s declaration today that the European Commission’s fifteen-year-old decision on the US Safe Harbor scheme is no longer reliable is another recognition that Data Protection requires continuing assessment, rather than one-off decisions. European regulators have been recommending for years that neither data controllers nor companies to which they export data should […]

Information Security and the Data Protection Regulation

The new European Data Protection Regulation is relevant to many areas of our work. Yesterday I had the opportunity to look at its likely effect on information security at a Jisc Special Interest Group meeting. For now, we’re still working from the three draft texts published by the European Commission in 2012, the Parliament in […]

Vulnerability Coordination – a maturity model

Vulnerability handling – how organisations deal with reports of security weaknesses in their software and systems – is a field that has developed a lot in my time working for Janet. When I started most organisations received reports and fixed vulnerabilities on an ad hoc basis, if at all. Now we have guidelines on policies, […]

Information Commissioner on Alternatives to Consent

A helpful comment on page 3 of the Information Commissioner’s discussion of the latest (Council) draft of the General Data Protection Regulation: We reiterate our view that there must be realistic alternatives to consent – for example ‘legitimate interests’ where the data processing is necessary to provide the goods or services that an individual has […]

Disclosing personal data for criminal investigations

The Information Commissioner has published updated and extended guidance on the use of the Data Protection Act’s “section 29” exemption, based on cases and wider experience. This exemption is often used to release personal information (such as computer or network logs) to the police or other authorities investigating crimes, so sections 33-52 in particular are […]

A Question of Trust?

A question that comes up from time to time when discussing federated access management is “how can I rely on another organisation to manage accounts for me?”. Federation saves services the trouble of managing user accounts by instead delegating the job to an external identity provider, but it’s entirely reasonable to think carefully about that. […]

Phishing exercises?

Recently I had a thought-provoking discussion on Twitter (thanks to my guides) on the practice of setting your users phishing tests: sending them e-mails that tempt them to do unsafe things with their passwords, then providing feedback. I’ve always been deeply ambivalent about this. Identifying phishing messages is hard (see how you do on OpenDNS’s […]

Prevent Duty for FE/HE: Current position (July 2015)

With Parliament now on its summer break, the legal position under the Counter-Terrorism and Security Act 2015 is unlikely to change till September. That makes this a good time for HE and FE providers in England, Wales and Scotland (the duty doesn’t cover Northern Ireland – see s51(1)) to review the guidance that has been […]

Network Neutrality and Network Security

There’s a tension between network neutrality – essentially the principle that a network should be a dumb pipe that treats every packet alike – and network security, which may require some packets to be dropped to protect either the network or its users. Some current attacks simply can’t be dealt with by devices at the […]

Data Protection Regulation – now there are three

After more than three years of discussion, all three components of the European law-making process have now produced their proposed texts for what a General Data Protection Regulation should look like. The Council of Ministers’ version published last week adds to the Commission’s 2012 original and the Parliament text (unofficial consolidated version) agreed last March. […]