Categories
Articles

Brexit and GDPR

Under current plans the UK will become – for data protection purposes – a “third country” when it leaves the EU. Although the UK Government has stated that the rules for transferring personal data from the UK to the EU will remain the same, any transfers from the EU to the UK will need to […]

Categories
Presentations

Explorations in GDPR

With the GDPR having now been in force for more than six months, my talk at this week’s EUNIS workshop looked at some of the less familiar corners of the GDPR map. In particular, since EUNIS provided an international audience, I was looking for opportunities to find common, or at least compatible, approaches across the […]

Categories
Articles

Investigatory Powers Act – process details

The Government’s powers to make orders relating to information about communications have now moved from the Regulation of Investigatory Powers Act 2000 to the Investigatory Powers Act 2016. The associated Code of Practice provides useful information on the process for issuing three types of notice in particular: Communications Data Requests, Technical Capabilities Orders and Data Retention […]

Categories
Presentations

Information Sharing and GDPR

I’ve been asked a number of times whether GDPR affects the sharing of information between incident response teams. This slideset from a recent RUGIT Security meeting discusses how GDPR encourages sharing to improve security, and provides a rule of thumb for deciding when the benefit of sharing justifies the data protection risk. Information Sharing and […]

Categories
Presentations

Assessing the DP Impact of Jisc Security Services

At last week’s Jisc Security Conference I presented a talk on how we’ve assessed a couple of Jisc services (our Security Operations Centre and Penetration Testing Service) from a data protection perspective. The results have reassured us that these services create benefits rather than risks for Jisc, its customers and members, and users of the […]

Categories
Articles

ePrivacy Regulation: better news for online security

Some good news from the draft ePrivacy Regulation. More than a year after I pointed out that the Regulation could inadvertently prohibit websites and other Internet-connected services from using logfiles to secure their services, the Council of Ministers’ latest (20th September 2018) draft explicitly recognises the problem. Recital 8 now includes the positive statement that: […]

Categories
Articles

Learning Analytics: Information Filtering

An interesting observation made by a Dutch colleague earlier this week. The arrows in my standard model of learning analytics (here rearranged and recoloured to match the “swimlane” visualisation of the learning process) all mark “gatekeeper” points where information flow is filtered and reduced. Between Collection and Analysis there’s a necessity/relevance filter so that not […]

Categories
Articles

Penetration Testing – Legitimate Interests Assessment

In developing our Data Protection Impact Assessment for the Janet Security Operations Centre we noted that our Penetration Testing service could involve high risks, but didn’t really fit the DPIA framework. Penetration tests are much smaller scale than the SOC; they are commissioned by individual Jisc customers, usually on only parts of their operations; and […]

Categories
Articles

Learning Analytics: a new visualisation

Recently I’ve been presenting our suggested legal framework for learning analytics to audiences involved in teaching, rather than legal people. For that I’ve been trying out a different visualisation, which considers the teaching process as involving three layers: Teaching itself (red): during which we process the personal data that’s needed to help students learn. The […]

Categories
Articles

Progress Report: ePrivacy Regulation

Alongside the 1995 Data Protection Directive (DPD) sat the 2002 ePrivacy Directive (ePD), explaining how the DPD should be applied in the specific context of electronic communications. In fact, particularly after it was amended in 2009, the ePD did a bit more than that, as it turned out to be a convenient place to insert […]