[Update: a Government amendment to Clause 6 of the Bill appears to confirm that this is their intended interpretation :)] The new Data Protection Bill seems to bring clarity to the question of which legal bases will be available to educational institutions under the General Data Protection Regulation: Clause 6(1) of the Bill states that […]
Categories
Implementing the GDPR
Last week I spoke at the UCISA CISG-PCMG conference on some of the tools we have been using within Jisc to apply the requirements of the GDPR. UCISA has now published a recording of the session, as well as a copy of my slides. The previous day, I did a more detailed presentation on one […]
The Article 29 Working Party’s draft guidance on Breach Notification under the General Data Protection Regulation (GDPR) provides welcome recognition of the need to do incident response and mitigation in parallel with any breach notification rather than, as I’ve been warning since 2012, giving priority to notification. Now the Working Party is explicit that “immediately […]
Categories
GDPR and “cyber security”
Education Technology have just published an article I wrote (though I didn’t choose the headline!) on how security and incident response fit into the General Data Protection Regulation. It aims to be an easy read: if you want something more challenging follow the “incident response protects privacy” link to get the full legal analysis.
Categories
GDPR – Privacy Notices
Although privacy notices are an important aspect of the General Data Protection Regulation, it seems unlikely that we will have final guidance from regulators for several months. Since we need to start rolling out GDPR-friendly privacy notices for Jisc services sooner than that, we’re using what information we have – the GDPR itself, the Information […]
Categories
GDPR: Data Protection Impact Assessments
The Article 29 Working Party of European data protection supervisors has published the final version of its Guidelines on Data Protection Impact Assessments (DPIAs). These build on the long-standing concept of Privacy Impact Assessments, being similar to normal risk assessments but looking at risks to the individuals whose data are being processed, rather than to […]
Categories
European Law on Public Authorities
It’s pretty clear from the context and implications that when European legislators wrote “public authority” into the General Data Protection Regulation they didn’t mean the same as the drafters of the UK’s Freedom of Information Acts. “Public authority” isn’t defined in the Regulation and I’ve not been able to find it in any other European […]
I was recently asked how the GDPR’s Right to Erasure would affect backups and archives. However that right, created by Article 17 of the GDPR, only arises when a data controller no longer has a legal basis for processing personal data. Provided an organisation is implementing an appropriate backup and archiving strategy, that shouldn’t happen. […]
Categories
GDPR: Recording Phone Calls
Most of us are familiar with the recorded messages at the start of phone calls that warn “this call may be recorded for compliance and training purposes”. Some may recognise it as meeting the requirement to notify callers under the snappily titled Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. But the data protection […]
Categories
GDPR: Wifi access
Many, perhaps most, wifi access services want to perform some sort of authentication of people who use them (for those providing connectivity via Janet, it’s a requirement of the Network Connection Policy). Since authentication involves some processing of personal data, it’s worth reviewing how different ways of doing that might be affected (or not) by […]