Jisc responded to the DCMS consultation on implementing the Research provisions of the GDPR into UK law. The exemptions from certain obligations and data subject rights contained in section 33 of the Data Protection Act 1998 have been vital in enabling long-term research studies, including in health and social sciences, while ensuring the protection of […]
The Department for Culture, Media and Sport has called for views on how the UK should use the “derogations” (i.e. opportunities and requirements for national legislation) contained within the General Data Protection Regulation. The main area where derogations, or the lack of them, could affect the Jisc community is in the application of the GDPR […]
[I’ve updated this 2015 post to refer to the section numbers in the Investigatory Powers Act 2016. As far as I can see, the powers contained in the Act are the same as those proposed in the draft Bill] Over past months there has been various speculation that the Investigatory Powers Bill [now the Investigatory […]
GDPR: Alumni processes
Most universities maintain databases of alumni, for purposes including keeping them informed about the organisation, offering services and seeking donations. These activities have a lot in common with other charities, so the Information Commissioner’s guidance is relevant. Indeed the Information Commissioner’s recent description of using consent-based relationships “to improve [supporters’] level of engagement with your […]
We’ve just responded to the ICO’s request for feedback on Profiling under the General Data Protection Regulation. Thanks to the work we’ve already done on Learning Analytics, we were able to include several examples of good practice in that area, including the Code of Practice we developed with universities and the National Union of Students.
[UPDATE: the Irish GDPR coalition have a nice infographic on information lifecycles under the GDPR] Anyone who has looked at an information security standard is likely to be familiar with the idea of an Information Asset Register. These cover the What and Where of information that an organisation relies on: what information do we hold, […]
Having had my own concerns that the European Commission’s draft e-Privacy Regulation might prevent some activities that are needed by security and incident response teams, it’s very reassuring to see the Article 29 Working Party recommending an explicit broadening of the scope of permitted Network and Information Security (NIS) activities. Strikingly, this comes in an […]
GDPR: A new kind of consent
While some have viewed the General Data Protection Regulation’s approach to consent as merely adjusting the existing regime, the Information Commissioner’s draft guidance suggests a more fundamental change: “a more dynamic idea of consent: consent as an organic, ongoing and actively managed choice, and not simply a one-off compliance box to tick and file away”. […]
[UPDATE] A slightly revised version of this post formed our response to the ICO consultation. The Information Commissioner’s draft guidance on consent makes a surprisingly broad distinction between public and private sector organisations, even when they process the same data for the same purposes. This risks removing important protections when personal data are processed by […]
GDPR: Official CSIRTs?
A couple of organisations have asked me recently whether the General Data Protection Regulation (GDPR) requires them to get some sort of external recognition of their incident response team. Here’s why I don’t think it does. Recital 49 of the Regulation says: The processing of personal data to the extent strictly necessary and proportionate for […]