Category: Presentations

Anonymous: why and how, rather than when?

Following my Networkshop talk on logfiles, I was asked at what point logfiles can be treated as “anonymous” under data protection law. Since the GDPR covers all kinds of re-identification, as well as data that can “single out” an individual even without knowing their name, that’s a good CompSci/law question: the work of Paul Ohm […]

Category: Presentations

Porridge, Bears and Logfiles

Two common concerns in incident response are (a) not having the data needed to investigate an incident and (b) not being able to find signs of incidents in a mass of other data. My Networkshop talk (see “Making IT Safer… Safely”) looked at how the GDPR principles might help us to get it, like Goldilocks’ […]

Category: Articles

Data Protection expectations on Vulnerability Management

Legal cases aren’t often a source for guidance on system management but, thanks to the cooperation of the victims of a ransomware attack, a recent Monetary Penalty Notice (MPN) from the Information Commissioner (ICO) is an exception. Vulnerability management was mentioned in previous MPNs (e.g. Carphone Warehouse, Cathay Pacific, and DSG), but they don’t go […]

Category: Articles

Explaining Network Telemetry

Today’s GEANT Telemetry and Data Workshop featured a really interesting series of talks on how to gather and share information about the performance of networks. One of the most positive things was a clear awareness that this information can be sensitive both to individuals and to connected organisations. So, as the last speaker, I decided […]

Category: Articles

Right to Object: Public Interest Processing

GDPR Article 21 provides a “right to object” whenever personal data are processed based on either Legitimate Interests or Public Interests. In both cases, an individual can highlight “grounds relating to his or her personal situation” and require the data controller to consider whether there remain “compelling legitimate grounds for the processing which override the […]

Category: Articles

Right to Object: an Opportunity to Improve?

I was invited to contribute to a seminar on the Right to Object (RtO). Normally this GDPR provision is seen as a way to prevent harm to a particular individual because of their special circumstances. But I wondered whether data controllers could also use the RtO process as an opportunity to review whether their processing […]

Category: Articles

Information sharing, trust, and more…

Using and sharing information can create benefits, but can also cause harm. Trust can be an amplifier in both directions: with potential to increase benefit and to increase harm. If your data, purposes and systems are trusted – by individuals, partners and society – then you are likely to be offered more data. By choosing […]

Category: Articles

Managing the risks of Subject Access

My LLM dissertation (published ($$) in 2016 as “Is the Subject Access Right Now Too Great a Threat to Privacy?”) discussed the challenge of reliably identifying a data subject who you only know through pseudonymous digital channels or identifiers. Others have conducted practical experiments, finding that it would, indeed, be relatively easy to use GDPR […]

Category: Articles

Do we need a “Right of (Data) Decay”?

I’ve been reading about Slow Computing and the need for ‘digital forgetting’. But, unlike the GDPR Right to Erasure, human forgetting isn’t clean: more often involving uncertainty rather than simple elimination. That leaves our database in a different state: whereas digital erasure has no effect on the records that remain, much of our human memory […]

Category: Articles

Entangled personal data: what if it’s not only mine?

Feedback and performance review are routine parts of many employment relationships. So it’s surprising to find that they take us into obscure corners of data protection law. Regulators have been clear for more than a decade that an opinion about someone is personal data, but there has been much less exploration of the fact that […]