Categories
Publications

GDPR: How to Prepare

To mark one year to go till the General Data Protection Regulation comes into force, we’ve published an article on “How Universities and Colleges Should be Preparing for New Data Regulations” on the Jisc website.

Categories
Articles

GDPR: notices and processes

Some of the General Data Protection Regulation’s requirements on data controllers apply no matter which legal basis for processing is being used. For example there are common requirements on information given to data subjects; breach notification and rights of access and rectification will normally apply to all personal data. However other requirements are specific to […]

Categories
Articles

GDPR: Portability Right Guidance

The Article 29 Working Party’s final guidance on implementing the right to portability is a significant improvement on the previous draft. The Working Party appear to have recognised the significant risk involved in making large collections of personal data available through on-line interfaces, and that other approaches will be more suitable for most data controllers. […]

Categories
Closed Consultations

Jisc response to DCMS consultation on GDPR Research implementation

Jisc responded to the DCMS consultation on implementing the Research provisions of the GDPR into UK law. The exemptions from certain obligations and data subject rights contained in section 33 of the Data Protection Act 1998 have been vital in enabling long-term research studies, including in health and social sciences, while ensuring the protection of […]

Categories
Closed Consultations

DCMS call for views on GDPR derogations

The Department for Culture, Media and Sport has called for views on how the UK should use the “derogations” (i.e. opportunities and requirements for national legislation) contained within the General Data Protection Regulation. The main area where derogations, or the lack of them, could affect the Jisc community is in the application of the GDPR […]

Categories
Articles

GDPR: Alumni processes

Most universities maintain databases of alumni, for purposes including keeping them informed about the organisation, offering services and seeking donations. These activities have a lot in common with other charities, so the Information Commissioner’s guidance is relevant. Indeed the Information Commissioner’s recent description of using consent-based relationships “to improve [supporters’] level of engagement with your […]

Categories
Closed Consultations

ICO request for feedback on profiling under the GDPR

We’ve just responded to the ICO’s request for feedback on Profiling under the General Data Protection Regulation. Thanks to the work we’ve already done on Learning Analytics, we were able to include several examples of good practice in that area, including the Code of Practice we developed with universities and the National Union of Students.

Categories
Articles

GDPR: moving to Information Lifecycle Registers?

[UPDATE: the Irish GDPR coalition have a nice infographic on information lifecycles under the GDPR] Anyone who has looked at an information security standard is likely to be familiar with the idea of an Information Asset Register. These cover the What and Where of information that an organisation relies on: what information do we hold, […]

Categories
Articles

GDPR: A new kind of consent

While some have viewed the General Data Protection Regulation’s approach to consent as merely adjusting the existing regime, the Information Commissioner’s draft guidance suggests a more fundamental change: “a more dynamic idea of consent: consent as an organic, ongoing and actively managed choice, and not simply a one-off compliance box to tick and file away”. […]

Categories
Closed Consultations

What’s the data protection difference between public and private sectors?

[UPDATE] a slightly revised version of this post formed our response to the ICO consultation. The Information Commissioner’s draft guidance on consent makes a surprisingly broad distinction between public and private sector organisations, even when they process the same data for the same purposes. This risks removing important protections when personal data are processed by […]