Categories: Articles

GDPR: Official CSIRTs?

A couple of organisations have asked me recently whether the General Data Protection Regulation (GDPR) requires them to get some sort of external recognition of their incident response team. Here’s why I don’t think it does. Recital 49 of the Regulation says: The processing of personal data to the extent strictly necessary and proportionate for […]

Categories: Articles

Consent for Learning Analytics: Practical Guidelines

Recently I’ve been doing some work with Niall Sclater on how education organisations might inform students about the use of learning analytics, and when they might seek students’ consent. The resulting blog post is at https://analytics.jiscinvolve.org/wp/2017/02/16/consent-for-learning-analytics-some-practical-guidance-for-institutions/

Categories: Closed Consultations

Jisc Response to Article 29 Working Party on Right to Portability

These are Jisc’s comments on the Article 29 Working Party’s Guidelines on the Right to Data Portability (WP242). Jisc is the UK’s expert body for digital technology and digital resources in higher education, further education and research. Since its foundation in the early 1990s, Jisc has played a pivotal role in the adoption of information […]

Categories: Closed Consultations

Portability right: a data protection challenge

[Update: Jisc has responded to the Working Party’s invitation to comment on these guidelines] The General Data Protection Regulation contains one new right for individuals – data portability (Article 20). Some commentators have suggested that this is just a digital form of the existing subject access right, but the Article 29 Working Party’s new guidance […]

Categories: Publications

Incident Response and the GDPR (Article)

After (too) many years, I’ve turned the ideas from my original TF-CSIRT documents into a formal academic paper, which has just been published in the open access law journal, SCRIPTed: Andrew Cormack, “Incident Response: Protecting Individual Rights Under the General Data Protection Regulation”, (2016) 13:3 SCRIPTed 258 https://script-ed.org/?p=3180 The new General Data Protection Regulation provides […]

Categories: Articles

Learning Analytics – an updated model

At Jisc’s Learning Analytics Network meeting last month I presented an updated version of my suggested legal model for Learning Analytics. The new version adds the data collection stage(s) and seems to me – both as a sometime system developer and privacy-sensitive student – to provide the kinds of guidance, choices and protections that I’d […]

Categories: Articles

GDPR: Twelve Steps, Sorted

Although the Information Commissioner’s “Twelve Steps to Prepare” is an excellent guide to what organisations need to do in the eighteen months before the General Data Protection Regulation becomes UK law in May 2018, following them in order from 1 to 12 may not be the best approach. Some of the steps depend on the […]

Categories: Articles

ECJ rules in favour of security and incident response

The recent European Court case of Breyer v Germany provides welcome support for those who wish to protect the security of on-line services. The case concerned two questions – whether a website’s logfiles (typically containing time, client IP address, URL requested and result) constituted personal data and, if so, whether data protection law allowed the […]

Categories: Publications

Downstream Consent: A better legal framework for big data

Abstract: Reconciling big data techniques with a legal approach relying on prior consent has proved difficult. By definition, when organisations collect personal information for data-led investigations they do not know what the results and impact of their processing will be. This paper suggests how other parts of the current European data protection framework can provide […]

Categories: Articles

Data exports: update in 2017

The latest announcement from the Article 29 Working Party on the US-EU Privacy Shield also suggests that there shouldn’t be any short-term surprises for those using the other justifications for exporting personal data to the USA. The European Court judgment that invalidated the Safe Harbor agreement in 2015 was concerned, among other things, with the […]