Categories
Articles

Legitimate Interests and Federated Access Management

I only wish the Article 29 Working Party had published their Opinion on Legitimate Interests several years ago, as it could have saved us a lot of discussion in the federated access management community. Any organisation that processes personal data needs to  have a legal justification for this; in access management that applies both to […]

Categories
Articles

Reducing the Impact of Privacy Breaches

At present only public telecommunications providers are required by European law to notify their customers of security breaches affecting their privacy, including breaches that the confidentiality, integrity or availability of personal data. In the UK the Information Commissioner has published recommendations on handling privacy breaches, including when to notify those affected. Requirements to notify privacy […]

Categories
Articles

Low-risk identifiers in Access Management

The Information Commissioner’s analysis of the European Parliament’s amendments to the draft Data Protection Regulation discusses the wide range of information that falls within the definition of “personal data” and gives examples that seem particularly relevant to identity federations. The Information Commissioner considers that identifiers pose a higher privacy risk if they are “interoperable”. Since […]

Categories
Articles

Travelling with encrypted devices

Most portable devices – laptops, smartphones and memory sticks – should be encrypted so that the information they contain is protected if the device is lost or stolen. Many countries (including the UK) give their immigration and other authorities legal powers to demand that you decrypt an encrypted device though given the number of laptops […]

Categories
Articles

Everything by consent?

As a privacy-sensitive person, I’m concerned that the trend in European Data Protection law seems to be to place more and more weight on my consent as justification for processing my personal data. In theory that sounds fine – given full information and a free choice, I can decide whether or not I’m willing for […]

Categories
Articles

Clouds and the draft Data Protection Regulation

At the moment both cloud computing providers and their business customers in Europe have to deal with at least twenty-eight different interpretations of Data Protection law. And there are nearly as many different national rules and formalities when using non-European cloud providers (the UK approach is described in the Information Commissioner’s Guide to Cloud Computing). […]

Categories
Articles

Legislating for Indirectly-linked identifiers

A law that promotes Privacy by Design and Data Minimisation ought to encourage the use of indirectly-linked identifiers, which allow processing to be done separate from, or even without, the ability to identify the person whose information is being processed. However European Data Protection law has never really worked out what these identifiers are. The […]

Categories
Presentations

Federated Access Management: Legal Developments

At the VAMP workshop last week I was asked to review legal developments that might affect access management federations. On the legislative side the new European Data Protection Regulation seems to be increasingly mired in politics. The Commission’s proposed law from January 2012 needs to be discussed with the European Parliament and Council of Ministers […]

Categories
Articles

Managing Incident Response in Identity Federations

In talking with service providers at this week’s conferences on federated access management in Helsinki it’s become apparent that many of them are asking identity providers to supply not only the information that they need for normal operations, but also information that will only actually be needed if a problem occurs. For example it seems […]

Categories
Articles

Bins, MACs and Privacy Law

A recent news story reported that a small number of litter bins in London were collecting a unique identifier from passing mobile phones and using these for some sort of “footfall analysis”. There doesn’t seem to be much detail about the plans: it struck me that a helpful application could perhaps be look for the […]