Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site. ... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

No cookies to display.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

No cookies to display.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

No cookies to display.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

No cookies to display.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

No cookies to display.

Categories
Articles

Hacking the law for Federated Access Management

One definition of a “hacker”, according to Wikipedia, is someone “who makes innovative customizations or combinations of retail electronic and computer equipment”. I was recently asked by TERENA to have a think about the legal issues around using federated access management to control access to resources in eResearch. This has quickly come to feel like […]

Categories
Articles

Clouds and Law: Work to Do

A new Opinion on Cloud Computing from the Article 29 Working Party highlights a number of difficulties in applying current data protection law to the cloud computing model and suggests that changes are needed both to cloud contracts and to European law. The main concerns are over lack of control by the client using the […]

Categories
Articles

Pseudonyms and Data Protection

The Information Commissioner’s consultation on an Anonymisation Code of Practice is mainly concerned with the exchange or publication of datasets derived from personal data. However it once again highlights the long-standing confusion around the treatment of pseudonyms under Data Protection law. A pseudonym is an identifier (often randomly generated) whose value is unique to me, […]

Categories
Articles

Choosing the Right Identifier

In discussing a legal framework for federated access management we’ve concluded that the right approach to use as a basis for exchanging attributes is that a particular attribute is “necessary” to provide a service. That implies both that service providers shouldn’t ask for attributes they don’t need, and also that where there is a choice […]

Categories
Articles

How to think about privacy

I’ve been pointed to an interesting article by Alexis Madrigal about the work of Helen Nissenbaum, an American philosopher who has been looking at what “privacy” actually means, and what sort of things cause us to feel that our privacy has been invaded. A lot of discussion (and most of EU data protection law) assumes […]

Categories
Articles

Government CERTs and Information Sharing

I’ve had three discussions in two days about whether Government CERTs are different from others, which makes it a FAQ! It seems to me that legislation may be heading that way, and that that could create a potential problem for sharing information. Most CERTs act in the interests of a particular, reasonably well-defined, constituency. However […]

Categories
Publications

Privacy and Incident Response

At a meeting of TERENA’s CSIRT Task Force last week, I presented an updated version of my paper on Privacy and Incident Response. Responding effectively to incidents is essential to protect the privacy and other rights of individuals and organisations that use the Internet: compromises, phishing, etc. clearly infringe those rights. However incident response may […]

Categories
Articles

Article 29 Working Party hints at new approach to Cloud

The Article 29 Working Party have published an interesting toolbox for Binding Corporate Rules (BCR) for Data Processors. BCRs for Data Controllers have been suggested for some time as a way that large multi-national companies can comply with European Data Protection law. By having its internal rules for handling personal data approved as compliant with […]

Categories
Closed Consultations

ICO Draft Guide on personal information online

The Information Commissioner has now launched a draft text for a new guide on Personal Information Online, with an opportunity to comment on the text over the next three months. It’s good to see that some of the issues I raised at a preparatory meeting have been included, so I’d encourage readers to have a […]

Categories
Presentations

Consent – the last resort?

I did a presentation at the EEMA eID Interoperability conference last month on alternatives to “consent” in federated access management. At the moment consent seems to be the most often cited justification for processing personal data – websites frequently say that “by using this site you consent to…”. The problem with this is that the […]