One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Information Commissioner on Alternatives to Consent

Monday, September 7, 2015 - 09:42

A helpful comment on page 3 of the Information Commissioner’s discussion of the latest (Council) draft of the General Data Protection Regulation:

We reiterate our view that there must be realistic alternatives to consent – for example 'legitimate interests' where the data processing is necessary to provide the goods or services that an individual has requested.

That supports the approach we’ve adopted in federated access management – that 'legitimate interests' provides both the most appropriate justification for identity and service providers and the best protection for users. Indeed the ICO's "necessary to provide the … services that an individual has requested" almost exactly matches my wording from last year!

The ICO's comment about "alternatives to consent" also supports something that has been worrying me for a while. If you give consent a higher status than other justifications - as some data protection laws and proposals do - then you encourage data controllers to use consent when it's not appropriate: for example when the processing is necessary for something the individual needs so they can't give free consent anyway. Paradoxically, that actually weakens the protection provided by consent, because those less-than-free consents become legitimised. The common practice of having a single "consent" cover both necessary and optional processing is a good/bad example ("by registering you agree that we can send you advertising…"). Much better for individuals to have necessary processing dealt with under its own, appropriate, justifications, keeping consent for processing that really can be refused.