Last updated: 
3 months 2 weeks ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Personal Information Online

Wednesday, June 6, 2012 - 10:20

The Information Commissioner has now published his Code of Practice on Personal Information Online (also available as PDF), for which we gave early input. It  seems to contain a lot of helpful and pragmatic advice. There are chapters on when the DPA applies, marketing goods and services (including behavioural advertising), providing privacy choices and sensible defaults, operating internationally (including using cloud and other outsourced services), individual rights online and things to avoid. Examples and recommendations are mostly given in the context of designing web services but should be valuable for other types of system as well. This Code of Practice for service operators has a matching guide for users on Protecting Personal Information On-Line.

Throughout, organisations are encouraged to reduce as far as possible the amount of personal data they process, and to be open about what they are doing with it.There is an annex of suggestions on how this can be done, mentioning both pseudonyms and federated access management. There's even a recognition that separating processing and identification can be a privacy gain, which is not how the strict letter of current law regards it.

The Commissioner can't resolve the "practical and sometimes insurmountable difficulties in complying with all aspects of the DPA in respect of non-obvious personal identifiers" - that needs a revision of European law - but he does at least admit that they exist. Having this good practice guidance on the use of 2010 (rather than 1995) technology should both help organisations and developers understand how to do the right thing and help legislators to bring the law up to date with how privacy can and should be protected.