Showing Accountability for Personal Data

Friday, December 6, 2019 - 11:26

A few weeks ago I gave a presentation to an audience of university accommodation managers (thanks to Kinetic for the invitation), where I suggested that we should view Data Protection as an opportunity, rather than a challenge.

That may seem strange, given that universities probably have the most complex data flows of any organisation. And there definitely are challenges, resulting from both sides of our hybrid nature as part-business, part public service. From the one we may inherit a feeling that consent is the answer to everything, from the other a tendency to think that data sharing agreements are some kind of magic wand; both sides take us into areas where the legislation is unclear, for example the extent of our public function; research has its own special issues; and there's always a temptation to assume that if "they" are doing something then it must be OK.

But it seems to me that the new General Data Protection Regulation actually creates an opportunity to distinguish ourselves from bad practice in both commercial and government sectors. The GDPR introduces a principle of Accountability, which I summarise as data controllers demonstrating that they have thought about their data processing activities themselves, rather than simply relying on either data subjects' "consent" or "common practice" when it gets to tricky areas. For an organisation practising accountability, the law becomes a guide to how to do things right, rather than a barrier to be worked around in the hope that it will be someone else that gets found out.

A tool we've used to do that is the Data Protection Impact Assessment (DPIA), which has helped us to a better understanding of the complex balance of interests around running a Security Operations Centre, providing a Learning Analytics Service to universities and colleges, and using data to improve support for student Wellbeing and Mental Health. And DPIAs shouldn't just be internal activities: by publishing the resulting reports (with redactions if needed, though so far none have been) we can both demonstrate that we have thought carefully about what we are doing, and reassure users and funders of our services that what we are doing is necessary, proportionate, beneficial and appropriately protected.

The positive response we've had from law-makers and regulators, as well as users and funders, suggests that this is indeed a distinctive and welcome approach.