The Information Commissioner’s new guidance on Consent under the General Data Protection Regulation contains some useful guidance for universities and colleges in particular.
[Update: a Government amendment to Clause 6 of the Bill appears to confirm that this is their intended interpretation :)]
The Article 29 Working Party of European data protection supervisors has published the final version of its Guidelines on Data Protection Impact Assessments (DPIAs). These build on the long-standing concept of Privacy Impact Assessments, being similar to normal risk assessments but looking at risks to the individuals whose data are being processed, rather than to the organisation doing the processing.
I was interested to spot that the Article 29 Working Party visited the question of "public authorities" back in 2014, on page 23 of their Opinion on Legitimate Interests.
The Department for Culture, Media and Sport has called for views on how the UK should use the "derogations" (i.e. opportunities and requirements for national legislation) contained within the General Data Protection Regulation. The main area where derogations, or the lack of them, could affect the Jisc community is in the application of the GDPR to research data. We have therefore recommended that the UK Government should:
Now that the General Data Protection Regulation has been completed, the European Commission is reviewing the ePrivacy Directive. This law was introduced in 2002 as part of the telecommunications framework, and it was recognised at the time that it was likely to be largely replaced by a future general privacy law.
Last October the European Court of Justice confirmed that websites do have a legitimate interest in security that may justify the processing of personal data. That case (Breyer) overruled a German law that said websites could only process personal data for the purpose of delivering the pages requested by users. As far as I know, everywhere else in Europe the use of logs to secure websites is accepted as lawful.
While some have viewed the General Data Protection Regulation's approach to consent as merely adjusting the existing regime, the Information Commissioner's draft guidance suggests a more fundamental change: "a more dynamic idea of consent: consent as an organic, ongoing and actively managed choice, and not simply a one-off compliance box to tick and file away".
[UPDATE] a slightly revised version of this post formed our response to the ICO consultation.
