The Government's powers to make orders relating to information about communications have now moved from the Regulation of Investigatory Powers Act 2000 to the Investigatory Powers Act 2016. The associated Code of Practice provides useful information on the process for issuing three types of notice in particular: Communications Data Requests, Technical Capabilities Orders and Data Retention Notices.
I've been asked a number of times whether GDPR affects the sharing of information between incident response teams. This slideset discusses how GDPR encourages sharing to improve security, and provides a rule of thumb for deciding when the benefit of sharing justifies the data protection risk.
At last week's Jisc Security Conference I presented a talk on how we've assessed a couple of Jisc services (our Security Operations Centre and Penetration Testing Service) from a data protection perspective. The results have reassured us that these services create benefits rather than risks for Jisc, its customers and members, and users of the Janet network.
This post links together:
Some good news from the draft ePrivacy Regulation.
An interesting observation made by a Dutch colleague earlier this week. The arrows in my standard model of learning analytics (here rearranged and recoloured to match the "swimlane" visualisation of the learning process) all mark "gatekeeper" points where information flow is filtered and reduced.
In developing our Data Protection Impact Assessment for the Janet Security Operations Centre we noted that our Penetration Testing service could involve high risks, but didn't really fit the DPIA framework.
Recently I've been presenting our suggested legal framework for learning analytics to audiences involved in teaching, rather than legal people. For that I've been trying out a different visualisation, which considers the teaching process as involving three layers:
Alongside the 1995 Data Protection Directive (DPD) sat the 2002 ePrivacy Directive (ePD), explaining how the DPD should be applied in the specific context of electronic communications.
Over recent months the GDPR has given extra weight to concerns - originally expressed by regulators fifteen years ago - about public access to information about individual registrants of DNS domains. This article considers the use of this WHOIS data by those handling information security incidents, and why this represents a benefit, rather than a risk, to the objectives of data protection law.
It's only lunchtime on the first day of the FIRST Conference 2018, and already two talks have stressed the importance and value of reviewing incidents over both the short and long terms. In the very different contexts of an open science research lab (LBNL) and an online business based on IPR (Netflix), a common message applies: "don't have the same incident twice".