I was recently asked how the GDPR's Right to Erasure would affect backups and archives. However, that right, created by Article 17 of the GDPR, only arises when a data controller no longer has a legal basis for processing personal data. Provided an organisation is implementing an appropriate backup and archiving strategy, that shouldn't happen.
Most of us are familiar with the recorded messages at the start of phone calls that warn "this call may be recorded for compliance and training purposes". Some may recognise it as meeting the requirement to notify callers under the snappily titled Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. But the data protection implications of call recording are perhaps more interesting.
Many, perhaps most, wifi access services want to perform some sort of authentication of the people who use them (for those providing connectivity via Janet, it's a requirement of the Eligibility Policy).
Jisc provides a lot of different services: too many for us to look at each one from scratch before the General Data Protection Regulation comes into force next May. Instead, we've identified four different patterns that seem to cover the majority of services. We hope that having a common set of expectations for each pattern will simplify discussions with service managers, customers and users.
Looking at yet another of those web registration forms that seems to collect more data than required, it occurred to me that there might be quite a neat way to meet the General Data Protection Regulation's requirements for positive, recorded consent.
The Article 29 Working Party has produced new guidance on data processing in the workplace, to account for the very significant changes that have occurred since their previous guidance in 2001. Although the focus is on "employee monitoring", it is likely to be relevant to other situations where an organisation has significant power over those who use its premises and equipment. The guidance considers the requirements under both the Data Protection Directive and, from next year, the GDPR.
An interesting query arrived about when to advertise role-based, rather than individual, e-mail addresses. Do role-based ones feel too impersonal, for example, because senders don't know who they are dealing with?
A question recently arose about monitoring students' attendance at lectures and tutorials, and how this fitted into data protection law. Since the main purpose of such monitoring seems to be to identify and assist students who don't attend, and whose presence is therefore not recorded or processed, there seem to be a number of both practical and legal issues to think about.
I was interested to spot that the Article 29 Working Party visited the question of "public authorities" back in 2014, on page 23 of their Opinion on Legitimate Interests.
To mark one year to go till the General Data Protection Regulation comes into force, we've published an article on "How Universities and Colleges Should be Preparing for New Data Regulations" on the Jisc website.