Access Management

25 June 2015 at 4:25pm

Europe's Data Protection Proposal

Andrew Cormack
Access Management
Breach Notification
Cloud computing
Data Protection Regulation
Privacy
incident response
Last week the European Commission published their proposed new Data Protection legislation. This will now be discussed and probably amended by the European Parliament and Council of Ministers before it becomes law, a process that most commentators expect to take at least two years. There's a lot in the proposal so this post will just cover the general themes.
Read more
6 June 2012 at 11:06am

Processing personal data for third party interests

Andrew Cormack
Access Management
Data Protection Directive
Privacy
incident response
An interesting reminder from the European Court of Justice (ECJ) that the Data Protection Directive (95/46/EC) is supposed to make processing and exchanging personal data easier as well as safer.
Read more
6 June 2012 at 10:57am

The Definition of Consent

Andrew Cormack
Access Management
Data Protection Act
Data Protection Directive
Privacy
Although consent is a key concept in Data Protection, discussions of it often seem confused and legal interpretations inconsistent. For example the European Commission has in the past called both for a crackdown on the over-use of consent and for all processing of personal data to be based on consent!
Read more
6 June 2012 at 1:45pm

Privacy Riskiness for Access Management

Andrew Cormack
Access Management
Data Protection Directive
Privacy
On a privacy course I teach for system and network managers I suggest a scale of "privacy riskiness", the idea there being that if you can achieve an objective using information from lower down the scale then you run less risk of upsetting your users and/or being challenged under privacy law. That scale is very much a rule of thumb, derived by a kind of reverse engineering from various bits of European and UK telecommunications law by assuming that the more conditions a law places on a particular type of information, the more privacy invasive it is.
Read more
6 June 2012 at 10:55am

Explaining Attribute Release

Andrew Cormack
Access Management
Data Protection Directive
Privacy
Federated access management can make things nice and simple for both the user and the service they are accessing. By logging in to their home organisation the user can have that organisation release relevant information to the service - "I am a student", "this is my e-mail address" and so on. And because that information comes from the organisation, the service is likely to consider it more reliable than information self-asserted by the individual user (especially if being a student entitles you to benefits such as site licences, reduced prices, etc.).
Read more
6 June 2012 at 10:51am

US/EU Data Protection Comparison

Andrew Cormack
Access Management
Data Protection Directive
Privacy
Europe and the USA are often seen as having very different approaches to personal data: Europe has an over-arching law covering all personal data, the US has some specific laws on particular uses of personal data. One area that is covered by US legislation is the use by universities and colleges of information about their students; since there is increasing exchange of both students and their data across the Atlantic, it seemed worth spending a bit of my time to compare the two laws.
Read more
6 June 2012 at 10:34am

MoJ Data Protection Response

Andrew Cormack
Access Management
Data Protection Regulation
Privacy
An interesting morning yesterday at the launch of the Ministry of Justice's Response to the Call for Evidence on the Current Data Protection Legislative Framework.
Read more
6 June 2012 at 10:19am

Data Protection Directive Meeting

Andrew Cormack
Access Management
Data Protection Regulation
Privacy
I had an interesting day in Brussels yesterday, providing input for the Commission's revision of the 1995 Data Protection Directive. Invitations had been sent to those who responded to the consultation last year, so a wide variety of organisations were present, including banking, marketing, medical, consumer rights, content industries and telecommunications operators.
Read more
6 June 2012 at 10:18am

Pseudonymous Identifiers and the Law

Andrew Cormack
Access Management
Data Protection Act
Data Protection Regulation
Privacy
For a while I've been trying to understand how pseudonymous identifiers, such as IP addresses and the TargetedID value used in Federated Access Management, fit into privacy law. In most cases the organisation that issues such identifiers can link them to the people who use them, but other organisations who receive the identifiers can't. Indeed Access Management federations spend a lot of effort to make it as difficult as possible for the link to be made, using both technical and legal means to protect the privacy of users.
Read more
6 June 2012 at 10:10am

IP Addresses and Data Protection

Andrew Cormack
Access Management
Data Protection Regulation
Privacy
copyright
incident response
An Occasionally Asked Question (an OAQ?) is "are IP addresses personal data?". That question is probably too broad to ever get a simple answer, but a recent decision by the Irish High Court  (EMI Records & Others v Eircom Ltd [2010] IEHC 108) has at least answered the related question "are logs indexed by IP address always personal data?".
Read more
Subscribe to Access Management