Data Protection Act

12 February 2016 at 9:29am
The Article 29 Working Party of European data protection supervisors had hoped to make a full statement on the EU/US Safe Harbor agreement at the end of January. However this has now been postponed, probably until mid-April. The European Court of Justice declared last October that the original Safe Harbor did not guarantee adequate protection when personal data were transferred from Europe to the USA.
29 October 2015 at 4:13pm
The Information Commissioner's Office has published a new article on how they are responding to the European Court's Safe Harbor judgment. The overall message is that data controllers should take stock and not panic. While noting that the judgment does remove some of the former legal certainty, the ICO is "certainly not rushing to use our enforcement powers".
19 October 2015 at 4:56pm
The Article 29 Working Party of European Data Protection supervisors has now published its response to the European Court's ruling that the US-EU Safe Harbor agreement can no longer be relied upon when exporting personal data from the European Economic Area.
14 October 2015 at 1:45pm
The European Court's declaration today that the European Commission's fifteen-year-old decision on the US Safe Harbor scheme is no longer reliable is another recognition that Data Protection requires continuing assessment, rather than one-off decisions. European regulators have been recommending for years that neither data controllers nor companies to which they export data should rely on Safe Harbor certification alone. The U.K.
27 August 2015 at 4:36pm
The Information Commissioner has published updated and extended guidance on the use of the Data Protection Act's "section 29" exemption, based on cases and wider experience. This exemption is often used to release personal information (such as computer or network logs) to the police or other authorities investigating crimes, so sections 33-52 in particular are worth reading as a refresher. The points I'm most often asked about are:
4 July 2014 at 3:46pm
Andrew Cormack has been asked a few times recently how to decide which data or services it's appropriate to place in the cloud. The answer, rather boringly, is the same as for almost any other security question:
25 June 2014 at 4:45pm
There's no doubt that some parts of the UK Data Protection Act and the EU Data Protection Directive are badly out of date and need revising. The world they were drafted for in the early 1990s has changed.
11 February 2014 at 8:03pm
Most portable devices – laptops, smartphones and memory sticks – should be encrypted so that the information they contain is protected if the device is lost or stolen. Many countries (including the UK) give their immigration and other authorities legal powers to demand that you decrypt an encrypted device, though given the number of laptops that cross borders every day, only a tiny minority seem to be subject to such demands.
4 October 2013 at 9:15am
If you look up "interception" in most dictionaries you’ll find that it happens before an action has completed: in sport a pass can no longer be “intercepted” once it reaches a teammate. In a legal dictionary, however, that turns out not to be true. According to section 2(2) of the Regulation of Investigatory Powers Act 2000 (RIPA) interception can take place at any time when a message is "in transmission", which is explained by section 2(7):
12 March 2013 at 11:14am
The Information Commissioner has published helpful new guidance on how organisations can support the use of personally-owned devices for work, commonly known as Bring Your Own Device (BYOD). This appears to have been prompted by a survey suggesting that nearly half of employees use their own devices for work, but more than two thirds of them have no guidance from their employers.