Data Protection Regulation

4 December 2019 at 9:33am
Last week I was invited to be a member of a panel at the UN Internet Governance Forum on how law can help security and incident response and, in particular, information sharing. It seems there are still concerns in some places that privacy law is getting in the way of these essential functions.
23 October 2019 at 10:22am
The European Data Protection Board's (EDPB) latest Guidelines further develop the idea that we should not always expect relationships involving personal data to have a single legal basis. Although the subject of the Guidelines is the legal basis "Necessary for Contract", much of the text is dedicated to pointing out the other legal bases that will often be involved in a contractual relationship.
26 July 2019 at 3:47pm
Following on from my previous blog post on the possible uses of wellbeing analytics, we'd very much welcome comments on this latest draft of our Code of Practice. Note that this includes the maximum safeguards from all legal bases that seem likely to apply, so even if our continuing investigations conclude that some of those bases are not appropriate, the Code's recommendations are unlikely to change significantly.
3 May 2019 at 10:16am
While colleagues are looking at whether data can be used to pick up early signs of mental health and wellbeing problems, I'm exploring possible legal frameworks for doing that safely. As the diagram shows, trying to deliver an early warning service to all students falls into a gap between three reasonably familiar areas of data protection law:
18 April 2019 at 8:48am
In data protection circles, the phrase "Safe Harbour" doesn't have a great reputation. Wikipedia describes those as setting hard boundaries around an area where "a vaguer, overall standard" applies. Famously, in 2015, the European Court of Justice struck down the data protection Safe Harbor arrangement negotiated between the European Commission and the US Government.
4 April 2019 at 11:55am
[Re-purposing an unused introduction to my full paper - "See no... Hear no... Track no..: Ethics and the Intelligent Campus" - that was published in the Journal of Information Rights, Policy and Practice this week]
22 March 2019 at 10:18am
To my ex-programmer ears, phrases like "web 2.0" and "industry 4.0" always sound a bit odd. Sectors don’t have release dates, unlike Windows 10, iOS 12 or Android Oreo. Oddly, one field that does have major version releases is the law: it would be quite reasonable to view 25th May 2018 as the launch of Data Protection 3.0 in the UK. Looking at past release cycles, it seems likely to be fifteen to twenty years before we see version 4.0.
11 February 2019 at 8:02pm
In a workshop at last week's AMOSSHE conference, we discussed how wellbeing analytics might be able to assist existing Student Support services.
31 January 2019 at 3:03pm
Shortly after we did our first Data Protection Impact Assessments, on the Janet Security Operations Centre and the Jisc Learning Analytics Service, the ICO published its
28 January 2019 at 3:18pm
Incident response teams often share information when investigating incidents. Some patterns may only become apparent when data from different networks are compared; other teams may have skills – such as analysing malware – to understand data in ways we cannot. Since much of this information includes IP or email addresses - information classed as Personal under data protection law - concerns have arisen that attackers might be able to use the law to frustrate this sharing.