GDPRtopics

24 April 2018 at 2:00pm
As the GDPR approaches, several customer organisations have asked us if the Janet network will be offering a data processor contract. Presumably the idea is that the organisation that creates an IP packet is the data controller for the source IP address and that all the other networks that handle the packet on its journey are (sub-)processors.
4 April 2018 at 10:08am
It's well-known that the General Data Protection Regulation says that IP addresses should be treated as personal data because they can be used to single out individuals for different treatment, even if not to actually identify them.
23 March 2018 at 1:24pm
The General Data Protection Regulation's Article 5(1) establishes six principles for any processing of personal data. It's interesting to compare how federated authentication – where a student authenticates to their university/college, which then provides relevant assurances to the website they want to access – performs against those principles when compared with traditional direct logins to websites.
22 March 2018 at 11:24am
I was recently invited by EDUCAUSE to present a webinar on GDPR to their community of mostly North American universities and colleges. The number of participants indicates that European data protection law is a topic of interest. But the most common question was why, as non-EU organisations, they should care about GDPR. So I wrote a blog post, which EDUCAUSE have now published...
2 March 2018 at 9:55am
I've had a number of questions recently about how long help desks should keep personal data about the queries they receive. The correct answer is "as long as you need, and no longer". But I hope the following examples of why you might need to keep helpdesk tickets are more helpful than that bare statement:
2 March 2018 at 9:49am
Collections of free text – whether in database fields, documents or email archives – present a challenge both for operations and under data protection law. They may contain personal data but it's hard to find: whether you're trying to use it, to ensure compliance with the data protection principles, or to allow data subjects to exercise their legal rights. Some level of risk is unavoidable in these collections, but there are ways to reduce it.
28 February 2018 at 8:30am
Although the Article 29 Working Party seem to have had applications such as incident response in mind when drafting their guidance on exports, that guidance could also be helpful in the field of federated authentication.
20 February 2018 at 10:09am
The Article 29 Working Party's guidance on Breach Notification suggests some things we should do before a security breach occurs. The GDPR expects data controllers, within 72 hours of becoming aware of any security breach, to determine whether there is a risk to individuals and, if so, to report to the national Data Protection Authority. It seems unlikely that an organisation that hasn't prepared is going to be able to manage that.
2 February 2018 at 9:30am
In thinking about the legal arrangements for Jisc's learning analytics services we consciously postponed incorporating medical and other information that Article 9(1) of the General Data Protection Regulation (GDPR) classifies as Special Category Data (SCD): "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation" (mo
5 January 2018 at 1:24pm
One of my guidelines for when consent may be an appropriate basis for processing personal data is whether the individual is able to lie or walk away. If they can, then that practical possibility may indicate a legal possibility too.