Data Protection Directive

Various consultations relate to the European Data Protection Directive and its implementation
6 June 2012 at 11:48am
I did a presentation at the EEMA eID Interoperability conference last month on alternatives to "consent" in federated access management. At the moment consent seems to be the most often cited justification for processing personal data – websites frequently say that "by using this site you consent to...".
6 June 2012 at 11:21am
When talking about use of cloud services an issue that often comes up is whether the ability of foreign law enforcement services to access data makes it illegal to use a service in that country. The law that’s most often mentioned is the USA PATRIOT Act, but plenty of other countries (including the UK and others in Europe) give their law enforcement agencies powers to access material that’s either accessible from computers in those countries or crosses their networks.
6 June 2012 at 11:06am
An interesting reminder from the European Court of Justice (ECJ) that the Data Protection Directive (95/46/EC) is supposed to make processing and exchanging personal data easier as well as safer.
6 June 2012 at 11:03am
At a meeting of TERENA's CSIRT Task Force last week, I presented an updated version of my paper on Privacy and Incident Response.
6 June 2012 at 10:57am
Although consent is a key concept in Data Protection, discussions of it often seem confused and legal interpretations inconsistent. For example, the European Commission has in the past called both for a crackdown on the over-use of consent and for all processing of personal data to be based on consent!
6 June 2012 at 1:45pm
On a privacy course I teach for system and network managers I suggest a scale of "privacy riskiness", the idea there being that if you can achieve an objective using information from lower down the scale then you run less risk of upsetting your users and/or being challenged under privacy law. That scale is very much a rule of thumb, derived by a kind of reverse engineering from various bits of European and UK telecommunications law by assuming that the more conditions a law places on a particular type of information, the more privacy invasive it is.
6 June 2012 at 10:55am
Federated access management can make things nice and simple for both the user and the service they are accessing. By logging in to their home organisation the user can have that organisation release relevant information to the service - "I am a student", "this is my e-mail address" and so on. And because that information comes from the organisation, the service is likely to consider it more reliable than information self-asserted by the individual user (especially if being a student entitles you to benefits such as site licences, reduced prices, etc.).
6 June 2012 at 10:51am
Europe and the USA are often seen as having very different approaches to personal data: Europe has an over-arching law covering all personal data, the US has some specific laws on particular uses of personal data. One area that is covered by US legislation is the use by universities and colleges of information about their students; since there is increasing exchange of both students and their data across the Atlantic, it seemed worth spending a bit of my time to compare the two laws.
6 June 2012 at 10:51am
Many of the problems in applying European Data Protection Law on-line arise from uncertainty over whether the law covers labels that allow an individual to be recognised (i.e. "same person as last time") but not - unless you are the issuer of the label - identified (i.e. "Andrew again").