Last updated: 
1 week 13 hours ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Are networks data processors?

Tuesday, April 24, 2018 - 14:00

As the GDPR approaches, several customer organisations have asked us if the Janet network will be offering a data processor contract. Presumably the idea is that the organisation that creates an IP packet is the data controller for the source IP address and that all the other networks that handle the packet on its journey are (sub-)processors.

The law isn't clear on whether networks process personal data when they forward packets. But if you assume it does and that the relationship between originator and networks is a data controller-data processor one, then the law would also require the existence of a chain of sub-processor contracts, first with every network to whom we pass your packets on, then on all the way to the destination organisation. Similarly, we'd need a data sub-sub-(...)-processor contract with every customer organisation that receives packets from us, to make sure that the responding organisation also satisifed its data controller obligations. I hope it's obvious why - at least unless and until there's a clear statemement from data protection authorities - we favour interpretations that don't require that immense mesh of contracts to be in place before we can send and receive packets for you!

When processing packets for security - to protect our networks and those of connected customers - we are clearly data controllers, because we decide the purpose and means of that processing. As Recital 49 of the Regulation requires, we do that in ways that minimise the risk to users of the network and ensure that those risks are far outweighed by network and information security benefits that we all rely on.