Reducing the Impact of Privacy Breaches

Monday, April 14, 2014 - 11:13

At present only public telecommunications providers are required by European law to notify their customers of security breaches affecting their privacy, including breaches that affect the confidentiality, integrity or availability of personal data. In the UK the Information Commissioner has published recommendations on handling privacy breaches, including when to notify those affected. Requirements to notify privacy breaches are, however, contained in a number of draft laws currently being discussed by the European Parliament and Council, including the draft Network and Information Security Directive, the draft eSignatures Directive and the draft Data Protection Regulation.

The formal effect of the Article 29 Working Party’s new Opinion on Personal Data Breach Notification will depend on the outcome of those legislative discussions. However, its discussion of various breach scenarios is already useful in identifying the kinds of impact a breach may have and, in particular, the sorts of technical and organisational safeguards that organisations can put in place to reduce those impacts. According to the Working Party, these include:

  • Data Minimisation
  • Pseudonymisation
  • Least Privilege
  • Awareness Raising
  • Vulnerability Management
  • Code Review
  • Encryption (provided state of the art algorithms are used and keys kept secure)
  • Salted, hashed password storage
  • Shredding (and other forms of secure disposal)
  • Backups
  • Incident Response

None of these should be unexpected, but it’s helpful to have them all recognised as contributing to privacy protection. The wide range of the measures also highlights the need for organisations to use a variety of tools, chosen to provide a consistent level of privacy protection. Relying on a single tool, or a single part of the organisation, is likely to leave information open to other types of attack.