This session will provide an opportunity to discuss the latest legal developments and how they may affect networked services in education. Exact topics will depend on developments in Brussels and Westminster, but may include:
Data retention
Incident response
Data protection
Safe harbour.
2. Safe Harbor/Privacy Shield
»EU Data Protection compliance for exports to US private sector
»Original Safe Harbor ruled inadequate by ECJ, Sept 2015
› Largely on basis of Snowden revelations of NSA activity
»US/EU Commission announce “Privacy Shield”, Feb 2016
› Article 29WP expected to report mid-April on PS and other provisions
› Further legal/diplomatic argument likely thereafter
»Model clauses, Binding Corporate Rules, Consent more stable
»Or keep data in EU
22/03/2016 What's new in network law?
3. GDPR - General Data Protection Regulation
» Background
» So what does it all mean? (Spring 2018)
» Controllers and processors
» Data that’s covered
» Pseudonymisation
» Territorial scope
» Notification
» One stop shop – how laws are supervised
» Penalties
» Filing and record keeping
» DPOs
» Breach reporting
» Consent
» Data protection impact assessments
» Data subject rights
» Privacy by design and purpose limitation
» Export outside EU
» Transfers
» Data processors
» Digital consent for minors
» Exceptions
22/03/2016 Networkshop 44
4. Incident Response/Breach Notification
»GDPR says prevention/detection/response = legitimate interests
› So OK to process personal data subject to balance of interests
»Breach notification a requirement for all controllers & processors
› All breaches affecting PD: record breach & response
› Risk to rights & freedoms: notify regulator asap (72 hr expectation)
– Nature of breach, consequences, #affected, steps taken/proposed
› High risk to individuals: notify them, in consultation with regulator
– Including what they can do to protect themselves
»Also notification requirements on trust services, telcos, infrastructures…
5. Investigatory Powers Bill
»Covers existing RIPA interception and comms data disclosure
»Also data retention, equipment interference, “technical facilities”
› Now extended to any “telecommunications operator”
› Not just data you generate or process; only limited by feasibility
»Creates Government powers, not operator duties
› No requirement till you receive an order
› Then probably can’t discuss it with anyone else
»Lack of clarity much criticised, including by all Parl’t committees
»Now at Committee stage in House of Commons
6. Freedom of information
»2005 - Fees/cost, time limits, exemptions
»2015 - Review launched – 3 central proposed changes
»2016 - After 10 years FOI is working well – some recommendations
»IPR and disclosures under FOI – Guidance Feb 2016
»FOI and research information: guidance for HE - 2015
Pseudonymised Data is created by taking identifying fields within a database and replacing them with artificial identifiers, or pseudonyms.
1. Some history – Is anyone here directly involved in responding to FOI requests on a regular basis? I confess to being an FOI nerd, not just because it causes embarrassment to public officials about the cost of refurbishing their offices or the fact that it is used to prise information out of Government, such as the fact that British pilots are bombing Syria, but because it has made us all more conscious of records management and information governance – good information practice and categorisation.
2. Three central proposed changes:
charging for the requests,
making it easier to refuse requests on cost grounds and
giving ministers more powers to veto disclosures so that Whitehall has a safe place where civil servants and ministers can devise policy out of the public eye
3. We were not kept in suspense very long. The Commission instigated by Matthew Hancock, the Cabinet Office minister, found that after 10 years FOI is working well. Some recommendations:
publish all requests and responses where they provide information to a requestor
publish statistics
4. IPR and disclosures under FOI – Guidance Feb 2016
Once disclosed, the information is still protected by intellectual property (IP) rights.
5. How FOI should be applied to scientific research, particularly pre-publication research information. Different types of information are held by HEIs; information may be:
of particular public interest;
of commercial interest;
provided in confidence;
or sometimes controversial.
This guidance provides practical case examples derived from ICO decision notices and Information Rights Tribunal decisions.