I've been at several conferences recently on how Data Protection law is developing, and they've left me less than optimistic. By the end of 2015 Europe will have been working for four years on a Regulation "on the protection of individuals with regard to the processing of personal data and on the free movement of such data", but I’m now doubting whether the result will actually achieve either of those.
The Government has published its proposed guidance to universities, colleges and other specified authorities on what they will be expected to do to satisfy their duty under the Counter-Terrorism and Security Act 2015 to "to have due regard to the need to prevent people from being drawn into terrorism".
I was invited to speak at the Russell Group IT Directors' meeting yesterday, on the Counter-Terrorism and Security Act 2015 and its implications for universities. My slides are attached to this post.
Most of the Act is concerned with human, rather than technology, issues but the Act does require universities and colleges to have "due regard for the need to prevent people being drawn into terrorism". However, as I concluded:
Yesterday's excellent University of Cambridge conference on Internet Regulation After Google Spain suggested that data protection law will continue to affect a growing range of our activities, but that interpreting its requirements in novel circumstances will continue to be challenging.
In discussions of the "Right to be Forgotten" it is often observed that Google manages each month to deal with tens of millions of delisting requests for breach of copyright, as opposed to tens of thousands for inaccurate personal data. Often the implication seems to be that those numbers should be more similar.
A couple of discussions at Networkshop this week have raised the question of cyber-insurance, and whether this might be useful to universities and colleges. To think about that I split the question into three:
Yesterday UCISA published the Information Security Management Toolkit that provides guidance to higher education institutions wishing to establish systems to manage information security. Authors from across the sector contributed to the content including Andrew Cormack and myself from Jisc.
I'll be presenting a workshop and discussion session on 'From Mobile Device Policy to BYOD' at Jisc's Digifest on Monday 9th March. Come along and hear why Bring Your Own Device may not be as scary as you think
My slides are now published on slideshare