Access Management

25 June 2015 at 4:25pm
Last week the European Commission published their proposed new Data Protection legislation. This will now be discussed and probably amended by the European Parliament and Council of Ministers before it becomes law, a process that most commentators expect to take at least two years. There's a lot in the proposal so this post will just cover the general themes.
6 June 2012 at 11:06am
An interesting reminder from the European Court of Justice (ECJ) that the Data Protection Directive (95/46/EC) is supposed to make processing and exchanging personal data easier as well as safer.
6 June 2012 at 10:57am
Although consent is a key concept in Data Protection, discussions of it often seem confused and legal interpretations inconsistent. For example the European Commission has in the past called both for a crackdown on the over-use of consent and for all processing of personal data to be based on consent!
6 June 2012 at 1:45pm
On a privacy course I teach for system and network managers I suggest a scale of "privacy riskiness", the idea there being that if you can achieve an objective using information from lower down the scale then you run less risk of upsetting your users and/or being challenged under privacy law. That scale is very much a rule of thumb, derived by a kind of reverse engineering from various bits of European and UK telecommunications law by assuming that the more conditions a law places on a particular type of information, the more privacy invasive it is.
6 June 2012 at 10:55am
Federated access management can make things nice and simple for both the user and the service they are accessing. By logging in to their home organisation the user can have that organisation release relevant information to the service - "I am a student", "this is my e-mail address" and so on. And because that information comes from the organisation, the service is likely to consider it more reliable than information self-asserted by the individual user (especially if being a student entitles you to benefits such as site licences, reduced prices, etc.).
6 June 2012 at 10:51am
Europe and the USA are often seen as having very different approaches to personal data: Europe has an over-arching law covering all personal data, the US has some specific laws on particular uses of personal data. One area that is covered by US legislation is the use by universities and colleges of information about their students; since there is increasing exchange of both students and their data across the Atlantic, it seemed worth spending a bit of my time to compare the two laws.
6 June 2012 at 10:34am
An interesting morning yesterday at the launch of the Ministry of Justice's Response to the Call for Evidence on the Current Data Protection Legislative Framework.
6 June 2012 at 10:19am
I had an interesting day in Brussels yesterday, providing input for the Commission's revision of the 1995 Data Protection Directive. Invitations had been sent to those who responded to the consultation last year, so a wide variety of organisations were present, including banking, marketing, medical, consumer rights, content industries and telecommunications operators.
6 June 2012 at 10:18am
For a while I've been trying to understand how pseudonymous identifiers, such as IP addresses and the TargetedID value used in Federated Access Management, fit into privacy law. In most cases the organisation that issues such identifiers can link them to the people who use them, but other organisations who receive the identifiers can't. Indeed Access Management federations spend a lot of effort to make it as difficult as possible for the link to be made, using both technical and legal means to protect the privacy of users.
6 June 2012 at 10:10am
An Occasionally Asked Question (an OAQ?) is "are IP addresses personal data?". That question is probably too broad to ever get a simple answer, but a recent decision by the Irish High Court (EMI Records & Others v Eircom Ltd [2010] IEHC 108) has at least answered the related question "are logs indexed by IP address always personal data?".