This post is written by former #citylis research student and current visiting lecturer, David Haynes. Here he reports on the issues raised in an expert seminar he ran together with PhD candidate Cher Devey, on data protection. The seminar at City University London was held as part of international Data Privacy Day on 28/01/2016.
City University London celebrated Data Privacy Day on 28th January 2016 with a lunch-time seminar for researchers and practitioners concerned with data protection issues.
The seminar started with some context setting by David Haynes, who recently completed his Doctorate on Data Protection Regulation of Social Media at City University London. He highlighted recent judgments on: Google Spain and the right to be forgotten; the invalidation of the U.S.-EU Safe Harbor Agreement; and latterly the upholding of a judgment that allowed an employer to take disciplinary action against a staff member who sent private e-mails at work. Perhaps the most significant development is the agreement of the wording of the EU General Data Protection Regulation (GDPR) that was announced in December 2015. The new Regulation takes effect from 2018.
Cher Devey, a PhD researcher, shared her fascinating insights into the Data Breach notifications that are one of the key provisions of the GDPR. Her research investigates models for security breaches and their relationship to privacy breaches. She also identified some of the concerns that arise when there is a privacy breach. How do you know when a breach has taken place? She suggested that current security models are inadequate for the requirements of the GDPR, because it is not always clear when a breach has occurred. She also pointed out that the processes involved in verifying a breach would take longer than the statutory notification periods in the Regulation.
Discussions revolved around inadvertent privacy breaches. For instance, when medical data is aggregated and anonymised, there may be sufficient information from external sources to identify individuals. Another example is the transmission of unencrypted cookie data to third parties, which allows them to mine a great deal of personal information.
The discussion also turned to the practicalities of fulfilling the requirements of the GDPR, and the idea of proportionality came up. Under the Regulation, small businesses that do not handle large volumes of personal data do not have to put in place the same levels of process as larger organizations or those that handle large volumes of sensitive personal data.
Cher Devey is a PhD student in the Department of Computer Science at City University London. Cher is on Twitter as @datachainrisk.