New EU Guidelines on Data Protection Impact Assessments

Posted on April 18, 2017 by Alison Knight • Leave a comment

Assessing the likelihood of a ‘deep impact’ – but how ‘deep’ is ‘deep enough’ and by whose standards? In other words, how exactly do you develop a methodology for determining whether processing is “likely to result in a high risk” to data subjects under the GDPR? Draft guidelines on conducting data protection impact assessments (DPIAs) … Continue reading →

Data protection / General Data Protection Regulation / ICO / Personal data / pseudonymisation / Risk-based approach / sensitive data

ICO Requests Feedback on New Data Protection Profiling Provisions

Posted on April 10, 2017 by Alison Knight • 1 Comment

If we stopped calling it ‘profiling’ and started calling it “creating composite, digital ‘mosaics’ by singling out, linking, and inferring personal attributes”, people might say “Well, it’s about time” The UK Information Commissioner’s Office (ICO) has published a discussion paper seeking feedback on profiling provisions under the EU’s General Data Protection Regulation (GDPR). The deadline … Continue reading →

Access to data / Data protection / General Data Protection Regulation / Law enforcement / Legitimate interest / Personal data / sensitive data

CJEU Advocate General Opines on the ‘Legitimate Interest’ Concept

Posted on January 28, 2017 by Alison Knight • 3 Comments

But how exactly does EU law achieve the weighing of competing legitimate interests and rights in a data protection law context? I’ve previously written (here) about the concept of legitimate interest under data protection law and how it has captured the attention of data protection agencies, as well as the EU institutions in informing the … Continue reading →

anonymisation / big data / Data protection / General Data Protection Regulation / ICO / Personal data / Privacy / pseudonymisation / research / Risk-based approach / sensitive data

The First-Tier Tribunal and the anonymisation of clinical trial data: a reasoned expression of Englishness…. which would have to be abandoned with the GDPR?

Posted on September 19, 2016 by Sophie Stalla-Bourdillon • 1 Comment

The Queen Mary University of London v (1) The Information Commissioner and (2) Alem Matthees, EA/2015/0269 case decided by the First-Tier Tribunal (Information Rights) (FTT(IR)) on 12 August 2016 is a fascinating decision. [Could it be a stylish expression of Englishness…. or otherness?] The case-facts concern a freedom of information request for clinical trial patient data … Continue reading →

anonymisation / big data / Data protection / General Data Protection Regulation / Personal data / pseudonymisation / research / sensitive data

What does the agreed version of the GDPR say about processing personal data for research purposes? Is the GDPR better than the Directive?

Posted on December 18, 2015 by Sophie Stalla-Bourdillon • 2 Comments

What does the agreed version of the GDPR say about processing personal data for research purposes? Is the GDPD better than the Directive? So here we are. It’s almost Christmas and after three years of intense debate the Council of the European Union and the European Parliament have announced that they have informally agreed on … Continue reading →

big data / consent / Data protection / health data / Privacy / sensitive data

Article 29 Working Party on the concept of health data: could it mean that we need to adapt the definition of health data as well as that of personal data?

Posted on February 10, 2015 by Sophie Stalla-Bourdillon • 1 Comment

On 5 February 2015, the Article 29 EU Data Protection Working Party (WP) issued a letter addressed to Paul Timmers – the Director of Sustainable and Secure Society at the European Commission. Within the Annex of this letter, the WP identifies relevant criteria to determine when data processed by lifestyle and wellbeing apps and devices … Continue reading →