big data / Data protection / data protection agencies / General Data Protection Regulation / Privacy impact assessment / Risk-based approach / sensitive data

New EU Guidelines on Data Protection Impact Assessments

Assessing the likelihood of a ‘deep impact’ – but how ‘deep’ is ‘deep enough’ and by whose standards? In other words, how exactly do you develop a methodology for determining whether processing is “likely to result in a high risk” to data subjects under the GDPR? Draft guidelines on conducting data protection impact assessments (DPIAs) …

Data protection / General Data Protection Regulation / ICO / Personal data / pseudonymisation / Risk-based approach / sensitive data

ICO Requests Feedback on New Data Protection Profiling Provisions

If we stopped calling it ‘profiling’ and started calling it “creating composite, digital ‘mosaics’ by singling out, linking, and inferring personal attributes”, people might say “Well, it’s about time”. The UK Information Commissioner’s Office (ICO) has published a discussion paper seeking feedback on profiling provisions under the EU’s General Data Protection Regulation (GDPR). The deadline …

Access to data / Data protection / General Data Protection Regulation / Law enforcement / Legitimate interest / Personal data / sensitive data

CJEU Advocate General Opines on the ‘Legitimate Interest’ Concept

But how exactly does EU law achieve the weighing of competing legitimate interests and rights in a data protection law context? I’ve previously written (here) about the concept of legitimate interest under data protection law and how it has captured the attention of data protection agencies, as well as the EU institutions in informing the …

anonymisation / big data / Data protection / General Data Protection Regulation / ICO / Personal data / Privacy / pseudonymisation / research / Risk-based approach / sensitive data

The First-Tier Tribunal and the anonymisation of clinical trial data: a reasoned expression of Englishness…. which would have to be abandoned with the GDPR?

The Queen Mary University of London v (1) The Information Commissioner and (2) Alem Matthees, EA/2015/0269 case decided by the First-Tier Tribunal (Information Rights) (FTT(IR)) on 12 August 2016 is a fascinating decision. [Could it be a stylish expression of Englishness…. or otherness?] The case-facts concern a freedom of information request for clinical trial patient data …

anonymisation / big data / Data protection / General Data Protection Regulation / Personal data / pseudonymisation / research / sensitive data

What does the agreed version of the GDPR say about processing personal data for research purposes? Is the GDPR better than the Directive?

What does the agreed version of the GDPR say about processing personal data for research purposes? Is the GDPR better than the Directive? So here we are. It’s almost Christmas and after three years of intense debate the Council of the European Union and the European Parliament have announced that they have informally agreed on …

big data / consent / Data protection / health data / Privacy / sensitive data

Article 29 Working Party on the concept of health data: could it mean that we need to adapt the definition of health data as well as that of personal data?

On 5 February 2015, the Article 29 EU Data Protection Working Party (WP) issued a letter addressed to Paul Timmers – the Director of Sustainable and Secure Society at the European Commission. Within the Annex of this letter, the WP identifies relevant criteria to determine when data processed by lifestyle and wellbeing apps and devices …