What the CoFoE thinks about citizen privacy

What the CoFoE thinks about citizen privacy

The Conference on the Future of Europe, Democracy and Rule of Law panel has generated 39 recommendations to improve the EU’s Democracy and compliance with the Rule of Law. Three of these related to Privacy and one to Cybersecurity. I have drafted a response for CTOE, which I hope will become part of their response but did not form part of their first response, which is fortunate since I changed my mind slightly. The article, overleaf, covers regulations and sanctions, equality of arms, and enforcement and political will. ...

The 7 Principles

The  7 Principles

When evaluating Data Protection laws and enforcement appetite, one sometimes needs to refer to the 7 principles. These were agreed by the OECD in 1980 and I summarise them below.

  • Notice, Data subjects should be given notice when their data is being collected.
  • Purpose, Data should only be used for the purpose stated
  • Consent, Data should not be disclosed without the data subject’s consent
  • Security, Collected data should be kept secure from potential abuses
  • Disclosure, Data subjects should be informed as to who is collecting their data
  • Access, Data subjects should be allowed to access their data and make corrections to any inaccurate data.
  • Accountability, Data subjects should have a method available to them to hold data collectors accountable to the above principles.

Europe’s privacy laws are constructed by building legislative infrastructure based on treaties and then the creation of law. This diagram below shows the time line of European infrastructure (above the line) and law (below the line), it was made in a year or so ago and thus does not have the UK’s departure from the EU, nor the assignment of “Adequacy” by the Commission.

No alt text provided for this image

While much focus today is on the EU’s GDPR, the principles that underpin it, are more broadly accepted than that law, and in some areas, the GDPR maybe found wanting.

This blog post originally appeared on my LinkedIn blog. …

Lightening never strikes twice

Lightening never strikes twice

In my blogs on the Track & Trace failure [blog | linkedin], I make the throwaway comment that Govt. IT often fails repeatedly because no-one is accountable, nor punished and thus they fail to learn but in this case it’s not true; Dido Harding the CEO of the Track & Trace was CEO of Talk Talk when it was fined £ ½m for another data protection breach caused by another failure to in this case close down an application running on an out of date & unpatched version of MySQL, making it vulnerable to a SQL injection attack, one of the OWASP top 10 vulnerabilities.  How unlucky can you get? …