Anonymisation Decision-making Framework

I’ve received the following announcement from the team at UKAN, University of Manchester:

Just to let you know that the second edition of the Anonymisation Decision-making Framework has now been published.

The Framework has been given a significant overhaul and for the first time there is a systematic method for evaluating your data environment.

You can download the new book and the companion documents from here:

Many thanks to Prof Mark Eliot for sharing the book and the various companion documents.

From (Schrems): steps for EU companies

Following from the CJEU’s judgment on EU-US data transfers (SchremsII), Schrems has posted comprehensive steps and FAQs on

I tweeted the news on 24th July 2020:

International data transfer

I just browsed #Schrems on my twitter streams. We now have a sequel to SchremsI – SchremsII came into force on 16 July 2020. Never a dull day when it comes to human rights and fundamental freedoms especially when such inalienable rights shine as actionable rights against other ‘rights’.

The CJEU’s judgment and the press release have been summarised by various folks. The essence of #SchremsII – extracted from Center for Democracy & Technology:

  • The safeguards provided by U.S. laws on the access and use by public authorities of data transferred from the European Union do not satisfy the requirements of EU law because, among other things, they do not grant European citizens actionable rights against the U.S. authorities.
  • Even if the Standard Contractual Clauses (SCCs) remain valid, the competent national data protection authorities are required to suspend or prohibit a transfer of personal data to the U.S. where U.S. law fails to appropriately protect Europeans’ personal data.
  • No doubt international data transfer or international trade will continue to flow (and flourish) even without Privacy Shield as there is still GDPR Article 49. Data transfer has to be read in terms of adequacy, derogation, surveillance and also trade politics.

    For now, our inalienable rights shine until another round of drama in the courts.


    I’ve just posted in my ‘other blog’ (just for my PhD stuff). Been reflecting today…

    One practical application of my privacy harm model is for making sense of “high risk to individuals’ interests” in carrying out data protection impact assessments or privacy impact assessments.

    For anyone interested in what I did for my PhD, here’s a bit about it.

    runaway ethics

    I participated in SPRITE+ ‘Accountability & Ethics in a Digital Ecosystem’ Workshop led by Dr Jonathan Foster and Dr Julie Gore last week. There were many interesting brainstorming discussions via Zoom breakout rooms from diverse academics and industry practitioners. It was well facilitated and far more enjoyable (and productive) than all the Zoom and similar webinars and meetings that I’ve attended during the past couple of weeks. I will take a break from online meetings/webinars – ‘online’ fatigue :-) .

    Accountability & ethics are both interesting and topical issues not only in a digital ecosystem but beyond the digital sphere. A good example is the current lockdown situation whereby we are all dependent on getting connected online or digitally connected because we have to obey or adopt social distancing (outside the digital sphere). Have ethics or ethical norms changed because we’re or have experienced ‘social distancing’ (more time alone or with family) and are also spending more time online to connect with people? I think researchers need to ask new questions on the interplay between the digital and non-digital or ‘real world’ sphere and where accountability and/or ethics matters or not. Do we have accountability or can impose accountability (via laws?) when we have runaway ethics? Just a random question!

    Contact Tracing

    A long time ago I was involved in assessing and using contact tracking solutions. It was during the Kosovo War (1998-1999) and I was working with an international charity organisation. At that time, I have not heard of Data Protection or privacy or Human Rights and did not have any safety procedures or standards to follow.

    Did I do any impact assessments? I probably did but nothing related to data protection or privacy. Did the solution cause any harm to anyone? I don’t think so. However, I remembered I spent a fair amount of time reflecting on the users of the tracing systems. The main users were those affected /impacted by the War and the administrators of the systems. Would any Data Protection Impact Assessments (DPIAs) and Privacy Impact Assessments (PIAs) method help me back in 1998?

    As part of my PhD, I examined various DPIAs and PIAs and I can say I’m not any wiser in using those impact assessments method except that now I am aware of Data Protection, data privacy and Human Rights.

    Right now, I’m reflecting on the contact tracing app after reading the article – The NHS Contact Tracing App: 11 key talking points –published by the BCS. I wonder whether any of the DPIAs or PIAs method has been used by the app designers. I suspect not.


    Today, 25th May 2020 marks the 2nd anniversary of the GDPR. issued this report: TWO YEARS UNDER THE EU GDPR

    Extracted from the conclusion:

    Crippled by a lack of resources, tight budgets, and administrative hurdles, Data
    Protection Authorities have not yet been able to enforce the law adequately. Worse,
    some public authorities have misused the GDPR to undermine other fundamental rights.
    While the GDPR in itself is not to blame for these failures, fingers are sure to be pointed
    at the law if urgent actions are not taken. We hope that the recommendations put
    forward in this report will help address the situation.

    I wonder even with more resources available, would the DPAs be better able to enforce the law adequately?
    I suspect not. More resources will not guarantee better outcomes.

    Governments should ensure the application of the GDPR and the
    protect the right to data protection in their COVID-19 response,
    particularly in the areas concerning the collection and use of health
    data, the use of tracking and geolocation, and the conclusion of
    public-private partnerships for the development and deployment of
    contact-tracing apps.

    Balancing the rights – the rights and freedoms of individuals & public interests – for the Covid-19 response is probably where we will see or have seen the workings or misuses of GDPR.

    What is privacy?

    I was out walking in my local park today. I couldn’t help noticing that there were less people in the park today compared to 2 days ago. Why? Well the weather wasn’t as nice today, dry but not sunny (between 5.35-6.30pm). Also, I forgot to wear my mask today and didn’t notice this until I was back home. I suddenly realised that I’m back to my ‘normal’ self or routine. Well…what is ‘normal’ or the ‘new norm’? For me, breaking or changing my habits are not ‘normal’ for me. Perhaps, because I’m quite an introvert at heart and enjoy peaceful stroll in quiet parks and quiet spaces with less people around. Also, I tend to put my mobile on silent mode or forget to bring it with me.

    So, it’s just me and my mobile on my ‘normal’ walk. Do I want to be traced or tracked or monitored by my mobile or by ‘someone’ capturing my location or interaction with a tree or a passer-by or another nearby walker? Isn’t this an intrusion into my private life or space or sacred space? Sacred because I just want to be left in peace or to be left alone (privacy?) Does the ‘new norm’i.e. when the lockdown is removed, and we regain a sense of normality also means we regain our sense of freedom and privacy? Do I value my privacy above all else or above what the public or others demand? I value my privacy, but I know I don’t have absolute rights.

    In the current epidemic the public interests or public health or save our NHS take centre stage above an individual’s right to privacy. The NHS is the hero in saving lives and also other essential services which we ‘normally’ take for granted. What I find upsetting is the uptake and/or the urgency in using technology (tech) for tracing or locating people or contact tracing. Yes, we all want to be back to ‘normal’ and get rid of the virus. Which is more dreadful – the virus or being under surveillance or tracked (without the opt-out)? The virus can kill – if your immune system is weak & you have no access to the needed medical aids and care. With the contact tracing or any tech that collects data about our ‘normal’ life (privacy?), it won’t kill anyone outright, right? It can save lives, so we’re told.

    As we know we’re relying on tech to save lives like the use of tech in hospitals etc. Also, like in normal times, we use tech daily and now we rely on tech more than ever in lockdown. More than ever, we also need to check that we’re using tech that does not go beyond one’s safety net (our privacy) or intrude into one’s normal life. This is what privacy is all about, isn’t it? A crisis isn’t ‘normal’. Privacy is sacred in normal times and more so during a crisis.

    #SelfIsolationHelp #StayHomeSaveLives

    A new era is dawning

    I’m getting a whole swathe of Coronavirus (Covid-19) emails, WhatsApp messages and news from online/TV/Radios & social channels.

    It is ‘crazy time’, ‘panic food stocking/hoarding’, ‘deserted café/streets’, ‘unprecedented time’, ‘tumultuous time’ and government calling for lockdown or shutdown and/or social distancing.

    The WHO declared last Wednesday 11th March 2020 that COVID-19 can be characterized as a pandemic.

    Even the ICO and EDPB have announced news. So now we have 3 categories of DPAs approach to the pandemic. @EUstaran (11:47 AM · Mar 17, 2020) tweeted the DPAs’ positions as follows: Restrictive: BE, FR, LU, NL Neutral: DE, NO, SK, SI, SE Permissive: DK, IE, IT, PL, RU, ES, UK

    Whatever we call it – epidemic or pandemic – the one thing that matters to me is that I can stay healthy and have access to my basic needs (air, food, water, electricity & WiFi) and my family and friends.

    Scary time for people who feel that they are vulnerable or categorised as vulnerable due to their health or medical conditions. No doubt, everyone wants everyone to be safe.

    My student tenant already packed up and left for home (China) and now my niece is packing up to leave for home (Malaysia) too. Her university has shutdown.

    This is my 1st experience of what a virus can do to a person, to a country and also at local community. Good to hear/read that neighbourly folks at are reaching out and offering help for the less fortunate or those affected by the epidemic.

    Let us not forget that there are many people who can’t self-isolate or social avoidance or not go to work as they are in the ‘front-line’ and/or are providing essential or basic services that I and so many others rely on in times of crisis or emergencies.

    Although the current situation feels like a dawn of a new era, whatever that may be, humanity will find a way to survive. Hope for a new dawn!

    With hope…

    Simple self-help steps to do daily, check out these:
    For main central flows
    For immune system, watch Video and follow the simple steps
    For those interested in JinShinJyutsu, welcome to join a Facebook community