I asked whether the WP29 thinking (& their opinions) about the 3 properties are for the ‘direct and indirect’ way of identification of the personal data. The answer was not in the method itself but that the properties are for ‘all data types’ i.e. any dataset. Her exact wordings ‘ use by anyone on any dataset’. Also, the DPA (DPO/Organisation?) needs to prove (or justify or show) that the dataset has indeed been anonymised (using any of the 2 options). My understanding is that the anonymisation if done (risk-based, database and/or algorithmic-driven) should not enable the direct and indirect re-identification of the individual(s).
As noted on this slide: ‘No single technique eliminates all risks’.

It’s near impossible to identify/isolate ‘all the direct/indirect re-identification risks’ associated with any dataset, assuming the dataset is available and not hidden in some Cloud and/or in a chain of hidden registers.

We really need to re-think personal data in terms of ‘the harm to individuals’ as there’s no absolutely sure way of preventing re-identification risks (i.e. singling out, linkability or inference/deduction etc.)

Overall a great talk.

I just noticed the slides and talk are available online: BCS Law talk 29th March 2018

The url:

https://twitter.com/datachainrisk/status/971197667660492800

http://www.city.ac.uk/news/2016/jan/data-privacy-day-discussion

Headlines and content extracted and posted here;

City experts to discuss data privacy

The European Union (EU) General Data Protection Regulation (GDPR) and the recent European Court of Human Rights (ECHR) judgement are among several issues to be addressed by data privacy researchers.
The latest European Union (EU) General Data Protection Regulation (GDPR) and the recent European Court of Human Rights (ECHR) judgement are among several issues which will be discussed by City University London researchers on Data Privacy Day, 28th January 2016. The event will take place in Room AG07a from Noon to 1pm.

The wording of the General Data Protection Regulation (GDPR) was agreed in December 2015.

The new Regulation began life as a draft document in 2012 and after being debated in the European Parliament and a trilogue between the three EU institutions (the European Council, the European Commission and the European Parliament) the final wording has been agreed. The GDPR will take effect from 2018 and strengthens the protection offered to individuals within the EU.

Among its new provisions are:

1. Better control of personal data by individuals.

2. Better access by individuals to their own data.

3. Data portability.

4. The right to be forgotten.

5. The right to know about serious data breaches.

Following active lobbying the new Regulation also aims to be more business-friendly by cutting out the red tape. SMEs that handle personal data (such as employee records) will no longer be required to register with the data protection authorities, so long as processing personal data is not their main business. Unlike the current Data Protection Directive, the new Regulation will automatically apply across all EU states – it does not have to be passed into national law, such as the UK’s Data Protection Act 1998. Businesses working across Europe will only have to deal with one authority, rather than the regulatory body in each state that it operates in.

A recent judgement by the European Court of Human Rights (ECHR) has highlighted some of these issues by ruling that employers are entitled to monitor employee communications when they are using the Internet during work hours. A Romanian worker sacked in 2007 for use of personal e-mail during work hours had appealed against a ruling by the Romanian courts that upheld his dismissal.

However the ECHR upheld a ruling by the Romanian Court, stating that it was not ‘unreasonable that an employer would want to verify that employees were completing their professional tasks during working hours’. This raises important issues for employees throughout the EU.

Definition Data Privacy Day
Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the 28th January 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. Data Privacy Day is now a celebration for everyone, observed annually on 28th January.

Hope to get this celebration to be an annual event at City University London.
I’ll be doing a 5 mins talk on my current research.

Individuals, organisations, governments etc i.e. EVERYone who cares about their privacy should read the publication and decide what ‘identity’ to attach to (their) data. (Identity Governance for all).

Like picking up any new technology or looking to make sense of the new technology, I start with looking at the new technology with references to established methodologies, approaches or techniques or simply methods. These established methods are still around, come cloud or no cloud.

I have heard references of cloud computing in terms of outsourcing or another way of addressing or outsourcing your computing costs. So folks also talk about cloud computing in terms of opex and/or capex. Is cloud computing new technology or another way to talk about outsourcing your computing costs?

After reading this excellent write up on Cloud Computing, my initial skepticism on cloud computing turns into childish delight! Ah! It makes sense to have the 4 letters i.e. SaaS, PaaS, IaaS to describe cloud computing in terms of services. It seems that cloud computing does resemble outsourcing except that with outsourcing one is led to address business function/activities instead of computing services. My next question -what services are offered by cloud computing that will radically change the way I work or use technology? An ediscovery question in cloud computing – will (or is) cloud computing radically change (changing) the ediscovery scene?

Right now I can’t think of any (cloud) services except that I will have to figure out what data do I consider cloud worthy. This sounds familiar in outsourcing too. The same question as what is core to my business, I keep in control and not outsource also applies to cloud computing. At the lowest level, is data core to my business? A tough question or a non question! There will be established or seasoned/reasoned questions which are irrelevant in cloud computing.

Businesses outsource their core function as ‘core’ is not an accounting concept or an IT concept. We don’t talk about core accounting costs or core computing/technological data or services. Do we?

It seems the focus is no longer on ‘core business’ or even services. Cloud computing is driving the way we handle or our ability to handle data – period. The signs are around us e.g. ‘Big Data’ and ‘BYOD’.

I am not interested in what cloud computing delivers, it is what data to ‘outsource’/give up to cloud service providers. There is data protection act (soon a law in itself) and privacy related concerns. It will be interesting to see whether the changes to the data regime will define further questions or will the changes redefine the way cloud computing is currently defined. I have not come across a piece of legislation that changes the way technology is defined (& hence it’s course of design, development and deployment). It is a known fact that law plays catch up in terms of technology. The ‘right to be forgotten‘ is probably the policy/rule makers’ way of acknowledging that computing is beyond ‘legal codifying’. Perhaps the policy makers in mixing data protection with privacy wanted to recapture the concept of privacy as defined by Judge Thomas Cooley in 1888 – The Law of Torts 29 (2d ed. 1888) – ‘the right to be left alone’.

So where does this lead to in terms of ediscovery, which is also here to stay whether cloud or no cloud.

One term that comes to mind is disruption as in disruptive technology with the intended consequences and (perceived) benefits.

Cloud computing is disruptive technology/computing for ediscovery at many levels as it touches on several areas where ediscovery is weak (in terms of uncertainty or complexity in data access and processing). Similar to the concept of ‘core’, ‘control’ and ‘trust’ are meaningless in disruptive technology. Meaningless in the sense that one invariably (even with contractual agreements in place) loses control of data (in the cloud). The issue with trust is – how can we trust cloud providers if we loses control of data? Control of data and issues of trust are interlock or meshed up as seen in the measures to deal with data protection and privacy rights. The emphasis on ‘protect’ data (as in data protection rather than ‘control’ ) seems to have lost its lustre in the attempt to address privacy of individual in the non physical data world.

So it is back to ‘handling of data’ which is essentially what we do when we do ediscovery. We ‘handle’ – as this cover all aspects of accessing or processing – as it is human that handle the data not computer.If this is not the case, why do we have ediscovery rules (CPR) that has description of ‘how to do…’ . Like all changes in rules/law, there will be disruption initially. So it is safe to say, changes in the data regime will disrupt the ediscovery rules or more accurately further disrupt the handling of data.

Can we define data in terms of services? It’s like defining personal and sensitive data (or secret data/info) as services for cloud computing. Maybe we are getting there in terms of 4 letters, as data is 4 letters too.

In the ediscovery world, these two ‘B something’ not only add extra vocabulary but also highlighted that data is ‘Big-ish to the petra super server level’ and also ‘small-ish to the device level’.

Where do we start?

For those of us who create applications (apps) or build systems we do so to meet business needs or to make a living or some other reasons. How we use the data subsequently (created by the apps) is generally not build into the apps. We don’t design apps to limit data generation or to identify data with meta data such that we know every bit of data being created. It is like asking for an app that will track every bit of data being created without the app creating data too. Imagine an app for this and guess what will top the chart for next year end ediscovery survey!

Is it the same as uttering or saying less (e-mail or phone) to convey a message without the message being short circuited or miss-interpreted?

I use applications every day. I create data every day too. I make dumb decision some day. Today I make a decision which is dumb due to lack of data being conveyed.
Dumb apps or dumb data or dumb me?

Why five principles?

This principle – Privacy by design -  sounds great with the 3 words title which is rather arty and catchy like a company’s business motto.

The description – ‘New technical developments have to observe data privacy requirements at an early development stage, thus permitting the introduction of data protecting hardware and software’.

Only ‘new’ technical developments and at an ‘early’ development stage?

Just another play with words for my own amusement.

In terms of designing hardware and software for data privacy and/or protection, the play with words will not help software folks.

When I am asleep, I guess I have nothing to do with technology unless I am in a technological related dream. This will probably be the end of my spirited being.

Here is an interesting question (or a dream question?) raised by someone at the Sociotechnology and Knowledge Development (sociotech) Group. I see nothing wrong in raising the question in my blog here. Any objections and concerns, please post here or contact cher at iedisc.com

Gosh! has technology got me to be so so cautious?!

The question coming from the sociotech group:

What do we really mean by technology?

This question sound similar to several questions raised by law/policy makers during an ediscovery conference I attended in 2009 in Barcelona.

Substitute the word ‘technology’ with ‘processing’ or ‘privacy’ or ‘consent’ (as in data protection), we end up with more dreamy questions with little common understanding or agreement, especially when discussing on ‘what are the real issues with cross border ediscovery?’.

The questions were based on this statement (or an opinion?):

There is no legal basis (or justification) for ‘processing’ which includes transferring, viewing, accessing etc, of data in ediscovery across the Atlantic (i.e. the Europe & US divide). What? No viewing, i.e. I can’t even open-view the file/data !

I guess the answers were not in the questions being raised, as the only answer that the policy makers were seeking to get assurance is: ‘how safe is my (personal) data’?

So, ‘What do we really mean by technology?’

My dreamy reply: ‘technology’ is a beast and also a non beast, a thing and also a thingy.

What is your view(s)?