23012022 Ticketing Systems and the GDPR Andrew Cormack

23/01/2022 Ticketing Systems and the GDPR Andrew Cormack, Chief Regulatory Adviser (@Janet_Leg. Reg)

2 General Data Protection Regulation

  • In force 25th May 2018
  • Applies to personal data if person, processing or processor is in EU
      » PD includes indirect identifiers: IP/MAC/email address, as well as names
  • Replaces 1995 Data Protection Directive
      » Principles, legal bases, etc. largely unchanged
      » New accountability principle expects controllers to explain processing
  • Particular things to think about for ticketing systems
      » How long to retain data
      » Personal data in free text fields

3 Data Retention

  • Can retain data as long as “necessary” for a purpose
      » i.e. no less intrusive way to achieve that purpose
      » Then delete/aggregate/anonymise personal data fields
  • Some possible purposes of tickets (and retention times)
      » Resolve the question (till question resolved)
      » Identify training etc. requirements (as soon as possible! Months?)
      » Statistical reporting (unlikely to require personal data)
      » Collate FAQs (no need for personal data)
      » Long-term performance (linked to equipment etc., not people)
      » Others?

4 Free-text fields

  • May contain personal data, but hard to find
      » So an unknown DP risk, and not particularly useful either
      » You will be expected to find/redact it for subject access requests
  • Ways to reduce the risk
      » Provide structured fields for personal data (then apply retention rules)
      » Set policies for use of unstructured fields
      » Set retention periods for unstructured fields too
      » For high-risk situations/activities, consider human or auto-redaction?
  • I.e. minimise risk, then check that benefit justifies what remains
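An added example, not part of the original slides: a sketch of auto-redaction for a free-text field combined with a retention rule on structured fields. The ticket field names, the 90-day period and the sample ticket are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Indirect identifiers named on slide 2: email, MAC and IP addresses.
# MAC runs before IPv4 so the two patterns never compete for the same text.
PATTERNS = [
    ("EMAIL", re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")),
    ("MAC", re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")),
    ("IPV4", re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
]

def redact_free_text(text):
    """Replace identifiers with typed placeholders; return (text, hit counts)."""
    counts = {}
    for label, pattern in PATTERNS:
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return text, counts

# Assumed policy: which structured fields are personal, and how long to keep them.
PERSONAL_FIELDS = ("requester_name", "requester_email")
RETENTION = timedelta(days=90)

def apply_retention(ticket, now):
    """After RETENTION has passed since resolution, blank personal fields
    and redact the free-text description. Returns a new dict."""
    resolved = ticket.get("resolved_at")
    if resolved is None or now - resolved < RETENTION:
        return ticket  # still within the period needed for the purpose
    cleaned = dict(ticket)
    for field in PERSONAL_FIELDS:
        cleaned[field] = None
    cleaned["description"], cleaned["redactions"] = redact_free_text(
        ticket["description"])
    return cleaned

# Constructed sample ticket (documentation-range addresses, invented names).
SAMPLE = {
    "requester_name": "A. User",
    "requester_email": "a.user@example.org",
    "description": "Laptop 00:1A:2B:3C:4D:5E on 192.0.2.17 cannot reach mail; "
                   "reply to a.user@example.org. Spoke to Sam at the desk.",
    "resolved_at": datetime(2022, 1, 10),
}

if __name__ == "__main__":
    print(apply_retention(SAMPLE, datetime(2022, 6, 1)))
```

The name "Sam" survives redaction: pattern matching only finds identifiers with a fixed shape, so names typed into free text still need a usage policy or human review.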

5 References

  • GDPR
      » http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679
  • Blog on purposes/retention
      » https://community.jisc.ac.uk/blogs/regulatorydevelopments/article/helpdesks-how-long-keep-information
  • Blog on free text
      » https://community.jisc.ac.uk/blogs/regulatory-developments/article/freetext-and-data-protection

6 Thanks

Andrew Cormack
Chief Regulatory Adviser, Jisc Technologies
Andrew.Cormack@jisc.ac.uk
https://community.jisc.ac.uk/blogs/regulatorydevelopments/tags/Data-Protection-Regulation

Except where otherwise noted, this work is licensed under CC-BY-NC-ND