Personal Data and Consent Management: A Briefing Paper
The aim of this briefing paper is to help institutions understand the potential ramifications arising from the creation and dissemination of personal data, their roles and responsibilities regarding consent management, the issues associated with anonymised data, and the possible role of risk management decisions. This briefing paper is based on a more comprehensive report by JISC Legal, “Consent Management: Handling Personalisation Data Lawfully” - http://www.jisclegal.ac.uk/Themes/IdentityManagement.aspx - which was commissioned by JISC’s Information Environment team.
The Briefing Paper by Naomi Korn and Professor Charles Oppenheim includes -
- A Risk Assessment Checklist
- FAQs on Library Activity Data and
- Good Practice Recommendations
and is available in pdf format and Microsoft Word format.
16 November 2011
The material below was delivered as part of JISC Legal's involvement in JISC's Information Environment Programme. For ongoing guidance on the issues involved, refer to our Identity Management page at http://www.jisclegal.ac.uk/Themes/IdentityManagement.aspx.
Consent Management - Handling Personalisation Data Lawfully - Full Report
A JISC Legal report, funded by JISC's Information Environment Programme, 2009-2011
For FE and HE institutions, providing secure and convenient access to a comprehensive collection of scholarly and educational material from external services is central to building an online information environment. Considering the vast quantities of user activity information generated as learners interact with learning materials held by third party providers, universities and colleges face many challenges in effectively and securely ensuring that individuals’ rights are protected.
JISC Legal, in its latest study, ‘Consent Management - Handling Personalisation Data Lawfully,’ addresses clear questions that arise in relation to learners’ access and identity:
- Must an institution always get the consent of learners if it wants to process their information in a new and innovative way?
- What is the best means of administering the individual consent of learners to various processing activities that will occur with their data?
- What laws apply to the vast quantities of user activity data that are generated as learners participate in and engage with online resources?
Download the full report here - Word or PDF format.
Consent Management - Good Practice Recommendations
In addition, for those looking for a brief overview of the main practical issues affecting those working at the sharp end, we have extracted our Good Practice recommendations from within the report and published these separately. Again you can download these here in Word or PDF format.
Consent Management - An Introduction
Institutional Consent Management Policy and Processes Supporting Personalisation
What is JISC Legal's Consent Management Project?
The study will assist the use of technologies which, for data protection or other legal reasons, require the consent of a user to the release of their personal data. The release of such data may be required in order to verify that a user has the right to access a particular resource, or to allow personalisation features. The project complements work being done on access management generally, and in particular, federated access management and Shibboleth. More information on these initiatives can be found on the JISC website: http://www.jisc.ac.uk/.
What is Consent Management about?
In many cases it may be possible for an institution to provide online services without the release of information that identifies a particular person, and in this case no data protection issues arise. However, in other circumstances, identity will be necessary to the provision of access or personalisation. The processing of personal information will only be legal if done in compliance with the principles laid down by the Data Protection Act 1998. The first, core principle requires processing (including transfer) to be fair and lawful. In order to meet this requirement, one of the "Schedule 2" conditions for processing must be met. The most commonly relied on condition is "consent", in other words, that the data subject has agreed to the processing after having reasonable notice of what processing is proposed.
Legal Issues Involved in Managing Identity - The Identity Management Toolkit
JISC has launched a toolkit to allow information officers, IT directors, security managers and their staff to better understand the legal issues involved in managing identity issues. Identity management is key to many processes and services that universities and colleges provide for students, staff and other individuals, and the sector as a whole can benefit from improved identity management practice. The toolkit can be accessed here - http://www.jisc.ac.uk/news/stories/2010/03/identity.aspx.
Feasibility of a Common Template For Access Management Federations
This JISC-funded project was intended to identify the extent to which a common template is feasible for access management federations across a number of jurisdictions. If a common template is possible, this will make it easier for service providers to sign up to federations in different countries, and will make peering between federations easier.
Preliminary Findings Documents
Prior to the publication of the final report, please find below documents related to the preliminary findings:
* Report on Preliminary Findings
* PowerPoint Presentation of the Preliminary Findings
* Outline Report on a Comparison of Attributes
If you require any of these documents in a different format, please contact JISC Legal.
For more details of the project funding, please visit:
We hope that representatives of federations, service providers and federation users will all contribute to this study, in order to provide the best framework of agreements to ease transition to the most user-friendly of systems for all.