Educause Security Discussion mailing list archives
Re: GDPR Question
From: John Denune <jdenune () UCI EDU>
Date: Mon, 8 Jan 2018 17:23:01 +0000
Brad,

From the EDUCAUSE/Tambellini Group webinar, one of the scenarios presented involved a US faculty member visiting Finland on sabbatical. While in Finland, the scenario concluded that:

* All personal data the faculty member sends back to the home institution falls under GDPR
* This includes the personal data of her US PhD students that she may send back to the US
* This also may include all personal data she has with her when she returns to the US.

So, from this webinar GDPR scope seems to be based on the data flow of personal information from the EU to somewhere else. It doesn’t seem to matter the citizenship or the residency of the subject. At least that was my take based on scenarios in the webinar.

I also echo that working with legal counsel is the way to go to help clarify as there seem to be a lot of interpretations out there.

---John

--
John Denune
Security Risk and Compliance Program Manager
Office of Information Technology
University of California, Irvine
jdenune () uci edu
(949) 824-8301

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Brad Judy <brad.judy () CU EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, January 8, 2018 at 8:57 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] GDPR Question

In the case of GDPR, I strongly recommend working with legal counsel about how your institution wishes to handle it. International extra-jurisdictional law is an interesting space and while I think there is some consistency on the interpretation of the intent of GDPR, it seems like different institutions have different views of what that means for them.

As to Ben’s point about the law not applying to EU citizens residing outside the EU (definitely true from my understanding), here’s another way to think about it:

In order for countries to be sovereign, they aren’t subject to the local laws of other countries. So, some part of the equation must be within EU borders for the law to apply. In other situations, the focus has been on the data physically residing within borders. In the case of EU GDPR, it doesn’t care where the data resides, only that the human subject of the data is within EU borders. This creates interesting discussions about individuals who are temporarily within EU borders (visiting for a week, studying/working for a semester, etc.).

Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Ben Marsden <bmarsden () SMITH EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, January 8, 2018 at 9:18 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] GDPR Question

expanding a bit (and with the standard IANAL caveat, it is my evolving understanding that...), the regulation also states that EU citizens living abroad (i.e., outside EU-covered states) are NOT covered by the regulation while they remain abroad. I.e., ex-pats aren't covered, so your faculty members who may have EU citizenship but live & work at your US-based institution are not covered by GDPR (erm, unless they go visit the homeland and then exchange PI covered data while there).

yes, ymmv ...

On Mon, Jan 8, 2018 at 11:09 AM, Brian T. Huntley <bhuntley () clarkson edu> wrote:

Hi Jim -

Most everything I've seen and counsel advice we've received would indicate that a US student studying abroad would indeed be entitled to protections under the GDPR. In fact, some have gone so far as to suggest that based on the somewhat vague definition in Article 3: "...data subjects who are in the Union..." would include anyone who was physically within the bounds of the EU - whether expat, resident, citizen or "just visiting".

YMMV though, so definitely worth engaging your GC to get their take and enable your senior management to make an informed risk decision about the whole thing.

Brian

--
Brian T. Huntley
Director of Network Services and Information Security
Office of Information Technology
Clarkson University
315.268.6723

On Mon, Jan 8, 2018 at 9:50 AM, Pardonek, Jim <jpardonek () luc edu> wrote:

Good Morning,

We have been having some discussions regarding what population’s records are subject to GDPR. The discussion centers around whether or not the records of US citizens that study abroad fall under GDPR. Some say it’s only those who are citizens of the EU. Is there any guidance on this topic?

Thanks and have a great day.

Jim

James Pardonek, MS, CISSP, CEH
Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL 60660
(773) 508-6086

Loyola University Chicago will never ask you for your username or password.

For the latest information security news at Loyola, please follow us online,
Twitter: @LUCUISO
Facebook: https://www.facebook.com/lucuiso/
Our Blog: http://blogs.luc.edu/uiso/

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joanna Grama
Sent: Monday, October 2, 2017 9:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] October 24 GDPR Webinar from Tambellini Group and EDUCAUSE

Good morning,

Many of us continue to struggle with understanding the scope and finer points of the EU GDPR and its application to US higher education institutions. To that end, EDUCAUSE and the Tambellini Group have been working together to share more information on this topic and we are pleased to announce an upcoming webinar that you may be interested in.

The jointly sponsored webinar will be held on Tuesday, October 24, 2017, from 1-2pm ET. You can register for the webinar and read more about the webinar content here:
https://marketing.thetambellinigroup.com/acton/media/10722/gdpr-and-us-higher-education-institutions-webinar

As GDPR questions have been coming up on our various EDUCAUSE lists, we have been sharing those questions with the Tambellini group so that they can be specifically addressed in the upcoming webinar.

Kind regards,
Joanna

(This message has been cross posted on the EDUCAUSE security, privacy, and IT GRC discussion listservs.)

Joanna Grama, JD, CISSP, CRISC, CIPT
Director of Cybersecurity and IT GRC Programs
EDUCAUSE
Uncommon Thinking for the Common Good
282 Century Place, Suite 5000, Louisville, CO 80027
direct: 720.406.6769 | cell: 720.507.5983 | jgrama () educause edu

Become a Member - Everyone at your organization is an EDUCAUSE member when you join | Access discounts, resources, and valuable peer networks | Discover membership: https://www.educause.edu/about/discover-membership

--
BEWARE of links and attachments in email! * Stop, Think before you click *
Ben Marsden : Information Security Director, CISSP
ITS, 201 Stoddard Hall, Smith College, Northampton, MA 01063
Any request to reveal your Smith password via email is fraudulent!
Current thread:
- GDPR Question Pardonek, Jim (Jan 08)
- Re: GDPR Question Joanna Grama (Jan 08)
- Re: GDPR Question Hudson, Edward (Jan 08)
- Re: GDPR Question Brian T. Huntley (Jan 08)
- Re: GDPR Question David Sheryn (Jan 08)
- Re: GDPR Question Ben Marsden (Jan 08)
- Re: GDPR Question Brad Judy (Jan 08)
- Re: GDPR Question John Denune (Jan 08)
- Re: GDPR Question Brad Judy (Jan 08)
- Re: GDPR Question Jennifer Svensson (Jan 08)
- Re: GDPR Question David Sheryn (Jan 08)
- Re: GDPR Question Adam Maynard (Jan 08)
- Re: GDPR Question Brad Judy (Jan 08)
- Re: GDPR Question Ben Marsden (Jan 08)
- Re: GDPR Question Joanna Grama (Jan 08)
- Re: GDPR Question Adam Menos (Jan 09)