* re privacy - the fact that someone with authority (over the domain) has requested said reports suffices for GDPR legal/consent coverage

IANAL, but that’s my understanding as well. If it would be helpful, I can get a formal legal opinion and a statement from the UK Information Commissioner’s Office.

Ta.

I.

--
Dr Ian Levy
Technical Director
National Cyber Security Centre
Staff Officer : Kate Atkins, [email protected]

From: dmarc <[email protected]> On Behalf Of Kurt Andersen (b)
Sent: 17 March 2018 09:41
To: Steven M Jones <[email protected]>
Cc: [email protected]
Subject: Re: [dmarc-ietf] Agenda for IETF 101 DMARC session

On Fri, Mar 16, 2018 at 10:47 AM, Steven M Jones <[email protected]> wrote:

On 3/15/18 10:19 AM, Kurt Andersen (b) wrote:

* Creating a diagnostic report that would have some additional information (such as sending address) and URLs without going quite as far as a forensic report - so something between the aggregate and forensic levels

I'm probably missing something, but -- aren't email addresses usually classed as PII in the EU, whether they're sending or receiving at the moment? Seems to me it would run afoul of the privacy regs that tend to rule out forensic reports in certain jurisdictions...

Maybe there's a batch/aggregate angle vs. per-message that helps avoid that concern? Would time and URLs alone be useful enough to warrant the effort and expense?

There are two aspects to this -

1. batching (lightens the load for reporting receivers), and
2. re privacy - the fact that someone with authority (over the domain) has requested said reports suffices for GDPR legal/consent coverage

--Kurt

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to [email protected]
