WRT to the information security point:
> I am not sure the information security approach works. The quick counter
> argument is to show that the material has been scanned and is clear of
> viruses or malware. If that is the case, then the information security
> or the integrity of the system is moot.
This rather misses the point of such a policy, which is not to treat
material on case-by-case basis, as that is to (surely erroneously) assume
that all staff are technically literate enough to ensure their material is
clean. Such a policy bars all private material because it only takes one
member of staff fail to sanitize their material properly for the system to
be potentially compromised. Therefore, whether an individual staff member
can demonstrate 'clean' material is irrelevant to the objective of the
policy, and thus irrelevant to the question of whether it is OK for them to
import the material.
WRT (one last time) to the DP angle:
> The problem, as I see it, is that personal information has been uploaded
> onto an organisation's systems and computers without consent. Once it is
> on the system, the organisation becomes a data controller. If someone
> gives you a package and you accept it into your home, you are potentially
> liable for what is inside the package because it is in your possession.
> The DPA does state that the data controller is one who stores the
> personal data.
The first sentence is correct " ... personal data has been uploaded onto an
organisation's systems and computers without consent."
The second sentence is wrong. "Once it is on the system, the organisation
becomes a data controller." It does not (even if it is a public
authority), see (s.1(1) DPA 1998).
The third sentence is, and remains, a non sequiteur in this context, no
matter how often repeated.
The fourth sentence is wrong. "The DPA does state that the data controller
is one who stores the personal data." It does not, see (s.1(1) DPA 1998).
The determining factor in DP is not who is holding the data (hence the
differentiation between data controllers and data processors), but, as I
noted, "who (either alone or jointly or in common with other persons)
determines the purposes for which and the manner in which any personal data
are, or are to be, processed" (s.1(1) DPA 1998). That is the precise
statutory definition of a 'data controller'.
S.1(1)(e), as Peter notes, is irrelevant to this determination, as it does
not change the definition of data controller. Even if it was potentially
relevant, the data referred to would already be caught by S.1(1)(a) DPA and
thus S.1(1)(e) is not triggered. Further speculation, however well
researched, built on the basis of s.1(1)(e) is thus built on sand.
For the record, "held" is clearly NOT synonymous with "stored"; although as
Lawrence notes, what it *does* mean is not wholly clarified.
The Council makes no determination about the purposes for which, and the
manner in which the personal data (the photographs) are, or are to be,
processed. Therefore the Council is not a data controller for the purposes
of the DPA. The staff member does make a determination about the purposes
for which, and the manner in which the personal data (the photographs) are,
or are to be, processed (dissemination to friends) and thus is a data
controller (but the images probably fall under s.36 DPA Domestic purposes).
Where the data is stored is simply not relevant for DP purposes, it's the
determination of purpose of processing which is the key.
- If I process work data about my students on my work computer, it is
personal data for which my university determines the purposes for which and
the manner in which any personal data are, or are to be, processed. My
university is the data controller and not me. If I lose it, the university
is responsible in DP terms, as data controller. I will probably be subject
to internal disciplinary proceedings, as my university has specific
regulations on the safe handling of student data by staff.
- If I process my local caving club's records on my university computer,
the University does not determine the purposes for which and the manner in
which any personal data are, or are to be, processed (running the caving
club). The university is not the data controller, and if I lose the data,
the University will face no sanction under the DPA or I under the
university's DP-related regulations. Depending on the arrangements between
the club and myself, either I or the caving club could face sanction as the
data controller.
- If my University regulations state that I may not use university
computer systems for personal or non-work related matters, my processing of
the caving club's records on my university computer will breach those
regulations, and may lead to disciplinary action, regardless of whether
they are stored safely or not for DP purposes.
- If the University provides storage for personal or non-work related
matters, and I use it to process my local caving club's records, it is up
to me (or the club) as data controller to determine whether the
university's facilities are adequate to meet my obligations as a data
controller. The University is at most simply a data processor, it holds no
direct DP obligations, except those which it enters into with me as the
data controller. If the records are lost because the system is insecure,
that's my problem as a data controller. If the university has
contractually agreed to ensure safe storage, then I may be able to mitigate
any losses incurred as a result of data subject action against me by
pursuing the University for breach. Otherwise, I'm on my own.
> The key for me is that the organisation has not consented to receive the
> information on its system and once on its system it is held for the
> purposes of the FOIA (albeit against its will) and for the purposes of
> the DPA. (With the caveat mentioned above.)
I would refer to the ICO' guidance, again, in terms of FOI (only)
b) Personal written communications (emails, etc)
In most circumstances private emails sent or received by staff in the
workplace
would not be held by the authority as it has no interest in them. It will
be a
question of fact and degree whether a public authority does hold them,
dependent on the level of access and control it has over the e mail system
and
on the computer use policies. It is likely to be the exception rather than
the rule
that the public authority does hold them.
Problems can arise with hybrid emails, those which contain a mixture of
personal
content and that relating to the duties of the employee. The information
which
falls within the latter classification is potentially disclosable, and so
as part of
good email management the formulation of such emails should be avoided.
<http://www.ico.gov.uk/upload/documents/library/freedom_of_information/detailed_specialist_guides/awareness_guidance_12_info_caught_by_foi_act.pdf>
In terms of the DPA, the question cannot arise as the Council cannot, by
clear statutory definition, be the data controller for the private material.
> In sum, I would argue that uploading personal images or information onto
> an organisation's computer system without permission will put the
> organisation in breach of the DPA unless there are specific policies,
> procedures and guidance in place stating that this is not acceptable. Or
> to put it positively, anyone wanting to upload personal information onto
> the organisation's system needs to have the consent (permission) of the
> organisation. If the information has been uploaded without consent of the
> organisation, the organisation (as a data controller) can take steps, as
> authorised by the DPA (and any other legislation) to remove the
> information so that it complies with the DPA. In one sense, the
> organisation is in danger of holding personal information that is
> incompatible with the purposes for which it notified the ICO.
>
> I am happy to be corrected on any of these points as this is something I
> want to get right if only for my own understanding of the DPA.
In rebuttal:
1) The organization cannot be in breach of the DPA as a 'data controller',
because it is not, by statutory definition, a 'data controller'.
2) The staff member may breach the DPA - they are the 'data controller' for
that material, as they are the ones determining the purposes for which, and
the manner in which the personal data are, or are to be, processed.
3) I am unclear as to what section of the DPA the organisation could have
breached regarding the material, as it is not the 'data controller'. I
would be interested in Lawrence's thoughts on this point.
4) As an employer, you are perfectly within your rights to
a) refuse to let your systems be used for their private purposes by your
staff;
b) subject to the conditions in the RIPA and the LBPR, to monitor to ensure
that this is the case.
I think I've now said all that I can say on this thread, and if Lawrence
remains unconvinced, then I doubt I'm going to change his mind through
further discussion. In the long run, I suppose on a pragmatic view if a
Council wishes to bar staff from uploading private material (including
material containing personal data) onto its computers, then for 99% of
people, that's all that's relevant. The precise rationale for a Council
doing so is not going to worry them unduly - so "the DPA 1998 says 'No'" is
as good a reason as any, even if the precise reasoning behind the policy
is, in my opinion, erroneous. I also doubt many people are going to
subject that reasoning to the degree of scrutiny that this group can being
to bear, or be able to identify the flaws in it.
This whole discussion is, I think, another argument for the need to review
the DP regime, which, it will be clear from the debate, is an extremely
blunt tool to address the complexities of the modern technology environment
- I'm willing to bet that when the EU Directive was being debated in the
late 1980s, the fact that national implementing legislation would have to
deal with situations as complex as individuals (as data controllers in
their own right) importing privately generated digital materials containing
personal data into their employer's computer systems, was not considered in
any detail...
Andrew
Andrew Charlesworth
Reader in IT and Law
Director, Centre for IT and Law
School of Law/Department of Computer Science
University of Bristol
Wills Memorial Building
Queens Road, Bristol BS8 1RJ
Tel: 0117 954 5633 (CompSci)
Fax: 0117 954 5208 (CompSci)
E-mail: [log in to unmask]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|