Dear friends,
As Colin Work and I appeared to be the only 'Web people' present
at the 'DPA 1998 Implications for Higher and Further Education
Institutions - An Update' conference in London yesterday, I
thought others might like a report on two of the Web site
related points raised.
1. 'Consent'
============
Phil Boyd (Senior Compliance Manager at the Office of the
Data Protection Registrar) and others were quizzed quite
extensively about the issue of public on-line e-mail and phone
directories and the exact meaning of 'consent'. Some interesting
points emerged.
If at the time at which the data is gathered from data subjects
for placing in an on-line directory, subjects are asked whether
they object to being included and they do not object, i.e. they
choose not to opt OUT, then that seems to count as consent, both
under the 1984 and 1998 Acts. If, however, you construct the
directory from data you already hold and simply inform the subjects
that you are going to make (or have already made!) a directory
available publicly on your Web site, and give them the opportunity
to opt OUT at that point, failing to get a reply from someone would
probably NOT count as consent - they simply haven't replied, perhaps
because they didn't get your message or didn't understand your
message. In other words, you ought to have an opt IN rather than an
opt OUT policy, if you are intending to create a directory from
subject data you already hold.
Of course, the 1998 Act restriction on transfer of data beyond the
European Economic Area can only be overcome if you have the data
subject's consent anyway, so if the directory is already in place,
you really need a positive opt IN from the subjects to be able to
rely on the consent exemption. Administratively, this is more
cumbersome than having an opt OUT policy, but seems to be the safest
way of ensuring compliance with the Acts.
This way of thinking stems from a decision made by the Data Protection
Tribunal against "Innovations", in which the company acquired contact
data from subjects for sending their catalogues etc, then later informed
the subjects that their details were on a list that was rented out to
others, and that if the subject objected they could have their details
removed by writing to the company and requesting to do so (i.e. an
opt OUT policy). The company relied on a failure to opt out as
amounting to consent to use their details in this way. The Tribunal
found otherwise.
An opt OUT system should still be OK at the point at which data is
gathered (i.e. at the point at which staff/students enter the Uni and
e-mail or telephone accounts are set up).
If you fear that this will result in a fairly incomplete and useless
directory, there may be ways round this. You don't have to use a
form to obtain consent. Phil Boyd suggested having departmental
staff meetings and explaining the intentions of having a public
directory etc and asking staff then to tell you if they want to opt
OUT. That way, you know that the staff concerned got your message
and understood it, so by choosing not to opt OUT they are indeed
giving their consent. Alternatively you could send out forms with
the existing data on it, asking subjects to check its accuracy and
return it, having an 'I opt OUT of the public directory' tick box as
well.
Of course, the complacent will feel that this is a lot of fuss over
nothing and will probably do nothing about it!
2. Students as Data Controllers?
================================
It was suggested that we should assume that students are Data
Controllers as far as any personal data held on their disc space
on the university server(s) is concerned, and that the Uni itself
is then just a Data Processor. This tactic places the duty on the
student, not the Uni, to notify the DP Commissioner re their use of
personal data, in theory absolving the Uni from responsibilities
under the Act for this data.
Personally I think this is an assumption fraught with danger, and I
certainly wouldn't want to rely on it!! What do others think?
Apologies for the length of this e-mail!
Best wishes,
Adrian
Adrian Tribe
Web Editor, CCS, Birkbeck College, Malet Street, London WC1E 7HX
Tel: 0171 631 6291; Mobile: 0403 288192; Fax: 0171 631 6556