Thanks Ian for the reply.
>If your assumptions are correct about employees having to have sight of
the data to make the Uni a controller, I wonder why every "over-stretched"
head teacher in England and Wales had to register "Projects undertaken by
pupils in the course of their studies" as a purpose and had to issue
instructions to the teachers on compliance with the DPA? And how come all governing bodies had to register as data users despite the fact they generally didn't use the school computers?
You may be right. However school students are generally not adult and HE students generally are. I suggest that, although it may not be entirely clear, there is a different legal relationship. Governing bodies are responsible for all kinds of functions they don't carry out and institutions employ a contractor - again it's a different legal relationship than supervisor and student. Institutions may purport to sweeping intellectual property rights - does that cover this?
>Maybe I've just misunderstood what "data controller" actually means, but
in my view:
>a) if the student would not be undertaking the research were it not for
being on that particular course; and/or
>... then . . .
>. . . the university is likely to be the data controller.
The ODPC guidance says:
Data controller means a person who (either alone or jointly or in common with other persons)determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Do universities 'determine' these things for students, even in legal fiction? I wonder whether you hold the same view if this is the *only* point on the list that applies. What do other people think?
Paul
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|