In a message dated 04/04/2000 15:09:37 GMT Daylight Time,
[log in to unmask] writes that he got confusing replies to his
original e-mail, which was:
> Who is the Data Controller responsible for personal data obtained,
> processed and maybe disclosed by students in the course of their
> academic studies? Does it make any difference whether the data is
> held on a university computer, the students own or is not
> computerized? Lastly what about data held on university computers by
> students and staff which is not work related and is effectively
> their private data. I know they should not do it but they do.
David
It is essential to separate the data held by the student for academic
purposes from that held for private purposes.
Personal data (i.e relating to living individuals) processed by the student
in the course of their studies is controlled by the University. It sets the
rules for processing, it tells the student what sort of data is required, it
even approves any research project proposed by the student, so the University
is the data controller.
In terms of other personal data held, say for private use, it may fall
outside the scope of the DPA if it is for their personal and private use and
only relates to their personal, domestic or household affairs (or those of
their family). It may also fall outside the Act if it is merely information
about members of an unincorporated members club or a straight mailing list -
but only until 23 October 2001, after that date it must comply with the
Principles, even though (because they are not making a profit) the student
may not have to notify.
If your university allows its computers to be used in this way you should
tell students the rules that apply (i.e. the conditions for private use
exemption and non-profit-making exemption).
If the student is making a profit or goes beyond the rules for qualifying for
the exemptions, the student will be the data controller liable for any
breach. You should make this clear to them, otherwise you may be negligent
or reckless.
Ian Buckland
MD
Keep IT Legal Ltd
Please Note: The information contained in this document does not replace or
negate the need for proper legal advice and/or representation. It is
essential that you do not rely upon any advice given without contacting your
solicitor. If you need further explanation of any points raised please
contact Keep I.T. Legal Ltd at the address below:
55 Curbar Curve
Inkersall, Chesterfield
Derbyshire S43 3HP
(Reg 3822335)
Tel: 01246 473999
Fax: 01246 470742
E-mail: [log in to unmask]
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|