In a message dated 05/04/2000 11:46:30 GMT Daylight Time, [log in to unmask]
writes:
<< After David Marsh posted the original query I looked at the ODPC guidance
and drew the opposite conclusion. Students may collect, compile and disclose
data in the course of their studies without any employee of the University
ever having sight or meaningful control of it, regardless of whether any of
the processing is done on University facilities or not. For example, a
student may receive supervision in the course of a project which uses a
questionnaire, but it is frequently the source of complaint that this is
insufficient for academic purposes. The data may only come into the hands of
the University employees at present in an anonymised form. If over-stretched
academics or technical support staff are going to be lumbered with DPA
responsibility for the data collected, they're going to have to do a lot more
than tell students what the rules are, aren't they? If Universities are
controllers of such data, aren't the student also controllers? Does this make
any difference?
Sorry if I'm just muddying the water >>
If your assumptions are correct about employees having to have sight of the
data to make the Uni a controller, I wonder why every "over-stretched" head
teacher in England and Wales had to register "Projects undertaken by pupils
in the course of their studies" as a purpose and had to issue instructions to
the teachers on compliance with the DPA? And how come all governing bodies
had to register as data users despite the fact they generally didn't use the
school computers? Is it also not the case that where data are processed by
an outside contractor the client is still the data controller even though
they might never see the data again?
Maybe I've just misunderstood what "data controller" actually means, but in
my view:
a) if the student would not be undertaking the research were it not for being
on that particular course; and/or
b) the university decides what information it requires to prove a theory;
and/or
c) the university retains the evidence after the person finishes the course;
and/or
d) the university uses the data to check the validity/accuracy of the
statistics/ conclusions; and/or
e) the university provides not just the computer and software but also the
security and backup and maintenance facilities, and controls who has access
(and who does not), then . . .
. . . the university is likely to be the data controller. But if it also
allocates space for private use by the students and does not monitor its
usage, surely it cannot control the contents of that area.
Muddy waters run deep.
Ian Buckland
MD
Keep IT Legal Ltd
Please Note: The information contained in this document does not replace or
negate the need for proper legal advice and/or representation. It is
essential that you do not rely upon any advice given without contacting your
solicitor. If you need further explanation of any points raised please
contact Keep I.T. Legal Ltd at the address below:
55 Curbar Curve
Inkersall, Chesterfield
Derbyshire S43 3HP
(Reg 3822335)
Tel: 01246 473999
Fax: 01246 470742
E-mail: [log in to unmask]
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|