----- Original Message -----
From: Hubert, Paul [STU] <[log in to unmask]>
Sent: Wednesday, April 05, 2000 1:04 PM
Subject: RE: Student Computing
Follow on to the debate between Ian Buckland and Paul Hubert which has
culminated so far in:-
> The ODPC guidance says:
> Data controller means a person who (either alone or jointly or in common
with other persons)determines the purposes for which and the manner in which
any personal data are, or are to be, processed.
>
> Do universities 'determine' these things for students, even in legal
fiction? I wonder whether you hold the same view if this is the *only* point
on the list that applies. What do other people think?
>
The university cannot be the data controller for the students private
material. To take on that responsibility would clearly leave it holding
excessive information for the purpose.
If the university does not provide students with sufficient guidance in
their use of computers (including data protection act training) to enable
the students to know how to follow the DPA requirements it (the uni) is in
breach of Principle 7 - the appropriate security principle.
e.g. Appropriate technical and organisational measures shall be taken
against unauthorised or unlawful processing of personal data.............
A nice little loop which I interpret means that organisations have to take
control of what their equipment is used for!!
Any other views regarding this.....
Ian Welton
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|