I wonder if I could pass on this real but edited request for info, partly as a
check on action to be taken and partly to help others who may in future
have similar situations. I just received this request from a colleague in
central administration, referring to Department XX.
"Dept X want me to give them addresses and info on XX students to do some
marketing research for XX courses. I have told them so far that I will not do
this as they are using an outside company to carry out the research. I have
offered, as usual, if they send us the info we would pass it on to students but
they do not want to do this. What do you think?"
======
What I think is that (since we are covered for such activity under at least one
purpose of previous registration) it would be ok to use "agents" in this way,
but only if a contract was drawn up which stipulated safeguards against further
use or disclosure. Subject to a contract, release outside is not really
different from release/disclosure within the organisation.
I also assume that since this will probably count as NEW processing, all
relevant provisions of the new Act will apply - and if the data includes
sensitive data there will a need for appropriately worded notes and consent.
The precise point I would like to check is the apparent local custom whereby
hitherto we have gone "to the top" for authorisation to release any personal
data to outside agents. Am I right in assuming that there is no NECESSARY
reason why one should get such top-level permission. If the action is legal,
it's legal. (The creation of a contract may, of course, be a reason for
bringing in a senior officer, but that is a different issue).
----------------------
Dr Trevor Field
Senior Assistant Secretary
University of Aberdeen
++44 (0)1224 272077
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|