Request for comments
The Internet and World Wide Web
General Institutional Webpages
Most HE and FE institutions now have an Internet presence,
normally in the form of a website containing a range of information
about the institution. Within the set of webpages that make up an
institutional website there will be webpages that contain personal
data. The personal data in question is usually in the form of text
and pictures, and primarily relates to the role that certain
individuals play in the institution. That data is, by virtue of the
background technology, available both outside the institution and
outside the UK, including countries outside the European
Economic Area (EEA) that do not have data privacy regimes
considered adequate by the EU Commission. Where HE and FE
institutions use personal data in this way consideration needs to
be given to the reasons for the display of the data.
Staff personal data which is required to be supplied for the
purposes of the normal organisational functioning and management
of the institution and, in particular, information which is already
supplied in publicly available hardcopy publications such as
Calendars and prospectuses should not require the consent of data
subjects to be placed on the website. However, data subjects
whose personal data is used in this way should be informed of this
use and must still retain the right to object to the use of their data
where it would cause them significant damage or distress.
All other non-essential uses of personal data on an institutional
website, including the use of photographs of data subjects for
general publicity (background shots, panoramas etc.) where the
data subject is clearly identifiable will require the consent of the
relevant data subjects. Where such consent is not forthcoming,
the personal data in question should not be used.
* HE and FE institutions may use non-sensitive staff personal data
on institutional webpages without consent where:
- its display facilitates the normal organisational functioning and
management of the institution. This may be indicated by its
inclusion in existing publicly available hardcopy publications.
- staff are informed that certain personal data will be displayed on
institutional webpages, and have the right to object to the use of
their data where it would cause them significant damage or
distress
* HE and FE institutions should obtain the consent of all data
subjects, staff and student, to use non-sensitive personal data
(including photographs) on institutional webpages, where such use
is not for the purposes of the normal organisational functioning and
management of the institution (e.g. publicity photographs etc.).
* HE and FE institutions should not use sensitive staff or student
personal data on institutional webpages without explicit consent.
Institutional Staff and Student Directories
Staff and student on-line telephone and e-mail directories (including
any X.500 directory service), being essential to the organisational
functioning and management of HE and FE institutions, should not
require the consent of the data subjects, if restricted to internal
use. However, data subjects whose personal data is used in this
way should still retain the right to object to the use of their data
where it would cause them significant damage or distress.
Where staff on-line telephone and e-mail directories are made
available outside the institution for the purposes of the normal
organisational functioning and management of the institution this
should not require the consent of data subjects. However, data
subjects whose personal data is used in this way should be
informed of this use and should retain the right to object to the use
of their data where it would cause them significant damage or
distress.
Where student on-line e-mail directories are made available outside
the institution, this will not be for the purposes of the normal
organisational functioning and management of the institution and
thus consent should be obtained from data subjects and they
should be able to opt out of having their details displayed.
* HE and FE institutions may use internal institutional staff and
student on-line telephone and e-mail directories where:
- these facilitate the normal organisational functioning and
management of the institution.
- staff and students are informed that certain personal data will be
included in such directories, and have the right to object to the use
of their data where it would cause them significant damage or
distress
* HE and FE institutions may use external staff on-line telephone
and e-mail directories where:
- these facilitate the normal organisational functioning and
management of the institution.
- staff are informed that certain personal data will be included in
such directories, and have the right to object to the use of their
data where it would cause them significant damage or distress
* HE and FE institutions should obtain consent from student data
subjects before including their personal data in on-line e-mail
directories available outside the institution and student data
subjects should be able to opt out of having their details displayed.
Web pages used to collect personal data
Many HE and FE institutions use web pages to collect personal
data, such as names and addresses of individuals who request
documentation e.g. prospectuses. It is important that the rationale
for data collected is clear, and that no personal data other than that
which is required for the particular transaction is collected. Use of
web browser “cookies” to track users of institutional websites
should be carried out for specified reasons, and not just because
the software permits it.
* HE and FE institutions should ensure that at the point of
collection (i.e. on the relevant web page) the following information is
provided to the data subject:
- the purpose for which the data is collected
- the recipients or classes of recipients to whom the data may be
disclosed
- the period for which the data will be kept
* HE and FE institutions should ensure that subsequent use of the
data conforms to the information provided to the data subject, and
before any further subsequent use that was not disclosed at the
time of collection further consent must be obtained from the data
subject.
Internet and Intranet Monitoring
In the business environment, it is becoming the norm for
companies to routinely monitor all data held on their equipment and
to inspect all e-mail and other electronic data entering, leaving, or
within, their networks. FE and HE institutions require the ability to
inspect all data held on their computer equipment, and to inspect
all e-mail and other electronic data entering, leaving, or within, the
institutional network to ensure conformity with:
- Institutional regulations
- Contractual agreements with third parties
- UK law
FE and HE institutions are obliged by virtue of the agreement
entered into with UKERNA to ensure as far as possible that their
users do not use the SuperJANET system to transmit or transfer
certain types of electronic data. They are obliged by law to report
to the police the discovery of certain types of electronic data, if that
data is found on their equipment, or transmitted across their
networks.
Many types of routine computer service tasks will involve members
of FE and HE institutions’ staff (such as network administrators)
having access to various levels of staff and student held data.
Examples include:
- e-mail postmasters receiving mail failure notifications will often be
sent the text of the failed message by the e-mail server which has
rejected or redirected it.
- staff making archive copies from fileservers will, as part of the
archiving process, often be able to read the names of files held in
staff and student accounts.
- staff sorting output from printers prior to its dissemination to
users will be able to view the content of that output.
It is inevitable that under these routine circumstances, members of
staff will, on occasion, and in the course of their legitimate
organisational functions, be required to access, process and
possibly disclose personal data held on FE and HE institutions'
computer systems. Internal guidelines should be provided to
ensure that both those running institutional computer systems and
those using them are aware of the circumstances under which
personal data may be accessed, processed and disclosed, and of the
safeguards against misuse of that personal data.
* HE and FE institutions may permit authorised staff to access,
process and disclose personal data held on institutional computer
systems, where this is required in the course of their legitimate
organisational functions, and where the institutions are required to
comply with legal and contractual obligations
* HE and FE institutions should ensure that:
- authorised staff are adequately informed of the circumstances in
which they may legitimately access, process and disclose
personal data held on institutional computer systems
- institutional computer system users are adequately informed of
the circumstances in which authorised staff may legitimately
access, process and disclose personal data held on institutional
computer systems
* HE and FE institutions should provide:
- a mechanism for data subjects to object to the accessing,
processing and disclosure of their personal data held on
institutional computer systems where it would cause them
significant damage or distress
- a mechanism for data subjects to ensure that where personal
data held on institutional computer systems is accessed,
processed or disclosed for legitimate organisational functions, or
where the institutions are required to comply with legal and
contractual obligations, it is not misused for other purposes
Andrew Charlesworth
Senior Lecturer in IT law
Director, Information Law and Technology Unit
University of Hull Law School
Hull, UK, HU6 7RX
Voice: 01482 466387 Fax: 01482 466388
E-mail: [log in to unmask]