
DATA-PROTECTION Archives


data-protection@JISCMAIL.AC.UK



Subject: CoP - The Internet and WWW
From: Andrew Charlesworth <[log in to unmask]>
Reply-To: [log in to unmask]
Date: Tue, 30 May 2000 16:27:17 +0100
Content-Type: text/plain

Request for comments

The Internet and World Wide Web

General Institutional Webpages

Most HE and FE institutions now have an Internet presence, 
normally in the form of a website containing a range of information 
about the institution.  Within the set of webpages that make up an 
institutional website there will be webpages that contain personal 
data.  The personal data in question is usually in the form of text 
and pictures, and primarily relates to the role that certain 
individuals play in the institution.  That data is, by virtue of the 
background technology, available both outside the institution and 
outside the UK, including countries outside the European 
Economic Area (EEA) that do not have data privacy regimes 
considered adequate by the EU Commission.  Where HE and FE 
institutions use personal data in this way consideration needs to 
be given to the reasons for the display of the data.

Staff personal data which is required to be supplied for the
purposes of the normal organisational functioning and management 
of the institution and, in particular, information which is already 
supplied in publicly available hardcopy publications such as 
Calendars and prospectuses should not require the consent of data 
subjects to be placed on the website.  However, data subjects 
whose personal data is used in this way should be informed of this 
use and must still retain the right to object to the use of their data 
where it would cause them significant damage or distress.

All other non-essential uses of personal data on an institutional
website, including the use of photographs of data subjects for 
general publicity (background shots, panoramas etc.) where the 
data subject is clearly identifiable will require the consent of the 
relevant data subjects.  Where such consent is not forthcoming, 
the personal data in question should not be used. 

* HE and FE institutions may use non-sensitive staff personal data 
on institutional webpages without consent where:

 - its display facilitates the normal organisational functioning and
management of the institution.  This may be indicated by its
inclusion in existing publicly available hardcopy publications.
 - staff are informed that certain personal data will be displayed on
institutional webpages, and have the right to object to the use of
their data where it would cause them significant damage or
distress

* HE and FE institutions should obtain the consent of all data 
subjects, staff and student, to use non-sensitive personal data 
(including photographs) on institutional webpages, where such use 
is not for the purposes of the normal organisational functioning and 
management of the institution (e.g. publicity photographs etc.).

* HE and FE institutions should not use sensitive staff or student 
personal data on institutional webpages without explicit consent.

Institutional Staff and Student Directories

Staff and student on-line telephone and e-mail directories (including 
the X500 database), being essential to the organisational 
functioning and management of HE and FE institutions, should not 
require the consent of the data subjects, if restricted to internal 
use.  However, data subjects whose personal data is used in this 
way should still retain the right to object to the use of their data 
where it would cause them significant damage or distress.

Where staff on-line telephone and e-mail directories are made
available outside the institution for the purposes of the normal 
organisational functioning and management of the institution this 
should not require the consent of data subjects. However, data 
subjects whose personal data is used in this way should be 
informed of this use and should retain the right to object to the use 
of their data where it would cause them significant damage or 
distress.

Where student on-line e-mail directories are made available outside
the institution, this will not be for the purposes of the normal 
organisational functioning and management of the institution and 
thus consent should be obtained from data subjects and they 
should be able to opt out of having their details displayed.

* HE and FE institutions may use internal institutional staff and 
student on-line telephone and e-mail directories where:

 - these facilitate the normal organisational functioning and 
management of the institution.
 - staff and students are informed that certain personal data will be 
included in such directories, and have the right to object to the use 
of their data where it would cause them significant damage or 
distress

* HE and FE institutions may use external staff on-line telephone 
and e-mail directories where:

 - these facilitate the normal organisational functioning and 
management of the institution.
 - staff are informed that certain personal data will be included in 
such directories, and have the right to object to the use of their 
data where it would cause them significant damage or distress

* HE and FE institutions should obtain consent from student data 
subjects before including their personal data in on-line e-mail 
directories available outside the institution and student data 
subjects should be able to opt out of having their details displayed.

Web pages used to collect personal data

Many HE and FE institutions use web pages to collect personal
data, such as names and addresses of individuals who request
documentation e.g. prospectuses.  It is important that the rationale
for data collected is clear, and that no personal data other than that
which is required for the particular transaction is collected.  Use of
web browser “cookies” to track users of institutional websites
should be carried out for specified reasons, and not just because
the software permits it.

* HE and FE institutions should ensure that at the point of
collection (i.e. on the relevant web page) the following information is 
provided to the data subject:

 - the purpose for which the data is collected
 - the recipients or classes of recipients to whom the data may be 
disclosed
 - the period for which the data will be kept

* HE and FE institutions should ensure that subsequent use of the 
data conforms to the information provided to the data subject, and 
before any further subsequent use that was not disclosed at the 
time of collection further consent must be obtained from the data 
subject.

Internet and Intranet Monitoring

In the business environment, it is becoming the norm for
companies to routinely monitor all data held on their equipment and 
to inspect all e-mail and other electronic data entering, leaving, or 
within, their networks.  FE and HE institutions require the ability to 
inspect all data held on their computer equipment, and to inspect 
all e-mail and other electronic data entering, leaving, or within, the 
University network to ensure conformity with:

 - Institutional regulations 
 - Contractual agreements with third parties 
 - UK law

FE and HE institutions are obliged by virtue of the agreement 
entered into with UKERNA to ensure as far as possible that their 
users do not use the SuperJANET system to transmit or transfer 
certain types of electronic data.  They are obliged by law to report 
to the police the discovery of certain types of electronic data, if that 
data is found on their equipment, or transmitted across their 
networks.

Many types of routine computer service tasks will involve members
of FE and HE institutions’ staff (such as network administrators)
having access to various levels of staff and student held data. 
Examples include:

 - e-mail postmasters receiving mail failure notifications will often be 
sent the text of the failed message by the e-mail server which has 
rejected or redirected it. 
 - staff making archive copies from fileservers will, as part of the 
archiving process, often be able to read the names of files held in 
staff and student accounts. 
 - staff sorting output from printers prior to its dissemination to 
users will be able to view the content of that output.

It is inevitable that under these routine circumstances, members of 
staff will, on occasion, and in the course of their legitimate 
organisational functions, be required to access, process and 
possibly disclose personal data held on FE and HE institutions’
computer systems.  Internal guidelines should be provided to
ensure both those running institutional computer systems and 
those using them are aware of the circumstances under which their 
personal data may be accessed, processed and disclosed and the 
safeguards against misuse of that personal data.

* HE and FE institutions may permit authorised staff to access, 
process and disclose personal data held on institutional computer 
systems, where this is required in the course of their legitimate 
organisational functions, and where the institutions are required to 
comply with legal and contractual obligations

* HE and FE institutions should ensure that:

 - authorised staff are adequately informed of the circumstances in 
which they may legitimately access, process and disclose 
personal data held on institutional computer systems
 - institutional computer system users are adequately informed of 
the circumstances in which authorised staff may legitimately 
access, process and disclose personal data held on institutional 
computer systems



* HE and FE institutions should provide:

 - a mechanism for data subjects to object to the accessing,
processing and disclosure of their personal data held on
institutional computer systems where it would cause
them significant damage or distress
 - a mechanism for data subjects to ensure that where personal 
data held on institutional computer systems is accessed, 
processed or disclosed for legitimate organisational functions, or 
where the institutions are required to comply with legal and 
contractual obligations, it is not misused for other purposes

Andrew Charlesworth
Senior Lecturer in IT law
Director, Information Law and Technology Unit
University of Hull Law School
Hull, UK, HU6 7RX
Voice: 01482 466387   Fax:   01482 466388
E-mail: [log in to unmask]




JiscMail is a Jisc service.
