At 16:27 30/05/00 +0100, Andrew Charlesworth wrote:
>Request for comments
First, very many thanks for this. When published, it and the other
guidelines will be very useful to us.
Probably the most common DPA query which comes to JANET-CERT is on the use
of log files from web and e-mail servers. In conjunction with a list of the
owners of desktop workstations (which many computer services maintain) I
can see an argument that this could become personal data. The sorts of
information which could be gained from these logs include what web pages an
individual looked at (and when), and with whom (and with what subject) they
exchanged e-mail messages. I think this information is covered by your
existing paragraphs, but it might be helpful to include it as one of the
forms of incidental disclosure.
My response to sites has been that I could see no problem in using this
information for reasonable operational purposes (e.g. to plan network
capacity to suit the observed traffic) but that, for example, using it as
evidence in disciplinary hearings seemed to me to fall well beyond the pale
of the DPA principle of fairness. I hope that is somewhere near the mark?
Incidentally, the process of monitoring will also be subject to the
Regulation of Investigatory Powers Bill, if that becomes law, which seems
to require staff to have formal authority to perform such activities.
Andrew Cormack
>The Internet and World Wide Web
>
> Internet and Intranet Monitoring
>In the business environment, it is becoming the norm for
>companies to routinely monitor all data held on their equipment and
>to inspect all e-mail and other electronic data entering, leaving, or
>within, their networks. FE and HE institutions require the ability to
>inspect all data held on their computer equipment, and to inspect
>all e-mail and other electronic data entering, leaving, or within, the
>University network to ensure conformity with:
>
> - Institutional regulations
> - Contractual agreements with third parties
> - UK law
>
>FE and HE institutions are obliged by virtue of the agreement
>entered into with UKERNA to ensure as far as possible that their
>users do not use the SuperJANET system to transmit or transfer
>certain types of electronic data. They are obliged by law to report
>to the police the discovery of certain types of electronic data, if that
>data is found on their equipment, or transmitted across their
>networks.
>Many types of routine computer service tasks will involve members
>of FE and HE institutions' staff (such as network administrators)
>having access to various levels of staff and student held data.
>Examples include:
>
> - e-mail postmasters receiving mail failure notifications will often be
>sent the text of the failed message by the e-mail server which has
>rejected or redirected it.
> - staff making archive copies from fileservers will, as part of the
>archiving process, often be able to read the names of files held in
>staff and student accounts.
> - staff sorting output from printers prior to its dissemination to
>users will be able to view the content of that output.
>
>It is inevitable that under these routine circumstances, members of
>staff will, on occasion, and in the course of their legitimate
>organisational functions, be required to access, process and
>possibly disclose personal data held on FE and HE institutions'
>computer systems. Internal guidelines should be provided to
>ensure both those running institutional computer systems and
>those using them are aware of the circumstances under which their
>personal data may be accessed, processed and disclosed and the
>safeguards against misuse of that personal data.
--------------------------------------------------------------
Andrew Cormack
Head of CERT
UKERNA, Atlas Centre, Chilton, Didcot, Oxon. OX11 0QS
Phone: 01235 822 302
Fax: 01235 822 398