I'm concerned about Andrew Cormack's point on usage logs. This University
explicitly states in its staff Internet usage policy that it reserves the
right to monitor web access because it is provided for business use only and
that staff should assume such monitoring is in place.

We consider that fair warning and have indicated that web usage explicitly
gives consent to process.  

I don't think that contravenes the principle of fairness.

Owen Parry
Pennaeth Cyfrifiadura Gweinyddol/
         Head of Administrative Computing
Prifysgol Cymru/
         University of Wales
Tel: (029) 2038 2656   Ffacs/Fax: (029) 2039 6040


-----Original Message-----
From: Andrew Cormack [mailto:[log in to unmask]]
Sent: Tuesday, May 30, 2000 5:04 PM
To: [log in to unmask]; [log in to unmask]
Subject: Re: CoP - The Internet and WWW


At 16:27 30/05/00 +0100, Andrew Charlesworth wrote:
>Request for comments

First very many thanks for this. When published it, and the other 
guidelines, will be very useful to us.

Probably the most common DPA query which comes to JANET-CERT is on the use 
of log files from web and e-mail servers. In conjunction with a list of the 
owners of desktop workstations (which many computer services maintain) I 
can see an argument that this could become personal data. The sorts of 
information which could be gained from these logs include what web pages an 
individual looked at (and when), and with whom (and with what subject) they 
exchanged e-mail messages. I think this information is covered by your 
existing paragraphs, but it might be helpful to include it as one of the 
forms of incidental disclosure.

My response to sites has been that I could see no problem in using this 
information for reasonable operational purposes (e.g. to plan network 
capacity to suit the observed traffic) but that, for example, using it as 
evidence in disciplinary hearings seemed to me to fall well beyond the pale 
of the DPA principle of fairness. I hope that is somewhere near the mark?

Incidentally, the process of monitoring will also be subject to the 
Regulation of Investigatory Powers Bill, if that becomes law, which seems 
to require staff to have formal authority to perform such activities.

Andrew Cormack

>The Internet and World Wide Web
>
>   Internetand Intranet Monitoring
>In the business environment, it is becoming the norm for
>companies to routinely monitor all data held on their equipment and
>to inspect all e-mail and other electronic data entering, leaving, or
>within, their networks.  FE and HE institutions require the ability to
>inspect all data held on their computer equipment, and to inspect
>all e-mail and other electronic data entering, leaving, or within, the
>University network to ensure conformity with:
>
>  - Institutional regulations
>  - Contractual agreements with third parties
>  - UK law
>
>FE and HE institutions are obliged by virtue of the agreement
>entered into with UKERNA to ensure as far as possible that their
>users do not use the SuperJANET system to transmit or transfer
>certain types of electronic data.  They are obliged by law to report
>to the police the discovery of certain types of electronic data, if that
>data is found on their equipment, or transmitted across their
>networks.
>Many types of routine computer service tasks will involve members
>of FE and HE institutions' staff (such as network administrators)
>having access to various levels of staff and student held data.
>Examples include:
>
>  - e-mail postmasters receiving mail failure notifications will often be
>sent the text of the failed message by the e-mail server which has
>rejected or redirected it.
>  - staff making archive copies from fileservers will, as part of the
>archiving process, often be able to read the names of files held in
>staff and student accounts.
>  - staff sorting output from printers prior to its dissemination to
>users will be able to view the content of that output.
>
>It is inevitable that under these routine circumstances, members of
>staff will, on occasion, and in the course of their legitimate
>organisational functions, be required to access, process and
>possibly disclose personal data held on FE and HE institutions'
>computers systems.  Internal guidelines should be provided to
>ensure both those running institutional computer systems and
>those using them are aware of the circumstances under which their
>personal data may be accessed, processed and disclosed and the
>safeguards against misuse of that personal data.

--------------------------------------------------------------
Andrew Cormack
Head of CERT
UKERNA, Atlas Centre, Chilton, Didcot, Oxon. OX11 0QS

Phone:  01235 822 302    E-mail: [log in to unmask]
Fax:    01235 822 398


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%