Comments (with ------>) on extracts from:
>
> The Internet and World Wide Web
>
> General Institutional Webpages
>
...The personal data in question is usually in the form of text
> and pictures,
----> "text and sometimes pictures" ?
That data is, by virtue of the background technology, available both outside
the institution and outside the UK, including countries outside the European
> Economic Area (EEA) ...
-----> Might it be as well here to add or make explicit a note that the
publication via Web actually runs counter (by definition) to DP Principle 8.
It has always seemed to me to be an unstoppable argument to offer to those who
pooh-pooh examples of estranged or deranged partners living elsewhere in the
UK. Something like: "Such data, when released on the Worldwide Web, by
definition goes beyond the E...E...A..., and therefore contravenes the Eighth
DP Principle unless (for example) one has the consent of the data subject.
Even without this technicality, it is a very open form of publication, and data
subjects should be able to exert their normal rights (as in DP Principle 6)."
> Staff personal data which is required to be supplied for the
> purposes of the normal organisational functioning and management
> of the institution...
------> this - in its various appearances - seems very good to me.
However, data subjects whose personal data is used in this way should be
informed of this
> use and must still retain the right to object to the use of their data
> where it would cause them significant damage or distress..
----> One question here is that the Act (S.10) says that people can object if
there is to be substantial damage or s. distress AND if said d. or d. is
unwarranted. Would it be wise to build in some notion that the data subject
can't just say "Sorry, nope, it would cause me great distress. Full stop." and
that (s)he would need to show that the likelihood outweighed the benefit to the
institution or the requirements of the job? Same for Directories later.
> All other non-essential uses of personal data on an institutional
> website, including the use of photographs of data subjects for
> general publicity (background shots, panoramas etc.) where the
> data subject is clearly identifiable will require the consent of the
> relevant data subjects.
-------> I have a slight worry about this - and website can be extended to
propectus. We all have some great photos of our places (street scenes,
students sitting on lawns, let alone labs) with photos which surely make people
identifiable. I suppose technically this is what is meant by "identity" in the
Act (no name is necessary). But Student X who was snapped while cycling down
the High Street surely need not/cannot be stopped to ask for permission, even
if the HEI/FEI were to go to the lengths of checking back for permission of
Student Y caught leaving the stage after graduating. I would have thought that
insistence on permission for this general background material would show excess
of zeal, and would very soon bump into the "disproportionate effort" category.
So I'd tone it down to suggest that where institution is taking photos with
intention of later use for publicity (Web or not) every reasonable effort
should be made to check permission of participants.
>
> Web pages used to collect personal data
> * HE and FE institutions should ensure that at the point of
> collection (i.e. on the relevant web page) the following information is
> provided to the data subject:
[...]
> > - the period for which the data will be kept
------> I'm not so clear why the period of rentention is needed here, more
than in any other material - and presumably it is possible to use "no longer
than is necessary". For relevant Web page, would it not be very sensible for
institutions just to have an all-purpose note on such policy matters on a
central page - then pages which collect would link to that. (This may seem
obvious, and perhaps it was intended, but it does link to comments elsewhere
about indicating things on paper forms at point of collecting data - the Web
makes such duplication unnecessary, I think.)
-----> All points about monitoring/checking (like all those many points not
commented) are excellent. Thanks, Andrew
----------------------
Dr Trevor Field
Senior Assistant Secretary
University of Aberdeen
++44 (0)1224 272077
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|