Thank you for all your hard work on these documents Andrew!

At 16:27 30/05/00 +0100, Andrew Charlesworth wrote:
>Request for comments

My comments are below

>General Institutional Webpages
><snip>
>Staff personal data which is required to be supplied for the
>purposes of the normal organisational functioning and management
>of the institution and, in particular, information which is already
>supplied in publicly available hardcopy publications such as
>Calendars and prospectuses should not require the consent of data
>subjects to be placed on the website.

This runs counter to the advice that the ODPR (as it was then)
gave in their 1997 (?) publication regarding DP and the Internet.
It was made very clear that publication on the Web was a different
matter from publication on paper due to the much greater degree
of availability of the former.  This, plus consideration of the
8th Principle, which doesn't have a "...processing is necessary
for the purposes of legitimate interests pursued by the data
controller..." exemption (which the 1st Principle does) would
mean surely that it would not be wise to just publish on the Web
the personal data that appears in hardcopy publications without
getting consent for such additional publication.

>   However, data subjects
>whose personal data is used in this way should be informed of this
>use and must still retain the right to object to the use of their data
>where it would cause them significant damage or distress.

They must certainly be informed, but I think they would have to
be asked for their consent (opt in) rather than have to prove
damage or distress to be able to opt out.

><snip>
>Institutional Staff and Student Directories
>
>Staff and student on-line telephone and e-mail directories (including
>the X500 database), being essential to the organisational
>functioning and management of HE and FE institutions, should not
>require the consent of the data subjects, if restricted to internal
>use.  However, data subjects whose personal data is used in this
>way should still retain the right to object to the use of their data
>where it would cause them significant damage or distress.

Agreed - internal use can be justified on the basis of "...processing
... necessary for the purposes of legitimate interests pursued by the
data controller..."

>Where staff on-line telephone and e-mail directories are made
>available outside the institution for the purposes of the normal
>organisational functioning and management of the institution this
>should not require the consent of data subjects.

I disagree - see arguments above.  No such exemption from the 8th
Principle is given in the DPA.

>However, data
>subjects whose personal data is used in this way should be
>informed of this use and should retain the right to object to the use
>of their data where it would cause them significant damage or
>distress.

See arguments above.

><snip>
>Web pages used to collect personal data
><snip>
>* HE and FE institutions should ensure that at the point of
>collection (i.e. on the relevant web page) the following information is
>provided to the data subject:
>
>  - the purpose for which the data is collected
>  - the recipients or classes of recipients to whom the data may be
>disclosed
>  - the period for which the data will be kept

I would add:
- and any other information that may be required to ensure
   that the processing is 'fair', just to cover all eventualities !

Best wishes,
Adrian


Adrian Tribe <[log in to unmask]>
Web Editor, Birkbeck College, University of London



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%