I've had quite detailed passage of email on this with the DP Compliance
Officer concerning whether we needed explicit consent to publish staff email
addresses on our web site, particularly in view of the fact that the
information has appeared on the web site before the Act and in several
University (printed) publications.

I include here the answer and reasoning behind his position and hope it
helps resolve your query:

Start  Quote:
-------------

It seems to me that it is important to distinguish between two questions.
The first is whether or not e-mail addresses constitute personal data.  It
seems to me that an e-mail address such as your own clearly falls within the
definition of personal data in that it identifies a living individual.  The
purpose for which personal data in question may be processed, whether for
business or private use, is not relevant to the judgement as to whether or
not a particular item constitutes personal data.  

The second question concerns the right of individuals to object to the
processing of their personal data.  The eight data protection principle
requires that personal date should not be transferred outside the European
Economic Area unless adequate safeguards for the protection of individuals
exists.  Since placing personal data on a website is a tantamount to
allowing its transfer outside the European Economic Areas to states where
there is no data protection legislation, this principle would appear to
prevent the placing of personal data including e-mails on websites.
However, the Act is by no means as absolute as it appears at first sight.
In considering whether there are appropriate safeguards for the protection
of individuals it is necessary to carry out a basic risk assessment.  If the
effect of placing an e-mail address on a website is simply that it allows a
member of your staff to be contacted from anywhere in the world, you may
wish to argue that there is no additional risk as compared to say the
publication of the names of academic staff in a university year book or
directory.  While this argument would certainly hold a good for academic
staff, there may be arguments to the contrary in respect of certain junior
members of staff whose details may not normally be made publicly available.
The same would certainly be true of students who would not normally expect
the fact that they had enrolled on particular courses to be made publicly
available.  Certainly most universities have policies in place to prevent
the disclosure of names, addresses, telephone numbers etc. of students to
casual enquiries.  In the case of students, therefore, it would seem to me
there is an appreciable risk to the privacy of individuals by placing their
details on a website.

End Quote
----------------------- 

Owen Parry
Pennaeth Cyfrifiadura Gweinyddol/
         Head of Administrative Computing
Prifysgol Cymru/
         University of Wales
Tel: (029) 2038 2656   Ffacs/Fax: (029) 2039 6040


-----Original Message-----
From: Martin Jones [mailto:[log in to unmask]]
Sent: 20 July 2000 13:04
To: [log in to unmask]
Subject: Staff Contact Details


Hi,

we have a research and commercial dept. who wish to place Staff 
Contact Details (in particular by Speciality/Research Area) on the 
Web.  This info currently exists in a book published by ourselves, 
but would we need to get explicit permission from the100 or so 
individuals before we could publish this electonically ???

Thanks,
Martin


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%