I have been trying to find out the statutory basis for us to return
individual personal data on staff and students to HESA, and whether the
University is acting as data controller or data processor for this.
I have assumed there is a statutory basis otherwise some other criteria will
have to apply to legitimise the processing, and if that were to be consent
how to cope if a data subject withdraws or refuses to consent.
On contacting HESA I was informed that the statutory basis is in the
Financial Memorandum from the Funding Council to the institution. The web
address for HEFCE model version is given below:
http://www.hefce.ac.uk/pubs/hefce/2000/00_25.htm
In this para 28 states
"The institution shall subscribe to HESA and to the QAA. "
and para 24 states
"The institution shall provide the Council, or its agents acting on its
behalf, with whatever information the Council requires to exercise its
functions under the 1992 Act. This information shall be of a satisfactory
quality and shall be provided at the times and in the formats specified by
the Council or its agents. "
Do I assume that HESA is acting as an agent for the Funding Council in all
its requests for personal data? Does anyone know if there is a more explicit
Financial Memorandum which states the precise data to be retruned to HESA?
The above para seems rather too widely drafted, i.e they can ask for
anything!
Mike Lloyd
Assistant Head (Academic)
ISaCS
University of Glamorgan
Llantwit Road
Treforest
Pontypridd CF37 1DL
tel: 01443 482417
email: [log in to unmask]
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|