Update on my attempt to determine who is responsible under the Data
Protection Act for personal data collected by HESA. Looks like we have to
wait for the outcome of further deliberatons.
Reply from HESA:
HESA are not in a position to give a definitive answer to your questions at
present as we are awaiting advice from DfEE, Funding Councils and their
legal advisers. I will be in touch when we have that advice.
-----Original Message-----
From: Lloyd M J B (ISaCS) [mailto:[log in to unmask]]
Sent: 23 August 2000 09:46
To: <snip>
Subject: HESA, Funding Councils and the Data Protection Act
Dear <snip>,
I have been given your name by HESA Liaison as the Data Protection
contact at HESA.
As part of my duties, I am responsible for advising the University
on compliance with the Data Protection Act 1998.
I have been trying to ascertain the exact statutory basis for our
return of staff and student data to HESA and which organisation is acting as
data controller. I have attached correspondence with HEFCW on this matter.
Advice over the phone from HESA was that the statutory basis was in
the Financial Memorandum from HEFCW. HEFCW have confirmed that the F&HE
Education Act 1992 is the statute authorising collection of data related to
funding matters. However, HEFCW see HESA as the data controller.
It is my understanding of the Data Protection Act, that the Funding
Councils are the data controllers as they have the statutory duty to collect
and process this information. HESA and individual HE establishment will be
acting as data processors. In any case, there should be formal contracts for
the processing of this personal data.
I would be grateful if you would let me know your view on HESA's
status in these matters.
<<RE: Statutory requirement to send data to HESA>>
Mike Lloyd
Assistant Head (Academic)
ISaCS
University of Glamorgan
Llantwit Road
Treforest
Pontypridd CF37 1DL
tel: 01443 482417
email: [log in to unmask]
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|