Dave

I have followed this issue with a great deal of interest since it is very
relevant at the moment, especially with regard to e-Gov and the new inter agency
approach (phone/staff directories are likely to be in high demand).   My advice
would always be go generic, ensuring that contact details are always up to date
and consent therefore no longer an issue.

I was asked the question by our IS department if they could take images of staff
captured originally for the purpose of administering the flexitime-system (image
to appear on clocking in card, but otherwise access to staff images held on
computer restricted to central services staff operating the computer system).

The point you raised about advising staff at data collection what the data is to
used for in relevant. Although it might be argued that we gathered it under the
"necessary for the administration/functioning of the organisation" purpose and
therefore putting the images on the Intranet would be a natural extension of
that (as long as we inform staff), I would go for consent every time.

My argument being that:-

At the point of data collection (taking the photo) we have never informed staff
that a copy of the image will be used for anything other than making their staff
ID card (therefore access to that image is restricted), if we proceed without
informed consent then we risk misleading staff.

We obtained the photos for the purpose of ID cards not to form part of an
internal phone directory.

Almost as important as the Data Protection Act and its principles is the fact we
need the co-operation of staff if we as a Council are to make progress with
e-Government.  If we don't get the consent of staff, we risk sending out the
wrong message to them that we cannot be trusted with their personal data.

My role in all of this (I am also an auditor) is to ensure that we act within
the spirit of the legislation and make a judgement in terms of risk, I consider
the risks of putting staff photos on the Intranet (without consent, especially
if photo might indicate religious tendencies) far outweigh the benefits.
Apologies for rambling but I'm new to bulletin boards!

Chris Gunn
Data Protection Officer/Auditor
Taunton Deane Borough Council

____________________Reply Separator____________________
Subject:    Re: Staff Directory on Internet?
Author: "Dave Wyatt" <[log in to unmask]>
Date:       19/09/2001 22:28

I agree

The DP Act 98 association to this guide comes from using Schedule 2 6
Processing condition coupled with the notice of use (fairness) requirements
in Sch 1 part II section 1 to 3.

Opt out (withdrawal of consent) may not be necessary unless

a) the individual makes a case for substantial damage being caused by the
processing (Section 10)- Unlikely to be a volume problem.
b) An individual argues the balance of proportionality as being in their
favour under the Schedule 2 Section 6 processing condition. - Again unlikely
to be a volume problem

Objectors are generally likely to be few and easily dealt with as occurred.
Provided the request gets to a person empowered to force the correction.

The main problem appears to be ensuring that individuals were / are advised
of the general directory purpose as per conditions in Sch 1 part II section
1 to 3. How difficulat this is dependant on what individuals were advised
when the information was collected.

Not sure from a top of head response whether there are impacts for directory
data in this context in the Telecoms Orders linked to Data Protection.

David Wyatt


> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]]On Behalf Of Taylor, Mike
> Sent: 17 September 2001 17:51
> To: [log in to unmask]
> Subject: Re: Staff Directory on Internet?
>
>
> >
> > It may be possible that you can do the job on an opt out basis, after
> > sufficient warning has been given to your staff and they are
> > invited to opt
> > out. (Now I will be killed for saying that).
>
> Charles
>
> I think you're right. See the document - "JISC data protection code of
> practice for the HE and FE sectors (ver 2.0)" produced by the Information
> Law and Technology Unit at the University of Hull Law School.
>
> http://www.jisc.ac.uk/pub00/dp_code.html
>
> Section 13.2 - quote:
>
> "Where staff on-line telephone and e-mail directories are made
> available on
> the Internet, for the purposes of the normal organisational
> functioning and
> management of the institution, this should not require the consent of data
> subjects. However, data subjects whose personal data is used in this way
> should be informed of this use and should retain the right to
> object to the
> use of their data where it would cause them significant damage or
> distress."
>
> So it seems the opt-out route is permissible, provided the
> institution makes
> all reasonable endeavours to inform staff that they intend to do this at a
> certain point in time and, furthermore, give staff the opportunity to
> opt-out before their directory entry is made available on the
> internet. The
> important phrase here is "normal organisational functioning and management
> of the institution". Note, publishing _student_ email addresses does not
> fall into this category and therefore explicit consent (ie opt-in) of the
> data subject is required.
>
> Regards,
> Mike
>
> --------------------------------------------
> Mike Taylor, Project Manager
> DELTA Project
> The University of Manchester
> 188 Oxford Road, Manchester M13 9GP
>
> t: 0161 2757330
> f: 0161 2758333
> e: [log in to unmask]
> --------------------------------------------
> DELTA - "Delivering the Electronic Learning
>  and Teaching Advantage"
> http://www.delta.man.ac.uk
> --------------------------------------------
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>     If you wish to leave this list please send the command
>        leave data-protection to [log in to unmask]
>             All user commands can be found at : -
>     www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
> all commands go to [log in to unmask] not the list please!
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


IMPORTANT NOTICE.

This communication is intended solely for the person (s) or organisation to whom
it is addressed.  It may contain privileged and confidential information and if
you are not the intended recipient (s), you must not copy, distribute or take
any action in reliance on it.  If you have received this e-mail in error please
notify the sender and copy the message to [log in to unmask]

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^