From:   MX%"[log in to unmask]"  "Okey, Andrew"  8-FEB-2001 10:03:55.97
To:     MX%"[log in to unmask]"
CC:
Subj:   RE: Consent to Process Clause

Return-Path: <[log in to unmask]>
Received: from CSDAlpha2.sbu.ac.uk (136.148.1.111) by fire.sbu.ac.uk (MX
          V5.1-AX AnDn) with ESMTP for <[log in to unmask]>;
          Thu, 8 Feb 2001 10:03:54 +0000
Received: from rebo.lancs.ac.uk (rebo.lancs.ac.uk [148.88.16.230]) by
          CSDAlpha2.sbu.ac.uk (8.11.0.Beta1/8.8.8) with ESMTP id f18AAGF21857
          for <[log in to unmask]>; Thu, 8 Feb 2001 10:10:16 GMT
Received: from exchange-ims.lancs.ac.uk ([148.88.17.22]) by rebo.lancs.ac.uk
          with esmtp (Exim 3.16 #2) id 14Qnw1-0001ig-00 for
          [log in to unmask]; Thu, 08 Feb 2001 10:04:17 +0000
Received: by exchange-ims.lancs.ac.uk with Internet Mail Service (5.5.2650.21)
          id <1M721SM7>; Thu, 8 Feb 2001 10:04:21 -0000
Message-ID: <[log in to unmask]>
From: "Okey, Andrew" <[log in to unmask]>
To: "[log in to unmask]" <[log in to unmask]>
Subject: RE: Consent to Process Clause
Date: Thu, 8 Feb 2001 10:04:17 -0000
X-Mailer: Internet Mail Service (5.5.2650.21)

At our last meeting with the OPDC compliance people, we were advised that
extensive/legalistic consent statements were undesirable because they often
obscured what students really needed to know. Given that many data processes in
an HEI are self-evident, any statement given to students should focus more
properly on those things which a student might not be able deduce from their
basic knowledge of how universities work (for example, the chances of an 18
year old knowing who HESA are is very small, so disclosure to HESA should be
mentioned specifically).

I'm with Ian and Sally on this - the Coventry statement seems to obscure/avoid
really crucial points because of its emphasis on extracting some kind of
quasi-legally phrased blanket consent from the student. This seems especially
problematic when it comes to consent for disclosures, which is particularly
sweeping here (NB. intriguingly, Coventry say they will release to
"sponsors......but not to relatives" - this is something the Lancaster DP
project is scratching its head over at the moment, because providing a sensible
definition of "sponsor" which avoids including relatives who pay fees has
proved difficult, and will need careful thought).

One aim of the Lancaster DP project is to provide a few examples (or maybe one
ur-example that can be adapted to taste) of OPDC-approved consent/registration
statements. If anyone else out there has a statement they are happy with, we'd
welcome receiving a copy (email either myself or Mark Mukerji, the project
Officer, at [log in to unmask]).

Andrew Okey
Lancaster DP project

> -----Original Message-----
> From: Sally Justice [SMTP:[log in to unmask]]
> Sent: 08 February 2001 09:33
> To:   [log in to unmask]
> Subject:      Re: Consent to Process Clause
>
> Ian B of Keept it Legal said
>
> # >1)  The Uni will not need consent for all the processing it does, so the
> # >premise contained in the first two sentences is actually incorrect;
>
> Yes I agree with you
>
> I also think it's too long winded, who on earth would understand all that
> at first glance? I think it's missing the point of fair collection notice
> I certainly don't encourage staff to use blanket statements but to think
> about the processing purposes etc and then use an appropriate form of
> words. Things such as 'as regulated by DPA' are completely useless as far
> I am concerned, don't you think so to? what does that mean to joe punter?
> We have agreed a corporate form of words for student applications which says
>
> ..........................................
> I am aware that :-
>
> the University will create and maintain computer and paper
> records on me, both during my course and after I leave the University;
> these records will be processed in compliance with the the Data
> Protection Act 1998.
>
> I consent that the information in the records may be used for reports both
> internally within the university and to external bodies including
> information required for grant, loan and other bursary administration,
> and references to employers  and other organisations.
>
> any comments please?
>
> We also have a statement in the student handbook
> for students who fail to pay their debts to the library/halls etc
> which says we will pass data to our debt collection agency. they cannot
> opt out of this!
>
> I also thought that processing of sensitive data needs express consent
> from a data subject who is quite clear about the processing, not maybe or
> perhaps etc?
>
> # >better to include a tick box at this point, rather than asking them to
> # >contact someone else.  Consent is always best obtained at the time of
> # >collection;
> Yes I agree but I have to say with 20K users and all student accounts
> created automatically we cannot expect users to opt in to our on line
> directory services  as this is part of the service we offer as a
> business as it where. It must be the other way round to opt out. I understand
> this is acceptable to the ODPC
>
> # >4)  Although it seems to be a comprehensive (and long) statement of intent
> it
> # >is rather lacking in substance and appears to give the Uni "carte blanche"
> to
> # >process data to their heart's content.  In fact it doesn't but how many
> # >students will realise that?
> not a good idea I don't think, controllers won't even think about what
> they are doing is have 'carte blanche' I am sure?
>
> Sally Justice
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>     If you wish to leave this list please send the command
>        leave data-protection to [log in to unmask]
>             All user commands can be found at : -
>     www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
> all commands go to [log in to unmask] not the list please!
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^