Apologies for this long message.  I hope others will find this
correspondence useful. I have the agreement of Ian Gross to post his
comments.

I think the message is saying that the Funding Councils because they can ask
for any data under the FE&HE Act 1992, we have to comply and yet we remain
the data controller.

It is my understanding that,for example, in complying with employment law or
health and safety legislation, we will be the data controller, but where a
body has a statutory to process data, e.g a Funding Council,  it is the data
controller and in those circumstances we would be the data processor.

I would welcome others' comments on this.

Mike

> ----------
> From:         Ian GROSS (7169)
> Sent:         Thursday, April 26, 2001 10:56 AM
> To:   'Lloyd M J B (ISaCS)'
> Subject:      RE: FDS Survey for HE's
>
> Mike
>
> Your request requires a longer answer than the shorthand comment we gave
> previously. In summary, for this audit HEFCE is a data controller. HEIs
> are
> also data controllers and are processing the information when they give it
> to us for statutory purposes. We believe this does not have to mean HEIs
> are
> formally 'data processors' in the sense of your question (and, indeed,
> most
> or all of them won't be), see below.
>
> The telephone number, name, address is not on the original HESA record and
> so HEFCE is collecting a new data set. We are issuing the instructions
> regarding how that data is processed and so are quite clearly the data
> controller.
>
> If HEI's are having to do additional work to get the telephone numbers
> then
> they could possibly be said to be data processors working on our behalf,
> but
> I think we can assume that they already have this information and are
> therefore data controllers in their own right and this is just one of the
> disclosures they are obliged to make, i.e. HEI's are data controllers in
> respect of their own alumni records. In responding to our request for
> information they are complying with the statutory purpose. HEI's should
> therefore be reminded of the advice in the original note:
>
> "....compliance with any legal obligation to which the data controller
> (i.e.
> the institution) is subject.  In this case, section 79 of the Further &
> Higher Education (FHE) Act 1992 places an obligation upon HEIs to give the
> Council such information as it may require to carry out its functions.
> Consequently, institutions do not need the consent of their graduates to
> pass on the information to the Council (or HESA acting on the Council's
> behalf)............................
>
> Summary
>
> Institutions do not need the consent of their graduates in order to pass
> the
> information requested to HEFCE. However, for their own assurance,
> institutions may wish to:
> *     Advise their existing and prospective students (and staff if this
> does not already happen, e.g. for RAE purposes) that some personal data
> may
> be transferred to HESA, HEFCE and other bodies to enable them to carry out
> their statutory functions.
> *     Updating their own DP registration to ensure that the obligation to
> provide data to such bodies is more clearly described.
>
> Institutions are required to provide HEFCE with any information it
> reasonably requires."
>
> To the first bullet point above one might add that HEIs should be telling
> their students at some stage that they keep alumni records and may contact
> them for various purposes (FDS, fund raising, invitations) or be asked to
> confirm their qualifications to future employers etc etc.
>
> I have no objection to this being posted on the mailbase. I am hopeful
> that,
> by doing so, it will provide HEIs with more assurance that our request is
> legitimate and that HEIs need have no concern about providing us the
> information we request. The questions that are arising clearly reflect
> uncertainty within HEIs about how best to comply with DPA 1998. This is
> originally why we obtained legal advice on the matter and why I have made
> the suggestions above to help HEIs comply more effectively. If I learn any
> more I consider to be of value to HEIs then I will let you know, although
> you should all be aware that JISC has issued guidance on DPA98, see
> http://www.jisc.ac.uk/pub99/sm09_data_prot.html
>
<snip>

> Regards
>
> Ian
> Ian Gross
> Head of Internal Audit & Projects
> HEFCE Audit Service
> Tel 0117 931 7169
> Fax 0117 931 7396
> email:  [log in to unmask]
>
>
> > -----Original Message-----
> > From:       Lloyd M J B (ISaCS) [SMTP:[log in to unmask]]
> > Sent:       25 April 2001 14:55
> > To: 'Ian GROSS (7169)'
> > Subject:    RE: FDS Survey for HE's
> >
> > Dear Ian,
> >
> >     Thank you for your detailed reply. Would you mind if I posted the
> > part on HEFCE being data controller and HEI's being data processors to
> the
> > data-protection JISCMail list?
> > <snip>
> > Mike
> >
> > > ----------
> > > From:     Ian GROSS (7169)
> > > Sent:     Wednesday, April 25, 2001 2:01 PM
> > > To:       'Lloyd M J B (ISaCS)'
> > > Cc:       Pramod PHILIP [7380]
> > > Subject:  RE: FDS Survey for HE's
> > >
> > > Dear Mike
> > >
> > > Thank you for your email, my response is as follows:
> > >
> > > In asking for the personal data from HEIs in respect of former
> students,
> > > we
> > > believe HEFCE (in Glamorgan's case HEFCE is agent for HEFCW) is a data
> > > controller and that the HEI is, as our agent in that respect, a data
> > > processor.
> > >
        <snip>.
> > >
> > > Regards
> > >
> > > Ian
> > > Ian Gross
> > > Head of Internal Audit & Projects
> > > HEFCE Audit Service
> > > Tel 0117 931 7169
> > > Fax 0117 931 7396
> > > email:  [log in to unmask]
> > >
> > > > -----Original Message-----
> > > > From:   Lloyd M J B (ISaCS) [SMTP:[log in to unmask]]
> > > > Sent:   24 April 2001 15:27
> > > > To:     [log in to unmask]
> > > > Subject:        FW: FDS Survey for HE's
> > > >
> > > > Dear Ian,
> > > >
> > > >         This message was posted on the data-protection JISCMail list
> and
> > > > gives your name for those seeking clariication.
> > > >
> > > >         Are you able to clarify that where there is a statutory
> requirment
> > > > to disclose personal data to the Funding Councils, the Funding
> > Councils
> > > > will
> > > > be acting as data controller and the University's acting as data
> > > > processor?
> > > > <snip>
> > > >
> > > > Mike Lloyd
> > > >
> > > > Assistant Head (ISaCS)
> > > > ISaCS
> > > > University of Glamorgan
> > > > Llantwit Road
> > > > Treforest
> > > > Pontypridd CF37 1DL
> > > >
> > > > tel: 01443 482417
> > > > fax: 01443 482424
> > > > email: [log in to unmask]
> > > >
> > > > > ----------
> > > > > From:         Carol Thompson
> > > > > Reply To:     Carol Thompson
> > > > > Sent:         Tuesday, April 24, 2001 12:14 PM
> > > > > To:   [log in to unmask]
> > > > > Subject:      FDS Survey for HE's
> > > > >
> > > > > > We are being 'encouraged' to provide information to HEFCE we
> feel
> > > > > > contravenes DP legislation. Other institutions have been put in
> > the
> > > > same
> > > > > > position and I know some have declined. The following might be
> of
> > > some
> > > > > > interest to HE institutions. Comments welcome!
> > > > > >
> > > > > >
> > > > > Audit of the 2000 First Destination Survey (FDS)
> > > > >
> > > > > Note on Data Protection (DP) issues
> > > > >
> > > > > Some institutions have expressed concern about the data protection
> > act
> > > > > implications of passing personal information to HEFCE for the
> > purpose
> > > of
> > > > > the
> > > > > FDS audit.  This note describes HEFCE's interpretation of the
> issue,
> > > and
> > > > > takes into account legal advice we have specifically procured in
> > > respect
> > > > > of
> > > > > the FDS.
> > > > >
> > > > > We accept that some of the information passed to HESA and
> forwarded
> > to
> > > > > HEFCE, and the information sought directly by HEFCE from
> > institutions,
> > > > is
> > > > > 'personal data' and that HEFCE is 'processing' it.  Consequently,
> > > HEFCE
> > > > > accepts that it must comply with the DP principles.
> > > > >
> > > > > Looking at the most relevant DP principles:
> > > > >
> > > > > First DP principle
> > > > >
> > > > > Personal data . . . . .shall not be processed unless at least one
> of
> > > the
> > > > > conditions in schedule 2 is met . . . . .
> > > > >
> > > > > One of the conditions is that the data subject (i.e. the graduate)
> > has
> > > > > given
> > > > > his/her consent to the processing of the data.  However, the
> consent
> > > of
> > > > > the
> > > > > graduate is not necessary if one of the other conditions of
> schedule
> > 2
> > > > > applies.  In this case, the relevant condition is that the
> > processing
> > > is
> > > > > necessary for compliance with any legal obligation to which the
> data
> > > > > controller (i.e. the institution) is subject.  In this case,
> section
> > > 79
> > > > of
> > > > > the Further & Higher Education (FHE) Act 1992 places an obligation
> > > upon
> > > > > HEIs
> > > > > to give the Council such information as it may require to carry
> out
> > > its
> > > > > functions.  Consequently, institutions do not need the consent of
> > > their
> > > > > graduates to pass on the information to the Council (or HESA
> acting
> > on
> > > > the
> > > > > Council's behalf).  However, institutions may wish to advise
> > > prospective
> > > > > students in future that personal information may be required to be
> > > > > provided
> > > > > to HEFCE and other bodies.
> > > > >
> > > > > Supplementary to the above condition of schedule 2, the Council
> can
> > > rely
> > > > > on
> > > > > another condition (5b), which states that the processing is
> > necessary
> > > > for
> > > > > the exercise of any functions conferred on any person by or under
> > any
> > > > > enactment.  In the Council's view, this information is required in
> > > > > connection with our statutory functions.  Schedule 1 of FHE Act
> 1992
> > > > > states
> > > > > that the Council may do anything which appears to them to be
> > necessary
> > > > or
> > > > > expedient for the purpose of or in connection with the discharge
> of
> > > > their
> > > > > functions.
> > > > >
> > > > > The Council's rights under the FHE Act to ask for information are
> > also
> > > > > stated in the Financial Memorandum (ref 00/25; this is the funding
> > > > > contract
> > > > > each institution has with HEFCE) and the Audit Code of Practice
> (ref
> > > > > 98/28).
> > > > > Relevant extracts from these documents are available on request.
> > > > >   > > > > > Third DP principle
> > > > >
> > > > > Personal data shall be adequate, relevant and not excessive in
> > > relation
> > > > to
> > > > > the purpose or purposes for which they are processed.
> > > > >
> > > > > In this case, HEFCE is asking for names, addresses and telephone
> > > > numbers.
> > > > > It could be argued that telephone numbers are not necessary for a
> > > > survey,
> > > > > which could be conducted by post. This might be considered less
> > > > intrusive.
> > > > > However, as HEIs themselves find, telephone surveys are usually
> > > > necessary
> > > > > to
> > > > > complete the FDS anyway.  Some HEIs have identified that, once
> they
> > > have
> > > > > graduated, the graduates are private citizens.  This fact does not
> > > > > normally
> > > > > prevent the HEI telephoning them for FDS purposes if this proves
> > > > > necessary.
> > > > > For both HEFCE and the HEI therefore, there is a risk that the use
> > of
> > > a
> > > > > telephone call would breach the DP Act.  To prove a breach and
> bring
> > a
> > > > > claim
> > > > > for damages would require a graduate to show they had suffered
> > > distress
> > > > or
> > > > > damage.  Our advice is that a single (or a few) unsolicited
> > telephone
> > > > > calls
> > > > > is unlikely to result in compensation.  Similarly our advice is
> that
> > a
> > > > > telephone call is unlikely to interfere with a graduate's rights
> > under
> > > > the
> > > > > Human Rights Act 1998.
> > > > >
> > > > >
> > > > > Other information
> > > > >
> > > > > HEFCE is using an agent to conduct its telephone re-survey work.
> Our
> > > > > understanding is that this does not affect the position as the
> > Council
> > > > has
> > > > > a
> > > > > clear right in law to contract out the performance of any of its
> > > > statutory
> > > > > functions so long as it retains discretion as to how the function
> is
> > > > > exercised and it acts reasonably in doing so. Our contractual
> > > > arrangements
> > > > > with our agent provide for adequate confidentiality. The telephone
> > > > numbers
> > > > > provided will be checked against those held by the Telephone
> > > Preference
> > > > > Service so that people who have indicated they do not wish to be
> > > > contacted
> > > > > by phone can be excluded from the re-survey. The personal data
> > > provided
> > > > > (name, address and telephone number) will be destroyed at the end
> of
> > > the
> > > > > audit process (around July 2001), in accordance with the DP
> > > requirement
> > > > > not
> > > > > to hold data any longer than is necessary.
> > > > >
> > > > > None of the personal data will be used in a report. We intend to
> use
> > > the
> > > > > data only to test the original survey results. These results will
> be
> > > > > analysed anonymously by institution. Once anonymised, they are no
> > > longer
> > > > > personal data and will not be subject to the data protection act.
> > > > >
> > > > >
> > > > > Summary
> > > > >
> > > > > Institutions do not need the consent of their graduates in order
> to
> > > pass
> > > > > the
> > > > > information requested to HEFCE. However, for their own assurance,
> > > > > institutions may wish to:
> > > > > *       Advise their existing and prospective students (and staff
> if
> > > > this
> > > > > does not already happen, e.g. for RAE purposes) that some personal
> > > data
> > > > > may
> > > > > be transferred to HESA, HEFCE and other bodies to enable them to
> > carry
> > > > out
> > > > > their statutory functions.
> > > > > *       Update their own DP registration to ensure that the
> > obligation
> > > > to
> > > > > provide data to such bodies is more clearly described.
> > > > >
> > > > > Institutions are required to provide HEFCE with any information it
> > > > > reasonably requires.
> > > > >
> > > > >
> > > > > Further information
> > > > >
> > > > > If further information or clarification of any of the above is
> > > required,
> > > > > please contact Ian Gross, Head of Internal Audit & Projects at
> HEFCE
> > > on
> > > > > 0117
> > > > > 931 7169, [log in to unmask]
> > > > >
> > > > >
> > > > >
> > > > > > --------------------------------------------
> > > > > > Carol Thompson                  Tel: 0191 215 6546
> > > > > > Information Officer         Fax: 0191 215 6560
> > > > > > & Data Protection Supervisor
> > > > > > University of Northumbria
> > > > > > Coach Lane Learning Resources Centre
> > > > > > Benton
> > > > > > Newcastle Upon Tyne
> > > > > > NE7 7XA           e-mail: [log in to unmask]
> > > > > >
> > > > > >
> > > > >
> > > > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > > >     If you wish to leave this list please send the command
> > > > >        leave data-protection to [log in to unmask]
> > > > >             All user commands can be found at : -
> > > > >     www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
> > > > > all commands go to [log in to unmask] not the list please!
> > > > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > > >
> > > > >
> > >
> > >
>
>

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^