I had thought that this issue had been resolved following the withdrawal of
the contact details request from the pilot exercise last year.  My thoughts
are unchanged in that the Funding Council do not have the right to ask for ANY
information they feel like - it has to be specifically for carrying out their
functions under the Act.  It is not entirely clear to me that they need HEIs
to supply student contact addresses and telephone numbers to fulfil their
functions.  Presumably if this is allowed to happen the next stage will be for
HEFCE to say that HEIs have already conceded the principle of supplying the
data so we will all be required to supply contact details to HESA next year.

I copy below some extracts from my email to HESA regarding this last year.
Incidentally, I never did get a response to this, nor did I see a copy of the
response made by the then Data Protection Commissioner to HESA.  I think it
would be helpful if HEFCE were to publicise this as well as their own legal
advice so that HEIs can decide what action they should take.

'The 1992 Act requires HEIs to "give a [funding] council such information as
they may require for the purposes of the exercise of any of their functions
under the Education Acts".

The Model Financial Memorandum between HEFCE and HEIs states the "the
institution shall provide the Council, or its agents acting on its behalf,
with whatever information the Council requires to exercise it functions under
the 1992 Act. This information shall be of a satisfactory quality and shall be
provided at the times and in the format specified by the Council or its
agents.  The Council will act reasonably in its requests for information and
will have regard to the costs of providing this information, and where
appropriate, to its confidentiality."

(Note the words 'reasonably' and 'confidentiality' in the last sentence.
Contact data is extremely confidential data).

The question then is whether the data that you are requiring us to supply is
necessary for the funding council to exercise their functions.  The new FDS
return requires us to supply the data on first destinations of students - we
are prepared to do this and have made the necessary arrangements.  What you
are now asking is for an alternative means of collecting this same information
to be tried out.  That is fine and well but I don't think that our declining
to participate will stop the funding council for being able to exercise its
functions as we will be supplying the information ourselves anyway - so we are
not refusing to supply the FDS data, only the contact addresses and phone
numbers for an alternative scheme.........

......Clearly that has to be a limit on the data that HEIs can be required to
supply to a funding council for the exercise of its functions.  For example it
would be unreasonable to supply medical data on students to HESA.   There is a
recognised mechanism for agreeing the data that funding councils and HESA
require which is agreed in advance with HEIs through the consultative process.
Funding Councils need to justify their data requirements and I can recall
robust discussions during the review of the Student Record the other year.  To
go beyond that without the agreement of HEIs in advance is not acceptable
unless there is a major new requirement and the required data is not
contentious.  A pilot of this nature does not, in my opinion, form such a new
requirement.  Furthermore, it raises many contentious issues about supplying
contact data to an outside body.  (Who knows what the future holds....there
have been countries where such data could be used to eliminate certain
students).  I think therefore that there is an important principle at stake
which I am not willing to concede for a pilot.  I would imagine that should
the pilot be successful then the next step will surely be to seek additional
fields on the HESA record for address and phone no which would no doubt be
argued on the basis that HEIs had already supplied this data for the pilot.'

Dennis Barrington-Light
Head of Student Records and Statistics and
University Data Protection Officer
University of Cambridge,
10 Peas Hill, Cambridge CB2 3PN, UK
Tel: +44(0)1223 332303  Fax: +44(0)1223 331200
E-mail:  [log in to unmask]





Carol Thompson <[log in to unmask]> on 24/04/2001 12:14:31

Please respond to Carol Thompson <[log in to unmask]>

To:   [log in to unmask]
cc:    (bcc: Dennis Barrington-Light/REG/Central-Admin)

Subject:  FDS Survey for HE's




> We are being 'encouraged' to provide information to HEFCE we feel
> contravenes DP legislation. Other institutions have been put in the same
> position and I know some have declined. The following might be of some
> interest to HE institutions. Comments welcome!
>
>
Audit of the 2000 First Destination Survey (FDS)

Note on Data Protection (DP) issues

Some institutions have expressed concern about the data protection act
implications of passing personal information to HEFCE for the purpose of the
FDS audit.  This note describes HEFCE's interpretation of the issue, and
takes into account legal advice we have specifically procured in respect of
the FDS.

We accept that some of the information passed to HESA and forwarded to
HEFCE, and the information sought directly by HEFCE from institutions, is
'personal data' and that HEFCE is 'processing' it.  Consequently, HEFCE
accepts that it must comply with the DP principles.

Looking at the most relevant DP principles:

First DP principle

Personal data . . . . .shall not be processed unless at least one of the
conditions in schedule 2 is met . . . . .

One of the conditions is that the data subject (i.e. the graduate) has given
his/her consent to the processing of the data.  However, the consent of the
graduate is not necessary if one of the other conditions of schedule 2
applies.  In this case, the relevant condition is that the processing is
necessary for compliance with any legal obligation to which the data
controller (i.e. the institution) is subject.  In this case, section 79 of
the Further & Higher Education (FHE) Act 1992 places an obligation upon HEIs
to give the Council such information as it may require to carry out its
functions.  Consequently, institutions do not need the consent of their
graduates to pass on the information to the Council (or HESA acting on the
Council's behalf).  However, institutions may wish to advise prospective
students in future that personal information may be required to be provided
to HEFCE and other bodies.

Supplementary to the above condition of schedule 2, the Council can rely on
another condition (5b), which states that the processing is necessary for
the exercise of any functions conferred on any person by or under any
enactment.  In the Council's view, this information is required in
connection with our statutory functions.  Schedule 1 of FHE Act 1992 states
that the Council may do anything which appears to them to be necessary or
expedient for the purpose of or in connection with the discharge of their
functions.

The Council's rights under the FHE Act to ask for information are also
stated in the Financial Memorandum (ref 00/25; this is the funding contract
each institution has with HEFCE) and the Audit Code of Practice (ref 98/28).
Relevant extracts from these documents are available on request.

Third DP principle

Personal data shall be adequate, relevant and not excessive in relation to
the purpose or purposes for which they are processed.

In this case, HEFCE is asking for names, addresses and telephone numbers.
It could be argued that telephone numbers are not necessary for a survey,
which could be conducted by post. This might be considered less intrusive.
However, as HEIs themselves find, telephone surveys are usually necessary to
complete the FDS anyway.  Some HEIs have identified that, once they have
graduated, the graduates are private citizens.  This fact does not normally
prevent the HEI telephoning them for FDS purposes if this proves necessary.
For both HEFCE and the HEI therefore, there is a risk that the use of a
telephone call would breach the DP Act.  To prove a breach and bring a claim
for damages would require a graduate to show they had suffered distress or
damage.  Our advice is that a single (or a few) unsolicited telephone calls
is unlikely to result in compensation.  Similarly our advice is that a
telephone call is unlikely to interfere with a graduate's rights under the
Human Rights Act 1998.


Other information

HEFCE is using an agent to conduct its telephone re-survey work. Our
understanding is that this does not affect the position as the Council has a
clear right in law to contract out the performance of any of its statutory
functions so long as it retains discretion as to how the function is
exercised and it acts reasonably in doing so. Our contractual arrangements
with our agent provide for adequate confidentiality. The telephone numbers
provided will be checked against those held by the Telephone Preference
Service so that people who have indicated they do not wish to be contacted
by phone can be excluded from the re-survey. The personal data provided
(name, address and telephone number) will be destroyed at the end of the
audit process (around July 2001), in accordance with the DP requirement not
to hold data any longer than is necessary.

None of the personal data will be used in a report. We intend to use the
data only to test the original survey results. These results will be
analysed anonymously by institution. Once anonymised, they are no longer
personal data and will not be subject to the data protection act.


Summary

Institutions do not need the consent of their graduates in order to pass the
information requested to HEFCE. However, for their own assurance,
institutions may wish to:
*       Advise their existing and prospective students (and staff if this
does not already happen, e.g. for RAE purposes) that some personal data may
be transferred to HESA, HEFCE and other bodies to enable them to carry out
their statutory functions.
*       Update their own DP registration to ensure that the obligation to
provide data to such bodies is more clearly described.

Institutions are required to provide HEFCE with any information it
reasonably requires.


Further information

If further information or clarification of any of the above is required,
please contact Ian Gross, Head of Internal Audit & Projects at HEFCE on 0117
931 7169, [log in to unmask]



> --------------------------------------------
> Carol Thompson                  Tel: 0191 215 6546
> Information Officer         Fax: 0191 215 6560
> & Data Protection Supervisor
> University of Northumbria
> Coach Lane Learning Resources Centre
> Benton
> Newcastle Upon Tyne
> NE7 7XA           e-mail: [log in to unmask]
>
>

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^