Mr Goss
Thank you for your swift response. You are correct in saying that I largely
referred to the Central Pilot but it seems to me the issues relating to the
release of contact details for the audit are much the same. I note that you
have not responded to my request to publish on the jiscmail list the reply
from the Information Commissioner to the letter from HESA asking for her views
on the pilot. I'm sure it would be very helpful to HEIs faced with similar
problems in releasing contact details for the audit.
You are correct in you view that if is ultimately for the courts to decide
whether the funding council has exceeded its powers under the F&HE Act. What
HEIs need to decide is whether they are willing to supply data with the risk
that they may be contravening the DPA 1998 (the possibility is that the
funding council do not have the legal authority to request the data) or risk
being taken to court or penalised by the funding council. I think it would
help us if we could see the ruling from the IC before considering the matter
further. Another alternative would be for the funding council to give an
undertaking to indemnify any HEI taken to court by one of its students for
breaching the DPA.
Dennis Barrington-Light
Head of Student Records and Statistics and
University Data Protection Officer
University of Cambridge,
10 Peas Hill, Cambridge CB2 3PN, UK
Tel: +44(0)1223 332303 Fax: +44(0)1223 331200
E-mail: [log in to unmask]
"Ian GROSS (7169)" <[log in to unmask]> on 26/04/2001 17:09:23
To: Dennis Barrington-Light/REG/Central-Admin@Central-Admin,
[log in to unmask]
cc: "Ian GROSS (7169)" <[log in to unmask]>
Subject: RE: FDS Survey for HE's
Mr Barrington-Light
Thank you for your email. There are some errors in your comments which I
should respond to immediately.
You largely refer to the central collection pilot FDS conducted last year.
This audit has nothing whatsoever to do with that pilot exercise and so
consequently, some of the points that follow are not relevant. I must
specifically correct one point before others on the mailbase feel concerned
about it. You basically state that, in your view, our requests are not
reasonable. However, our legal advice on the same point you made about the
central collection pilot last year is quite clear - it is not for
institutions to decide whether or not the information requested by the
funding council is required for the exercise of its functions. That decision
is clearly for the funding council - subject to the view of a court of
course.
My note, which has been posted on the mailbase, summarises our legal advice
fairly and accurately and I see no need to publish it.
Ian Gross
Head of Internal Audit & Projects
HEFCE Audit Service
Tel 0117 931 7169
Fax 0117 931 7396
email: [log in to unmask]
> -----Original Message-----
> From: Dennis Barrington-Light [SMTP:[log in to unmask]]
> Sent: 26 April 2001 16:18
> To: [log in to unmask]
> Cc: [log in to unmask]
> Subject: Re: FDS Survey for HE's
>
>
>
> I had thought that this issue had been resolved following the withdrawal
> of
> the contact details request from the pilot exercise last year. My
> thoughts
> are unchanged in that the Funding Council do not have the right to ask for
> ANY
> information they feel like - it has to be specifically for carrying out
> their
> functions under the Act. It is not entirely clear to me that they need
> HEIs
> to supply student contact addresses and telephone numbers to fulfil their
> functions. Presumably if this is allowed to happen the next stage will be
> for
> HEFCE to say that HEIs have already conceded the principle of supplying
> the
> data so we will all be required to supply contact details to HESA next
> year.
>
> I copy below some extracts from my email to HESA regarding this last year.
> Incidentally, I never did get a response to this, nor did I see a copy of
> the
> response made by the then Data Protection Commissioner to HESA. I think
> it
> would be helpful if HEFCE were to publicise this as well as their own
> legal
> advice so that HEIs can decide what action they should take.
>
> 'The 1992 Act requires HEIs to "give a [funding] council such information
> as
> they may require for the purposes of the exercise of any of their
> functions
> under the Education Acts".
>
> The Model Financial Memorandum between HEFCE and HEIs states the "the
> institution shall provide the Council, or its agents acting on its behalf,
> with whatever information the Council requires to exercise it functions
> under
> the 1992 Act. This information shall be of a satisfactory quality and
> shall be
> provided at the times and in the format specified by the Council or its
> agents. The Council will act reasonably in its requests for information
> and
> will have regard to the costs of providing this information, and where
> appropriate, to its confidentiality."
>
> (Note the words 'reasonably' and 'confidentiality' in the last sentence.
> Contact data is extremely confidential data).
>
> The question then is whether the data that you are requiring us to supply
> is
> necessary for the funding council to exercise their functions. The new
> FDS
> return requires us to supply the data on first destinations of students -
> we
> are prepared to do this and have made the necessary arrangements. What
> you
> are now asking is for an alternative means of collecting this same
> information
> to be tried out. That is fine and well but I don't think that our
> declining
> to participate will stop the funding council for being able to exercise
> its
> functions as we will be supplying the information ourselves anyway - so we
> are
> not refusing to supply the FDS data, only the contact addresses and phone
> numbers for an alternative scheme.........
>
> ......Clearly that has to be a limit on the data that HEIs can be required
> to
> supply to a funding council for the exercise of its functions. For
> example it
> would be unreasonable to supply medical data on students to HESA. There
> is a
> recognised mechanism for agreeing the data that funding councils and HESA
> require which is agreed in advance with HEIs through the consultative
> process.
> Funding Councils need to justify their data requirements and I can recall
> robust discussions during the review of the Student Record the other year.
> To
> go beyond that without the agreement of HEIs in advance is not acceptable
> unless there is a major new requirement and the required data is not
> contentious. A pilot of this nature does not, in my opinion, form such a
> new
> requirement. Furthermore, it raises many contentious issues about
> supplying
> contact data to an outside body. (Who knows what the future
> holds....there
> have been countries where such data could be used to eliminate certain
> students). I think therefore that there is an important principle at
> stake
> which I am not willing to concede for a pilot. I would imagine that
> should
> the pilot be successful then the next step will surely be to seek
> additional
> fields on the HESA record for address and phone no which would no doubt be
> argued on the basis that HEIs had already supplied this data for the
> pilot.'
>
> Dennis Barrington-Light
> Head of Student Records and Statistics and
> University Data Protection Officer
> University of Cambridge,
> 10 Peas Hill, Cambridge CB2 3PN, UK
> Tel: +44(0)1223 332303 Fax: +44(0)1223 331200
> E-mail: [log in to unmask]
>
>
>
>
>
> Carol Thompson <[log in to unmask]> on 24/04/2001 12:14:31
>
> Please respond to Carol Thompson <[log in to unmask]>
>
> To: [log in to unmask]
> cc: (bcc: Dennis Barrington-Light/REG/Central-Admin)
>
> Subject: FDS Survey for HE's
>
>
>
>
> > We are being 'encouraged' to provide information to HEFCE we feel
> > contravenes DP legislation. Other institutions have been put in the same
> > position and I know some have declined. The following might be of some
> > interest to HE institutions. Comments welcome!
> >
> >
> Audit of the 2000 First Destination Survey (FDS)
>
> Note on Data Protection (DP) issues
>
> Some institutions have expressed concern about the data protection act
> implications of passing personal information to HEFCE for the purpose of
> the
> FDS audit. This note describes HEFCE's interpretation of the issue, and
> takes into account legal advice we have specifically procured in respect
> of
> the FDS.
>
> We accept that some of the information passed to HESA and forwarded to
> HEFCE, and the information sought directly by HEFCE from institutions, is
> 'personal data' and that HEFCE is 'processing' it. Consequently, HEFCE
> accepts that it must comply with the DP principles.
>
> Looking at the most relevant DP principles:
>
> First DP principle
>
> Personal data . . . . .shall not be processed unless at least one of the
> conditions in schedule 2 is met . . . . .
>
> One of the conditions is that the data subject (i.e. the graduate) has
> given
> his/her consent to the processing of the data. However, the consent of
> the
> graduate is not necessary if one of the other conditions of schedule 2
> applies. In this case, the relevant condition is that the processing is
> necessary for compliance with any legal obligation to which the data
> controller (i.e. the institution) is subject. In this case, section 79 of
> the Further & Higher Education (FHE) Act 1992 places an obligation upon
> HEIs
> to give the Council such information as it may require to carry out its
> functions. Consequently, institutions do not need the consent of their
> graduates to pass on the information to the Council (or HESA acting on the
> Council's behalf). However, institutions may wish to advise prospective
> students in future that personal information may be required to be
> provided
> to HEFCE and other bodies.
>
> Supplementary to the above condition of schedule 2, the Council can rely
> on
> another condition (5b), which states that the processing is necessary for
> the exercise of any functions conferred on any person by or under any
> enactment. In the Council's view, this information is required in
> connection with our statutory functions. Schedule 1 of FHE Act 1992
> states
> that the Council may do anything which appears to them to be necessary or
> expedient for the purpose of or in connection with the discharge of their
> functions.
>
> The Council's rights under the FHE Act to ask for information are also
> stated in the Financial Memorandum (ref 00/25; this is the funding
> contract
> each institution has with HEFCE) and the Audit Code of Practice (ref
> 98/28).
> Relevant extracts from these documents are available on request.
>
> Third DP principle
>
> Personal data shall be adequate, relevant and not excessive in relation to
> the purpose or purposes for which they are processed.
>
> In this case, HEFCE is asking for names, addresses and telephone numbers.
> It could be argued that telephone numbers are not necessary for a survey,
> which could be conducted by post. This might be considered less intrusive.
> However, as HEIs themselves find, telephone surveys are usually necessary
> to
> complete the FDS anyway. Some HEIs have identified that, once they have
> graduated, the graduates are private citizens. This fact does not
> normally
> prevent the HEI telephoning them for FDS purposes if this proves
> necessary.
> For both HEFCE and the HEI therefore, there is a risk that the use of a
> telephone call would breach the DP Act. To prove a breach and bring a
> claim
> for damages would require a graduate to show they had suffered distress or
> damage. Our advice is that a single (or a few) unsolicited telephone
> calls
> is unlikely to result in compensation. Similarly our advice is that a
> telephone call is unlikely to interfere with a graduate's rights under the
> Human Rights Act 1998.
>
>
> Other information
>
> HEFCE is using an agent to conduct its telephone re-survey work. Our
> understanding is that this does not affect the position as the Council has
> a
> clear right in law to contract out the performance of any of its statutory
> functions so long as it retains discretion as to how the function is
> exercised and it acts reasonably in doing so. Our contractual arrangements
> with our agent provide for adequate confidentiality. The telephone numbers
> provided will be checked against those held by the Telephone Preference
> Service so that people who have indicated they do not wish to be contacted
> by phone can be excluded from the re-survey. The personal data provided
> (name, address and telephone number) will be destroyed at the end of the
> audit process (around July 2001), in accordance with the DP requirement
> not
> to hold data any longer than is necessary.
>
> None of the personal data will be used in a report. We intend to use the
> data only to test the original survey results. These results will be
> analysed anonymously by institution. Once anonymised, they are no longer
> personal data and will not be subject to the data protection act.
>
>
> Summary
>
> Institutions do not need the consent of their graduates in order to pass
> the
> information requested to HEFCE. However, for their own assurance,
> institutions may wish to:
> * Advise their existing and prospective students (and staff if this
> does not already happen, e.g. for RAE purposes) that some personal data
> may
> be transferred to HESA, HEFCE and other bodies to enable them to carry out
> their statutory functions.
> * Update their own DP registration to ensure that the obligation to
> provide data to such bodies is more clearly described.
>
> Institutions are required to provide HEFCE with any information it
> reasonably requires.
>
>
> Further information
>
> If further information or clarification of any of the above is required,
> please contact Ian Gross, Head of Internal Audit & Projects at HEFCE on
> 0117
> 931 7169, [log in to unmask]
>
>
>
> > --------------------------------------------
> > Carol Thompson Tel: 0191 215 6546
> > Information Officer Fax: 0191 215 6560
> > & Data Protection Supervisor
> > University of Northumbria
> > Coach Lane Learning Resources Centre
> > Benton
> > Newcastle Upon Tyne
> > NE7 7XA e-mail: [log in to unmask]
> >
> >
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
> all commands go to [log in to unmask] not the list please!
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>
>
>
>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|