I have found the correspondence on this topic most useful, and to my mind
progress has been made.
It is now clear to me that:
The Funding Councils are the data controllers in respect of any data
demanded under a statutory obligation;
The Funding Councils therefore are responsible for complying with
the DP Principles in respect of that specific processing, and the data
subjects rights;
HEI's are the data processors in respect of that specfic processing.
We can therefore expect a written contract to cover all of this;
HESA will also be a data processor on behalf on the Funding Councils
for data demanded under a statutory obligation. Presumably, that data can
only be processed for that statutory purpose by HESA.
I dont think it is unreasonalbe for HEI's to question the legitimate
basis, and if we consider it necessary to ask for an assessment. We cannot
rely on the 'Nuremberg defence'.
There leaves only the matter of the cost of all this.
Anyone disagree with that analysis?
Mike
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|