** Reply to note from GRAHAM Susan <[log in to unmask]> Tue, 11 Feb 2003 17:04:30 -0000
> As I review the University's notification entry, I am prompted to wonder
> if notification actually serves a useful purpose? (Except possibly as a
> source of income for the Office of the Information Commissioner.) Given
> that we have to tell data subjects what information we hold about them
> and what we do with it in any case, does the current notification regime
> give data subjects any added protection? I suppose the contact details
> are useful for OIC if they are dealing with a complaint, but does that
> justify the work involved in putting together a notification entry?
>
> What does everyone else think?
>
> Susan Graham.
Hi Susan,
There is a partial truth in what you say ... and not disputing Andrew's comments
here is what I made of it (when I had to do it).
a. It is partially a "legacy" exercise following on from the 1984 Act which was
much more detailed in defining exactly what we held, what for, how it was
obtained, where it was disclosed and so on. I find the current format trully
simplified compared to what it was.
b. On the 1984 Act it would have been easier for the OIC or a similar body to
work out if bad or risky practices were in place (tick the wrong boxes and alarm
bells would start ringing). I doubt that the same is possible with the current Act
as there is not enough detail in the notification.
c. As Fiona said it helps focus the mind. Organisations are supposed to be
making an audit of the data they process, have rules, retention periods,
information statements where data are collected 'n all that. Having tried it I had
to split the process into two.
First I had to find what we processed and I used the OICs form for internal use.
Things I had completely missed on my first 1992 version notification came up
very quickly. Then, I came accross data I had not even thought we were
processing let alone I was processing data myself and I had not clicked on it.
Second, having got a picture of what we did ... I would have gone (my
successor listening on the list is now the lucky one) round and take the various
units by the hand .... etc etc.
----------------------
If you have an audit that works (convincing your staff to do it is another matter) it
would be easy to produce the necessary data to fill the notification form ... or
that is how I felt about when I had to update our notification.
Call me sad and although I would not like to see it again I found it challenging
as it reached brain cells other bureaucratic exercises (like HESA stuff) fail to
reach. Surely the OIC does not make money out of it. They have gangs of
people copy-typing all the stuff we send them. Just imagine being there and
receiving the forms :-)
Just a half-penny of thoughts.
Charles
==============================================
Charles Christacopoulos, Management Information Officer,
Planning & Information, University of Dundee, Dundee, DD1 4HN,
Scotland, United Kingdom. Tel: 44(0)1382-344891. Fax: 44(0)1382-201604.
http://www.somis.dundee.ac.uk/
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|