Sally
I think this probably arises from uncertainty in relation to the anonymisation of personal data and whether or not anonymised information is caught by the Act. Under UK law I understand the present position to be that the act of anonymisation itself is processing. Therefore best practice (and maybe even the law!) dictates that the data subject is told of this. The HESA wording is detailed enough to make this clear.
There are also all sorts of arguments about when data is truly anonymous. Where a college anonymises personal data as the data controller it will be very hard to say that the data is anonymous while it remains under their control unless sophisticated techniques are used to de-personify the personal data so that no further link back to the data subject is possible. In most cases the data controller could work back from the de-personalised data to find out the identity of the data subject.
At the very least, as you suggest, this means that the disclosure to HESA should be notified. However, I think their wording does make it clear to the data subject how the information will be used.
nicola
Nicola Mckilligan
Director
Privacy & Information Plus