A question for others in the Higher Education sector:
Lancaster (in common with most universities and colleges) is a subscriber to Athens, a JISC-supported service that is used to provide staff and students with simple, stream-lined access to multiple research databases.
For the last few years (though I've only just found out!), it has been the habit of our systems unit to submit the basic details of ALL our staff and students to Athens automatically, so that they all get accounts with the service. This makes life easy for them because they then don't have to set up separate accounts for students individually on request. However, it does raise the issue of fair processing, and also possibly of security in relation to data processors acting on behalf of a controller.
So, can anyone answer the following please -
(i) Does your institution submit student/staff details to Athens (and, if so, is this clearly stated in your Fair Processing notice/s?)
(ii) If your institution does submit details automatically, do you offer an opt-out? (we have just fielded a couple of complaints from students who never wanted their details submitted to Athens, which raises interesting questions about "legitimate interests")?
(iii) Are you content that the 'contractual' relationship between your institution and Athens answers the requirements of Schedule 1 Part 2 Para 12 that "where processing...is carried out by a data processor on behalf of a data controller, the data controller is not regarded as complying with the 7th principle unless the processing is carried out under a contract.....[which] requires the data processor to comply with obligations equivalent to those imposed on the data controller by the 7th principle? (or do you think that Athens is actually a controller in its own right here, not a processor?)
Opinions and information gratefully received (to be logged on www.dpa.lancs.ac.uk in due course).
Andrew Okey
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|