OK, I'll have a go.
Principle 7 requires "appropriate" - not perfect - security. So you are
always expected to protect people as far as you can, but balance this with
what is technically feasible and economically realistic, and with what does
not unduly inhibit legitimate users and uses of the data.
Your option (b) explicitly permits access by people who have no reason to
access the information. On the face of it, it is therefore not compliant.
However, Principle 7 also says that your security measures must be
"technical and organisational". If you can unequivocally guarantee the
probity of all your staff, and their adherence to guidelines and rules, then
you could argue that you have organisational measures - which amount to
telling them not to misbehave - and that these are appropriate and
sufficient to prevent unauthorised access.
In your position I would be disinclined to rely on trust to that extent. I
would want to put in an additional access restriction - without necessarily
going to the level of individual staff - whereby a link was created between
students and those staff who were involved with their tuition. Access would
then be restricted to those staff who had a genuine need to know the details
of that student. I would also want to record each access event. There is
still the risk that an unscrupulous staff member might access a student's
record for unauthorised purposes, whether malicious or well-meaning, but (a)
you might catch them through your access records, and (b) you would be in a
stronger position to argue that the balance was right between the risk of
misuse and the need to have access.
What concerns me perhaps more is the range of data that is being made
available on each student, without making the case that it is actually
necessary for staff to have access, especially to the sensitive personal
data. As a student I would be very concerned, and would want to see
evidence from the Data Controller that Principles 1, 2 and 3, in particular,
were being complied with.
All in all, the whole thing makes me very uneasy. Sometimes, if you want
the benefit you have to accept the cost, and I think your option (b) is far
too much of a short cut.
Paul Ticher
0116 273 8191
22 Stoughton Drive North, Leicester LE5 5UB
I hereby require any recipient of this message not to use my personal data
for direct marketing purposes.
----- Original Message -----
From: "S McCain" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Friday, October 21, 2005 10:46 AM
Subject: web application access control: follow-up
> Friday may not be a particularly good day for flogging a dead horse but
> here goes ...
>
> I posted the query below on a 7th principle issue a while ago and had a
> couple of very helpful replies from other universities. But I really need
> more than 2 responses so I'm asking again for comment, this time
> from the whole list not just from the academic sector. Come on you good
> people - help me out, please.
>
> Steve McCain
>
>
> ===================================================================
> Original message (23/9) ...
>
> We have a new web interface to our student record system. Staff will be
> able to see biographical details of the students (photo, name, address,
> phone no, mobile no, personal email address, dob, ethnicity, disability,
> next of kin details etc) as well as details of their courses.
>
> We have two options to control access to the web application:-
>
> a) on a per individual staff member basis
>
> b) by bulk-loading the details of staff from extracts from our personnel
> system based on staff grouping (eg all academic & related staff, all
> clerical staff etc)
>
> Option a) is probably the purest in terms of DPA 7th principle but has
> high overheads in manually maintaining access controls.
>
> Option b) will give a very broad-brush access control so that many
> members of staff will be granted access who probably don't need to see
> student records but it has very low overheads in managing access.
>
> In total we are talking about hundreds of members of staff, each
> accessing the web application by their individual usernames and passwords.
> Access is all or nothing - if you have access you
> can see the details of all students. At the moment users can also change
> some of the students' data via the web application (eg home address);
> there is no read-only access but this may be introduced at some point.
>
> I'd welcome comment on the two options & advice on how to proceed. I'd
> be very interested to learn how other academic institutions manage this
> type of access control.
>
> many thanks
>
> Steve McCain
> University of Bradford
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving message please send to the list
> owner
> [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
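The access model sketched in the reply above (a tuition link between staff and students, viewing restricted to linked staff, and every access event recorded so that misuse can be picked up from the access records) as an added Python example; this is not code from the thread or from the University of Bradford system, and the staff and student identifiers, the records and the review threshold in `staff_to_review` are constructed assumptions.

```python
"""Need-to-know access to student records, with an audit trail of every access event."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed sample data: hypothetical staff/student identifiers, not real records.
TUITION_LINKS: Dict[str, Set[str]] = {  # staff_id -> students they teach or tutor
    "s.jones": {"u101", "u102"},
    "a.patel": {"u102"},
}
STUDENT_RECORDS: Dict[str, Dict[str, str]] = {
    "u101": {"name": "Student A", "home_address": "1 Example Road"},
    "u102": {"name": "Student B", "home_address": "2 Example Road"},
    "u103": {"name": "Student C", "home_address": "3 Example Road"},
}

@dataclass
class AccessEvent:
    when: datetime
    staff_id: str
    student_id: str
    allowed: bool

AUDIT_LOG: List[AccessEvent] = []

def can_view(staff_id: str, student_id: str) -> bool:
    """Need to know: permit only when a tuition link exists between staff and student.

    Option (b) from the original query would instead return True for everyone in the
    bulk-loaded staff group, regardless of any link to the particular student.
    """
    return student_id in TUITION_LINKS.get(staff_id, set())

def view_student(staff_id: str, student_id: str) -> Optional[Dict[str, str]]:
    """Return the record if permitted. Every attempt, allowed or refused, is logged."""
    allowed = can_view(staff_id, student_id)
    AUDIT_LOG.append(AccessEvent(datetime.now(timezone.utc), staff_id, student_id, allowed))
    return STUDENT_RECORDS.get(student_id) if allowed else None

def staff_to_review(log: List[AccessEvent], max_refused: int = 1) -> Set[str]:
    """Review aid over the access records: staff refused more than max_refused times."""
    refused: Dict[str, int] = {}
    for event in log:
        if not event.allowed:
            refused[event.staff_id] = refused.get(event.staff_id, 0) + 1
    return {staff for staff, count in refused.items() if count > max_refused}
```

Read-only access, mentioned in the original query as a possible later addition, would be a second link type checked in `can_view` rather than a separate application.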