----- Original Message ----- 
From: "Graham Donelan" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Tuesday, February 27, 2007 5:13 PM
Subject: [data-protection] National Student Survey


> This will be of particular interest to higher education institutions.
>
> On what basis does our release of student contact details to Ipsos-Mori
> to conduct the National Student Survey not breach the Data Protection
> Act?
>

The FAQ's website for the survey says:

"Who has access to students' contact details?

Higher educations institutions have passed contact details for eligible 
final year students to Ipsos MORI, the research agency responsible for 
carrying out the survey.

Ipsos MORI is a member of the Market Research Society and all details and 
responses will be handled in full accordance with data protection 
legislation.

Student personal data will be used only for the purposes of the NSS, and 
contact details will be destroyed at the end of the survey."

http://www.thestudentsurvey.com/faq.asp#access

Then see "MRS & AURA Market research processes (client) & the Data 
Protection Act 1998 January 2004

"1.4 Client Sourced Sample

It should be noted that any breach of the Act that occurs while personal 
data is held by a market
research organisation, on the client's behalf, e.g. a list supplied by a 
client for sampling purposes,
would result in the client being liable for the breach - unless a contract 
has been agreed where
the agency accepts responsibility. In serious cases clients would have to 
answer to the
Information Commissioner or the courts. In addition any compensation that 
might have to be paid
to a data subject/respondent as a result of a breach of the Act by a 
research organisation would
result in the owner of the data (the client) paying the compensation. 
Therefore it is essential that
clients check that market research organisations have adequate security 
processes to meet
clients' and the Acts needs.

If a client owned file or database of customers is to be used for sampling 
purposes, then clients
need to consider the following:

§ The Notification covers market research and that appropriate safeguards 
are in place within
the contract to cover security and prevent misuse by third parties (see 
Appendix 2 for
Notification procedures).

§ If feedback is required (Categories 2/3/4), then this should be specified.

§ If it is a Category 6 project then the file will need to be screened as 
described in the
guidelines.

§ In instances where a client has supplied their own database for sampling 
the respondent has
the legal right to know the source of the data if it is requested.

If sub-contractors (e.g. fieldwork agencies, freelance recruiters, data 
processors etc) are to be
used then only those contractors who can offer appropriate safeguards (for 
security etc) must be
retained. This condition applies to all stages of the market research 
process including
interviewing.

§ Market research organisations must offer sufficient assurances that they 
have appropriate
technical and organisational measures in place to safeguard the personal 
data passed to
them for processing.

§ Any agreement to send data from a client to a market research organisation 
must be
evidenced in writing.

§ Clients need to consider how to respond if any respondents drawn from a 
client supplied list
query the right to transfer their details to an agency to use for market 
research purposes. The
client Notification covering the source must include market research."

http://www.mrs.org.uk/standards/downloads/revised/legal/mrprocesses.pdf

(Note I have given a continuous quote rather than cherry-picked).

Nick Landau 

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^