Charles Christacopoulos said ...
>
> In my view the key is to find a way of getting:
> (a) most of your staff to opt in
> (b) automatically or with little work create a list of those who are "in"
> (c) ditto for students.
Loads of fun - BUT Phil Boyd emphasised the "spirit of the act" and he
and other speakers also talked about "reasonableness". It MAY be that if
you can demonstrate what measures you have taken to inform users and
tried to obtain consent, this may be weighed against the fact that you
included a staff member who didn't bother to consent.
However, I think the key now is to start looking for opportunities to
get this consent. For security reasons, last year we forced a
"re-registration" of all email users - something like this would be an
opportunity to incorporate a consent form which must be completed (yes
or no) before getting the account back. Compilation of the internal
phone directory, library registration etc. are other opportunities to
get consent.
> >2. Students as Data Controllers?
> >================================
>
> The conference people seem to have suggested that students should notify
> the Registrar's dept themselves.
>
> Ehmmmm, we are also being told to minimise the numbers of registrations
> we do (ideally down to 1) as the charges will be penalising the bigger
> organisations and those with more as opposed to fewer registrations.
> Thus this contradicts the advice the DPR's office has been giving on
> different occasions.
I think there is an important detail missed here - at the conference it
was suggested that Student's Union would need to register separately
(they are, at Southampton at least, a separate organisation). This MIGHT
mean that SU would also be responsible for all their clubs and society
web pages (yippee!)
But students as individuals would come under the Uni reg.
>
> Then you may have (we do) students, particularly medics, who use real
> personal data as part of their studying, coursework etc. They
> definitely do not have to register with the DPR. My view is that the
> educational institution will ultimately be responsible but I cannot
> really see a student infringing DP legislation. If there is some dispute
> there will be a slightly different issue, eg. defamation with DP thrown in
> as a good measure.
Exemption from registration DOES NOT mean that students do not have to
comply with the act. So, for example, medical records need to be treated
according to the principles of the act. Were these to become "public"
through say, poor security, then someone is liable - whether the student
or the Uni. is another matter.
Cheers,
Colin
--
_________________________________________________
Colin K. Work
Computing Services
University of Southampton
email [log in to unmask]
tel. 01703 593090 (direct line)