This is fascinating stuff.
I can quite understand permission to publish photos and other personal
details being denied, but I'm amazed that email addresses are going to be
treated as personal data - I've always regarded email addresses like
telephone numbers - they are the property of the organisation which
allocates them, not the individual to whom they are allocated. After all,
the individuals cannot take them with them when they change jobs.
Furthermore, the email addresses and telephone numbers are, as I understand
it, not allocated for personal use but for business-only use by the
individual employee. If these are regarded as personal then institutions,
starting with ours, would charge their employees for the service! As
'institutional information' it should be up to the institution whether or
not it chooses to publish such a list.
If what you're saying is true, I'm appalled.
A few years ago we asked our LIS staff to permit/deny permission in writing
for the web publication of their photos. One third, understandably, refused
permission. Can we expect this scale of refusal for publication of email
addresses and telephone numbers?
I think we shall have to consider a carefully worded re-registration as
Colin has just described.
Rob.
(LIS DPO)
Dr Robert C. Symberlist
Network Multimedia Consultant,
Library and Information Services,
University of Wales Swansea
Singleton Park Swansea SA2 8PP
Tel: 01792 295619
Fax: 01792 295851
http://www.swan.ac.uk/lis/
-----Original Message-----
From: [log in to unmask]
[mailto:[log in to unmask]]
Sent: 07 May 1999 14:13
To: [log in to unmask]
Subject: Re: Data Protection Act issues
** Reply to note from Adrian Tribe <[log in to unmask]> Fri, 07 May 1999
10:12:14 +0100
Hi,
I happen to be the DPO for the University of Dundee and also happen to be
the person who for the time being has done an "internal" email directory.
Nice to receive a detailed email!
> 1. 'Consent'
> ============
You are correct in what you say about consent. It has to be explicit.
That is, explicitly given that someone wants to be included in any such
directory.
Transfer of data inside/outside the EU does not really come into it if
you are putting data on the web, because automatically transfer is
worldwide.
> An opt OUT system should still be OK at the point at which data is
> gathered (i.e. at the point at which staff/students enter the Uni and
> e-mail or telephone accounts are set up).
Correct but then your student records should be modified to hold the
extra field(s), and ideally your directory ought to have access to the
information, and there is the danger that for ever you will be shuffling
paper.
There is a further issue with disclosing student details (sexual
harrasment comes to mind) where even if the student has opted in there is
at least some "moral liability" if the student comes to any harm.
> Phil Boyd suggested having departmental
> staff meetings and explaining the intentions of having a public
> directory etc and asking staff then to tell you if they want to opt
> OUT. That way, you know that the staff concerned got your message
> and understood it, so by choosing not to opt OUT they are indeed
> giving their consent.
Good idea. In a fair size institution though you have a constant
turnover of staff, how do you handle the new staff? Are you
likely to get Human Resources (Personnel) to put another form out to
staff asking them to opt in/out of an email directory?
The punchline is that by Oct2001 all Email addresses on the web will
have to be given an opt in by their holders :-) else we are breaking the
law.
Further since you do not mention it anywhere, some of the supplementary
guidelines for the 1984 act said [my paraphrasing] that publicly
available email addresses should have adequate protection. I take that
to mean that you should display them one at a time and in a way that a
robot could not go and extract all of them (well a specifically written
robot could but keep it in proportion).
The difficulties I find are the following:
- You will end up with a very small number of inclusions if you send out
a form. People are busy and most could not care less about an EMail
directory. You need to retain the paper (yuk) and also have it in an
electronic database. (Electronic forms could be used but then you will
get even less response).
- You are talking in terms of creating the database of EMail addresses
from scratch. In our case I extract the info from the NDS tree, process
it, and place it where it used by the search scripts. There are
alternatives for those with the right technology to access the nds tree
directly or x500 directories and so on. The problem with all these
solutions is that you need other people to do their bit in terms of
feeding in the correct data (for staff opting in/out etc). That will be
the day ;-)
In my view the key is to find a way of getting:
(a) most of your staff to opt in
(b) automatically or with little work create a list of those who are "in"
(c) ditto for students.
The rest would be a case of writting programs.
>2. Students as Data Controllers?
>================================
The conference people seem to have suggested that students should notify
the Registrar's dept themselves.
Ehmmmm, we are also being told to minimise the numbers of registrations
we do (ideally down to 1) as the charges will be penalising the bigger
organisations and those with more as opposed to fewer registrations.
Thus this contradicts the advide the DPR's office has been giving in
different occasions.
Then you may have (we do) students, particularly medics, who use real
personal data as part of their studying, coursework etc. They
definatelly do not have to register with the DPR. My view is that the
educational institution will ultimately be responsible but I cannot
really see a student infringing DP legislation. If there is some dispute
there will be a sligtly different issue, eg. defamation with DP thrown in
as a good measure.
>Apologies for the length of this e-mail!
ditto.
At least you know someone read it :-)
Regards
Charles
==============================================
Charles Christacopoulos, Secretary's Office, University of Dundee,
Dundee DD1 4HN, (Scotland) United Kingdom.
Tel: +44+(0)1382-344891. Fax: +44+(0)1382-201604.
WebDad of http://somis.ais.dundee.ac.uk/
Home of the Scottish Search Maestro http://somis2.ais.dundee.ac.uk/
Happily using OS2 Warp.
==============================================
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
