I wonder if I could pass on this real but edited request for info, partly as a check on action to be taken and partly to help others who may in future have similar situations. I just received this request from a colleague in central administration, referring to Department XX. "Dept X want me to give them addresses and info on XX students to do some marketing research for XX courses. I have told them so far that I will not do this as they are using an outside company to carry out the research. I have offered, as usual, if they send us the info we would pass it on to students but they do not want to do this. What do you think?" ====== What I think is that (since we are covered for such activity under at least one purpose of previous registration) it would be ok to use "agents" in this way, but only if a contract was drawn up which stipulated safeguards against further use or disclosure. Subject to a contract, release outside is not really different from release/disclosure within the organisation. I also assume that since this will probably count as NEW processing, all relevant provisions of the new Act will apply - and if the data includes sensitive data there will a need for appropriately worded notes and consent. The precise point I would like to check is the apparent local custom whereby hitherto we have gone "to the top" for authorisation to release any personal data to outside agents. Am I right in assuming that there is no NECESSARY reason why one should get such top-level permission. If the action is legal, it's legal. (The creation of a contract may, of course, be a reason for bringing in a senior officer, but that is a different issue). ---------------------- Dr Trevor Field Senior Assistant Secretary University of Aberdeen ++44 (0)1224 272077 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%