 |
 |
hi Are you sure about this statement below? Am I missing something? "Incidentally, the process of monitoring will also be subject to the Regulation of Investigatory Powers Bill, if that becomes law, which seems to require staff to have formal authority to perform such activities." I thought that the RIP Bill was when THIRD PARTIES can have access to such data (e.g. communications data). For example, third parties such as the Intervention Board with respect to black market milk, or the Egg Inspectorate. Staff should be able to process personal data for purposes which are consistent with the provisons of the DP Act and authorised by the Data Controller. C ---------- > From: [log in to unmask] > To: [log in to unmask]; [log in to unmask] > Subject: Re: CoP - The Internet and WWW > Date: 30 May 2000 17:16 > > <<File Attachment: ENVELOPE.TXT>> > At 16:27 30/05/00 +0100, Andrew Charlesworth wrote: > >Request for comments > > First very many thanks for this. When published it, and the other > guidelines, will be very useful to us. > > Probably the most common DPA query which comes to JANET-CERT is on the > use of log files from web and e-mail servers. In conjunction with a list > of the owners of desktop workstations (which many computer services > maintain) I can see an argument that this could become personal data. The > sorts of information which could be gained from these logs include what > web pages an individual looked at (and when), and with whom (and with > what subject) they exchanged e-mail messages. I think this information is > covered by your existing paragraphs, but it might be helpful to include > it as one of the forms of incidental disclosure. > > My response to sites has been that I could see no problem in using this > information for reasonable operational purposes (e.g. to plan network > capacity to suit the observed traffic) but that, for example, using it as > evidence in disciplinary hearings seemed to me to fall well beyond the > pale of the DPA principle of fairness. I hope that is somewhere near the > mark? > > Incidentally, the process of monitoring will also be subject to the > Regulation of Investigatory Powers Bill, if that becomes law, which seems > to require staff to have formal authority to perform such activities. > > Andrew Cormack > > >The Internet and World Wide Web > > > > Internetand Intranet Monitoring > >In the business environment, it is becoming the norm for > >companies to routinely monitor all data held on their equipment and > >to inspect all e-mail and other electronic data entering, leaving, or > >within, their networks. FE and HE institutions require the ability to > >inspect all data held on their computer equipment, and to inspect > >all e-mail and other electronic data entering, leaving, or within, the > >University network to ensure conformity with: > > > > - Institutional regulations > > - Contractual agreements with third parties > > - UK law > > > >FE and HE institutions are obliged by virtue of the agreement > >entered into with UKERNA to ensure as far as possible that their > >users do not use the SuperJANET system to transmit or transfer > >certain types of electronic data. They are obliged by law to report > >to the police the discovery of certain types of electronic data, if that > >data is found on their equipment, or transmitted across their > >networks. > >Many types of routine computer service tasks will involve members > >of FE and HE institutions' staff (such as network administrators) > >having access to various levels of staff and student held data. > >Examples include: > > > > - e-mail postmasters receiving mail failure notifications will often be > >sent the text of the failed message by the e-mail server which has > >rejected or redirected it. > > - staff making archive copies from fileservers will, as part of the > >archiving process, often be able to read the names of files held in > >staff and student accounts. > > - staff sorting output from printers prior to its dissemination to > >users will be able to view the content of that output. > > > >It is inevitable that under these routine circumstances, members of > >staff will, on occasion, and in the course of their legitimate > >organisational functions, be required to access, process and > >possibly disclose personal data held on FE and HE institutions' > >computers systems. Internal guidelines should be provided to > >ensure both those running institutional computer systems and > >those using them are aware of the circumstances under which their > >personal data may be accessed, processed and disclosed and the > >safeguards against misuse of that personal data. > > -------------------------------------------------------------- > Andrew Cormack > Head of CERT > UKERNA, Atlas Centre, Chilton, Didcot, Oxon. OX11 0QS > > Phone: 01235 822 302 E-mail: [log in to unmask] > Fax: 01235 822 398 > > ******************** E-mail confidentiality notice ******************** This message is intended for the addressee only. It is private, confidential and may be covered by legal professional privilege or other legal or attorney/client privilege. If you have received this message in error, please notify us and remove it from your system. If you require assistance, please contact our London PC Support department (telephone +44 (0) 20 7490 6949). Masons is an international law firm with offices in London, Bristol, Glasgow, Leeds, Manchester, Brussels, Dublin, Hong Kong, Guangzhou and Singapore. Further information about the firm and a list of partners is available for inspection at 30 Aylesbury Street, London EC1R OER or from our Web site at www.masons.com *********************************************************************** %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%