JISCMail - DATA-PROTECTION Archives

Comments (with ------>) on extracts from:
> 
> The Internet and World Wide Web
> 
> General Institutional Webpages
> 
...The personal data in question is usually in the form of text 
> and pictures, 
---->  "text and sometimes pictures" ?

That data is, by virtue of the background technology, available both outside 
the institution and outside the UK, including countries outside the European 
> Economic Area (EEA) ... 
----->  Might it be as well here to add or make explicit a note that the 
publication via Web actually runs counter (by definition) to DP Principle 8.  
It has always seemed to me to be an unstoppable argument to offer to those who 
pooh-pooh examples of estranged or deranged partners living elsewhere in the 
UK. Something like:  "Such data, when released on the Worldwide Web, by 
definition goes beyond the E...E...A..., and therefore contravenes the Eighth 
DP Principle unless (for example) one has the consent of the data subject.  
Even without this technicality, it is a very open form of publication, and data 
subjects should be able to exert their normal rights (as in DP Principle 6)."


> Staff personal data which is required to be supplied for the 
> purposes of the normal organisational functioning and management 
> of the institution...  
------>  this - in its various appearances - seems very good to me.

  However, data subjects whose personal data is used in this way should be 
informed of this 
> use and must still retain the right to object to the use of their data 
> where it would cause them significant damage or distress..

---->  One question here is that the Act (S.10) says that people can object if 
there is to be substantial damage or s. distress AND if said d. or d. is 
unwarranted.  Would it be wise to build in some notion that the data subject 
can't just say "Sorry, nope, it would cause me great distress.  Full stop." and 
that (s)he would need to show that the likelihood outweighed the benefit to the 
institution or the requirements of the job?  Same for Directories later.


> All other non-essential uses of personal data on an institutional 
> website, including the use of photographs of data subjects for 
> general publicity (background shots, panoramas etc.) where the 
> data subject is clearly identifiable will require the consent of the 
> relevant data subjects.  

------->  I have a slight worry about this - and website can be extended to 
propectus.  We all have some great photos of our places (street scenes, 
students sitting on lawns, let alone labs) with photos which surely make people 
identifiable.  I suppose technically this is what is meant by "identity" in the 
Act (no name is necessary).  But Student X who was snapped while cycling down 
the High Street surely need not/cannot be stopped to ask for permission, even 
if the HEI/FEI were to go to the lengths of checking back for permission of 
Student Y caught leaving the stage after graduating.  I would have thought that 
insistence on permission for this general background material would show excess 
of zeal, and would very soon bump into the "disproportionate effort" category.  
So I'd tone it down to suggest that where institution is taking photos with 
intention of later use for publicity (Web or not) every reasonable effort 
should be made to check permission of participants.

> 
> Web pages used to collect personal data

> * HE and FE institutions should ensure that at the point of 
> collection (i.e. on the relevant web page) the following information is 
> provided to the data subject:
 [...]
> >  - the period for which the data will be kept

------>  I'm not so clear why the period of rentention is needed here, more 
than in any other material - and presumably it is possible to use "no longer 
than is necessary".  For relevant Web page, would it not be very sensible for 
institutions just to have an all-purpose note on such policy matters on a 
central page - then pages which collect would link to that.  (This may seem 
obvious, and perhaps it was intended, but it does link to comments elsewhere 
about indicating things on paper forms at point of collecting data - the Web 
makes such duplication unnecessary, I think.)

-----> All points about monitoring/checking (like all those many points not 
commented) are excellent.  Thanks, Andrew 



----------------------
Dr Trevor Field
Senior Assistant Secretary
University of Aberdeen 
++44 (0)1224 272077





%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%