Comments (with ------>) on extracts from: > > The Internet and World Wide Web > > General Institutional Webpages > ...The personal data in question is usually in the form of text > and pictures, ----> "text and sometimes pictures" ? That data is, by virtue of the background technology, available both outside the institution and outside the UK, including countries outside the European > Economic Area (EEA) ... -----> Might it be as well here to add or make explicit a note that the publication via Web actually runs counter (by definition) to DP Principle 8. It has always seemed to me to be an unstoppable argument to offer to those who pooh-pooh examples of estranged or deranged partners living elsewhere in the UK. Something like: "Such data, when released on the Worldwide Web, by definition goes beyond the E...E...A..., and therefore contravenes the Eighth DP Principle unless (for example) one has the consent of the data subject. Even without this technicality, it is a very open form of publication, and data subjects should be able to exert their normal rights (as in DP Principle 6)." > Staff personal data which is required to be supplied for the > purposes of the normal organisational functioning and management > of the institution... ------> this - in its various appearances - seems very good to me. However, data subjects whose personal data is used in this way should be informed of this > use and must still retain the right to object to the use of their data > where it would cause them significant damage or distress.. ----> One question here is that the Act (S.10) says that people can object if there is to be substantial damage or s. distress AND if said d. or d. is unwarranted. Would it be wise to build in some notion that the data subject can't just say "Sorry, nope, it would cause me great distress. Full stop." and that (s)he would need to show that the likelihood outweighed the benefit to the institution or the requirements of the job? Same for Directories later. > All other non-essential uses of personal data on an institutional > website, including the use of photographs of data subjects for > general publicity (background shots, panoramas etc.) where the > data subject is clearly identifiable will require the consent of the > relevant data subjects. -------> I have a slight worry about this - and website can be extended to propectus. We all have some great photos of our places (street scenes, students sitting on lawns, let alone labs) with photos which surely make people identifiable. I suppose technically this is what is meant by "identity" in the Act (no name is necessary). But Student X who was snapped while cycling down the High Street surely need not/cannot be stopped to ask for permission, even if the HEI/FEI were to go to the lengths of checking back for permission of Student Y caught leaving the stage after graduating. I would have thought that insistence on permission for this general background material would show excess of zeal, and would very soon bump into the "disproportionate effort" category. So I'd tone it down to suggest that where institution is taking photos with intention of later use for publicity (Web or not) every reasonable effort should be made to check permission of participants. > > Web pages used to collect personal data > * HE and FE institutions should ensure that at the point of > collection (i.e. on the relevant web page) the following information is > provided to the data subject: [...] > > - the period for which the data will be kept ------> I'm not so clear why the period of rentention is needed here, more than in any other material - and presumably it is possible to use "no longer than is necessary". For relevant Web page, would it not be very sensible for institutions just to have an all-purpose note on such policy matters on a central page - then pages which collect would link to that. (This may seem obvious, and perhaps it was intended, but it does link to comments elsewhere about indicating things on paper forms at point of collecting data - the Web makes such duplication unnecessary, I think.) -----> All points about monitoring/checking (like all those many points not commented) are excellent. Thanks, Andrew ---------------------- Dr Trevor Field Senior Assistant Secretary University of Aberdeen ++44 (0)1224 272077 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%