Request for comments *Key* <T> = title <ST> = Subtitle <R> = Recommendation <T> Use of Personal Data by Employees <ST>Personaldata processed under an institutional notification Where employees at HE and FE institutions are processing personal data within their institution, as a legitimate part of their employment (e.g. research, teaching, consultancy and administration), they should be able to rely upon the notification to the DPC provided by their institution. <R>HE and FE institutions should ensure that their institutional notification adequately covers the legitimate data processing activities of their employees. <R>HE and FE institutions should: - consult the notification template for HE and FE institutions provided by the Data Protection Commissioner for guidance on best notification practice; - audit their institutional personal data processing activities on a regular basis to ensure that these match the activities that have been notified. <ST>Personaldata processed outside an institutional notification Where employees process personal data within their institution for purposes unconnected with their employment such processing may be deemed to be: - for their own personal or domestic purposes. Such processing will be exempt from notification. - for other purposes, such as commercial exploitation of personal data unrelated to the institutional notification. Such processing may require notification to the DPC. <R>HE and FE institutions are not responsible for notification of personal data processed by employees for purposes unconnected with their employment e.g for their own personal or domestic purposes. <R>HE and FE institutions should ensure that employees are provided with guidelines explaining the need for notification where their processing is likely to fall outside the institutional notification or the “personal or domestic purposes” exemption. <R>HE and FE institutions should consider: - whether employees should be permitted to process personal data using institutional resources where such processing is for purposes unconnected with their employment - the terms and conditions under which such processing should be permitted, if it is allowed. <ST>Employeeaccess to, and use of, Personal Data within HE and FE institutions Employees will often be expected to collect, hold, and process significant amounts of personal data as part of their employment duties. It is important to ensure that employees are apprised of the rights of data subjects, and respective employer and employee responsibilities with regard to access to, and use of, personal data. This is particularly so where employees may be processing sensitive personal data in the course of their employment. <R>FE and HE institutions should ensure that employees are: - aware that all personal data collected, held, and processed on institutional machinery, including via WWW tools and other Internet software are subject to the Data Protection Principles - aware that all personal data collected, held, and processed in structured manual files within institutions are subject to the Data Protection Principles - aware of the circumstances under which employees may legitimately access, process and disclose personal data held on institutional computer systems in the course of their employment. <R>FE and HE institutions should ensure that - guidelines for the proper use of personal data within an institution are available to all employees - there is a mechanism to ensure that misuse of personal data by employees within an institution can be identified and remedied - there is a mechanism for data subjects to object to the accessing, processing and disclosure of their personal data held by employees within an institution, in structured manual files or computerised form, where data subjects feel that such use may cause them significant damage or distress Andrew Charlesworth Senior Lecturer in IT law Director, Information Law and Technology Unit University of Hull Law School Hull, UK, HU6 7RX Voice: 01482 466387 Fax: 01482 466388 E-mail: [log in to unmask] %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%