Request for comments
*Key*
<T> = title
<ST> = Subtitle
<R> = Recommendation
<T> Use of Personal Data by Employees
<ST>Personaldata processed under an institutional notification
Where employees at HE and FE institutions are processing
personal data within their institution, as a legitimate part of their
employment (e.g. research, teaching, consultancy and
administration), they should be able to rely upon the notification to
the DPC provided by their institution.
<R>HE and FE institutions should ensure that their institutional
notification adequately covers the legitimate data processing
activities of their employees.
<R>HE and FE institutions should:
- consult the notification template for HE and FE institutions
provided by the Data Protection Commissioner for guidance on
best notification practice;
- audit their institutional personal data processing activities on a
regular basis to ensure that these match the activities that have
been notified.
<ST>Personaldata processed outside an institutional notification
Where employees process personal data within their institution for
purposes unconnected with their employment such processing
may be deemed to be:
- for their own personal or domestic purposes. Such processing
will be exempt from notification.
- for other purposes, such as commercial exploitation of personal
data unrelated to the institutional notification. Such processing
may require notification to the DPC.
<R>HE and FE institutions are not responsible for notification of
personal data processed by employees for purposes unconnected
with their employment e.g for their own personal or domestic
purposes.
<R>HE and FE institutions should ensure that employees are
provided with guidelines explaining the need for notification where
their processing is likely to fall outside the institutional notification
or the “personal or domestic purposes” exemption.
<R>HE and FE institutions should consider:
- whether employees should be permitted to process personal
data using institutional resources where such processing is for
purposes unconnected with their employment
- the terms and conditions under which such processing should be
permitted, if it is allowed.
<ST>Employeeaccess to, and use of, Personal Data within HE
and FE institutions
Employees will often be expected to collect, hold, and process
significant amounts of personal data as part of their employment
duties. It is important to ensure that employees are apprised of the
rights of data subjects, and respective employer and employee
responsibilities with regard to access to, and use of, personal data.
This is particularly so where employees may be processing
sensitive personal data in the course of their employment.
<R>FE and HE institutions should ensure that employees are:
- aware that all personal data collected, held, and processed on
institutional machinery, including via WWW tools and other Internet
software are subject to the Data Protection Principles
- aware that all personal data collected, held, and processed in
structured manual files within institutions are subject to the Data
Protection Principles
- aware of the circumstances under which employees may
legitimately access, process and disclose personal data held on
institutional computer systems in the course of their employment.
<R>FE and HE institutions should ensure that
- guidelines for the proper use of personal data within an
institution are available to all employees
- there is a mechanism to ensure that misuse of personal data by
employees within an institution can be identified and remedied
- there is a mechanism for data subjects to object to the
accessing, processing and disclosure of their personal data held
by employees within an institution, in structured manual files or
computerised form, where data subjects feel that such use may
cause them significant damage or distress
Andrew Charlesworth
Senior Lecturer in IT law
Director, Information Law and Technology Unit
University of Hull Law School
Hull, UK, HU6 7RX
Voice: 01482 466387 Fax: 01482 466388
E-mail: [log in to unmask]
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
