JISCMail - DATA-PROTECTION Archives

For information
This is posted on behalf of Ian Gross, HEFCE in response to e-mail from
Sally Justice on what happens to the FDS audit data after it is completed.

The audit of the FDS this year has finished, except for the presentation of
a final report to the Performance Indicators Steering Group. The data cannot
be destroyed until that group confirms it does not want any more analysis of
the data. Subject to that, the agent used by HEFCE has downloaded the data
to a back-up CD and it is not kept on their servers any more. The CD will be
destroyed by our agent when I ask them to.

In terms of participation, ALL 33 HEIs asked to participate this year
supplied the data we asked for. I have recently sent audit reports to each
of the institutions involved. In addition, we kept records of graduates
declining to participate in our telephone survey. These totalled just 27
people from 13 of the 33 HEIs, compared with over 6000 successful calls (a
rate of less than 0.5%). HESA will soon make available a generic copy of the
report letter to their listed FDS contacts.

The proposed good practice guidance we are developing jointly with HESA is
to be presented at the AGCAS sub-group on 2 Nov for their final comments and
observations, before it is published on the web.

Can I finally take this opportunity to remind HEIs that the audit of the FDS
is planned to continue for a further 4 years, until we have audited all
HEIs. This means that around 35 HEIs will be asked to participate in the
audit next Spring.

__________________________
Ian Gross
Head of Internal Audit & Projects
HEFCE Audit Service
Tel 0117 931 7169
Fax 0117 931 7396
email:  [log in to unmask]


-----Original Message-----
From: Sally Justice [mailto:[log in to unmask]]
Sent: Tuesday, October 16, 2001 1:18 PM
To: [log in to unmask]
Subject: FDS Survey for HE's


Members may rember this discussion back in April on this year.
Does anybody have an update please? Did the data get destroyed?
Where there any problems? Etc...
thanks
Sally Justice

....................................................................
[log in to unmask]
Carol Thompson 24-APR-2001 12:16:36.50

> We are being 'encouraged' to provide information to HEFCE we feel
> contravenes DP legislation. Other institutions have been put in the same
> position and I know some have declined. The following might be of some
> interest to HE institutions. Comments welcome!
>
>
Audit of the 2000 First Destination Survey (FDS)

Note on Data Protection (DP) issues

Some institutions have expressed concern about the data protection act
implications of passing personal information to HEFCE for the purpose of the
FDS audit.  This note describes HEFCE's interpretation of the issue, and
takes into account legal advice we have specifically procured in respect of
the FDS.

We accept that some of the information passed to HESA and forwarded to
HEFCE, and the information sought directly by HEFCE from institutions, is
'personal data' and that HEFCE is 'processing' it.  Consequently, HEFCE
accepts that it must comply with the DP principles.

Looking at the most relevant DP principles:

First DP principle

Personal data . . . . .shall not be processed unless at least one of the
conditions in schedule 2 is met . . . . .

One of the conditions is that the data subject (i.e. the graduate) has given
his/her consent to the processing of the data.  However, the consent of the
graduate is not necessary if one of the other conditions of schedule 2
applies.  In this case, the relevant condition is that the processing is
necessary for compliance with any legal obligation to which the data
controller (i.e. the institution) is subject.  In this case, section 79 of
the Further & Higher Education (FHE) Act 1992 places an obligation upon HEIs
to give the Council such information as it may require to carry out its
functions.  Consequently, institutions do not need the consent of their
graduates to pass on the information to the Council (or HESA acting on the
Council's behalf).  However, institutions may wish to advise prospective
students in future that personal information may be required to be provided
to HEFCE and other bodies.

Supplementary to the above condition of schedule 2, the Council can rely on
another condition (5b), which states that the processing is necessary for
the exercise of any functions conferred on any person by or under any
enactment.  In the Council's view, this information is required in
connection with our statutory functions.  Schedule 1 of FHE Act 1992 states
that the Council may do anything which appears to them to be necessary or
expedient for the purpose of or in connection with the discharge of their
functions.

The Council's rights under the FHE Act to ask for information are also
stated in the Financial Memorandum (ref 00/25; this is the funding contract
each institution has with HEFCE) and the Audit Code of Practice (ref 98/28).
Relevant extracts from these documents are available on request.

Third DP principle

Personal data shall be adequate, relevant and not excessive in relation to
the purpose or purposes for which they are processed.

In this case, HEFCE is asking for names, addresses and telephone numbers.
It could be argued that telephone numbers are not necessary for a survey,
which could be conducted by post. This might be considered less intrusive.
However, as HEIs themselves find, telephone surveys are usually necessary to
complete the FDS anyway.  Some HEIs have identified that, once they have
graduated, the graduates are private citizens.  This fact does not normally
prevent the HEI telephoning them for FDS purposes if this proves necessary.
For both HEFCE and the HEI therefore, there is a risk that the use of a
telephone call would breach the DP Act.  To prove a breach and bring a claim
for damages would require a graduate to show they had suffered distress or
damage.  Our advice is that a single (or a few) unsolicited telephone calls
is unlikely to result in compensation.  Similarly our advice is that a
telephone call is unlikely to interfere with a graduate's rights under the
Human Rights Act 1998.


Other information

HEFCE is using an agent to conduct its telephone re-survey work. Our
understanding is that this does not affect the position as the Council has a
clear right in law to contract out the performance of any of its statutory
functions so long as it retains discretion as to how the function is
exercised and it acts reasonably in doing so. Our contractual arrangements
with our agent provide for adequate confidentiality. The telephone numbers
provided will be checked against those held by the Telephone Preference
Service so that people who have indicated they do not wish to be contacted
by phone can be excluded from the re-survey. The personal data provided
(name, address and telephone number) will be destroyed at the end of the
audit process (around July 2001), in accordance with the DP requirement not
to hold data any longer than is necessary.

None of the personal data will be used in a report. We intend to use the
data only to test the original survey results. These results will be
analysed anonymously by institution. Once anonymised, they are no longer
personal data and will not be subject to the data protection act.


Summary

Institutions do not need the consent of their graduates in order to pass the
information requested to HEFCE. However, for their own assurance,
institutions may wish to:
*       Advise their existing and prospective students (and staff if this
does not already happen, e.g. for RAE purposes) that some personal data may
be transferred to HESA, HEFCE and other bodies to enable them to carry out
their statutory functions.
*       Update their own DP registration to ensure that the obligation to
provide data to such bodies is more clearly described.

Institutions are required to provide HEFCE with any information it
reasonably requires.


Further information

If further information or clarification of any of the above is required,
please contact Ian Gross, Head of Internal Audit & Projects at HEFCE on 0117
931 7169, [log in to unmask]



> --------------------------------------------
> Carol Thompson                  Tel: 0191 215 6546
> Information Officer         Fax: 0191 215 6560
> & Data Protection Supervisor
> University of Northumbria
> Coach Lane Learning Resources Centre
> Benton
> Newcastle Upon Tyne
> NE7 7XA           e-mail: [log in to unmask]
>
>

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^