JISCMail - DATA-PROTECTION Archives

My rule of thumb is that the first priority with Data Protection isn't 
protecting data, but protecting people.  You can find yourself having to 
balance different people's interests, but data per se never takes precedence 
over people.  If you need to disclose data in order to protect people, Data 
Protection shouldn't stop you.  It may be the DPO's job to work out how to 
disclose and comply.

I would endorse the comments already made, and also suggest that:

a) Confidentiality does not equal secrecy.  It's about defining the 
boundaries within which information will be shared.  Sharing information on 
a need to know basis within the same institution may not be a breach of 
confidentiality.  (See the DDA where you cannot tell your tutor something 
about a disability and require them not to pass it on.  Once you've told the 
tutor, you have told the institution, which then has a legal duty to 
consider whether any action is necessary.)

b) On a practical basis I would always consider going back to the individual 
and saying 'You know that confidential conversation we had?  Well now we 
think we need to pass the information on.  Any objections?'  That may not 
always be appropriate, but you should always consider it.


Paul Ticher
0116 273 8191
22 Stoughton Drive North, Leicester LE5 5UB


----- Original Message ----- 
From: "Okey, Andrew" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Tuesday, May 19, 2009 2:05 PM
Subject: confidential information and internal data re-use


Colleagues,

Your opinion would be welcome on the following scenario:

When students first register at Lancaster University they are given a
Fair Processing notice that makes clear to them that data collected by
any part of the university may be used in support of all the
typical/routine functions of the university, including the management of
academic programmes, the operation of disciplinary and welfare services
etc. It is also made clear that information will be shared amongst staff
when (but only when) there is an operational need.

Student X performs poorly in his chosen course, and asks to restart on a
new course. In considering X's restart request the admissions office
collates information on X's status, performance and personal history to
date, including formal records of disciplinary action taken against X on
one occasion.

In my role as DP office, I am then approached by X's original academic
department, who indicate they have had several conversations with the
student, which the student believed to be confidential, and which were
conducted so that the department could better understand what was
affecting X's academic performance. The information gleaned from those
conversations suggest that X could potentially be (a) involved in some
illegal activity and/or (b) that they might pose a threat to the
wellbeing of other students he may come into contact with.

Do I advise the department to pass this information to the admissions
operation? The main argument against would be that of Fair Processing -
the data (some of it possibly sensitive) was collected for one purpose,
and is now to be used for a very different one, with the student not
having been approached about this (and, because the data is probably at
least partly sensitive, that means we need consent, which I doubt will
be forthcoming).

The main argument in favour would be that we have a broader duty to
protect other students, which means we have to use this data to inform
our decision about restart. This course of action places more weight on
our duty of care than on our observance of DP law - after all, X is not
a threat to HIMSELF, so we can't  use the "vital interests" argument.

Anyone want to comment on which of the two issues we'd be better off
being sued for? Or is there a way out of this mess?

Thanks


Andrew Okey
Administrative Officer
Student Registry
Lancaster University
[log in to unmask]
01524-592138 (internal ext: 92138)




^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at 
http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list 
owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your 
needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^