All,

Like many I suppose I've spent a little time looking at the PECR amendments that relate to cookies, the EU Directives, the government guidelines and the ICO advice and working with other folk to figure out what needs to be done. So this note really is just to give a heads up on a conversation I had with the ICO helpline.

In looking at the issues, the following point came to me fairly quickly: well this is fine and dandy for all the punters/customers who log on to our websites for services and info, but how does it figure for employees working for an institution/company on their employers' "terminal equipment"? Does this mean that all our staff have to give consent for the institution to place cookies on its own machines used in its own offices by its own employees?

Well I scratched my head and spent an interesting hour or so delving into definitions (and the absence of them) in the EU directives and PECR and came up with the conclusion that - mmmmm , well yes, err, it looks like it does.

I called the ICO and they said. Well yes, we're trying to figure this one out. Perhaps you want to write in about it. The ICO thinking at the moment seems to be that there may be some mileage in implied consent by employees when they sign up to their work terms and conditions. Though this view may change. I didn't write in to the ICO since other folk seem to have already done this. But I'll be interested to see what the ICO comes up with. I haven't yet broached the issue about intranets as opposed to public communications systems. I've suggested to my folk that they concentrate on the punters at the moment and let's see which way this cookie crumbles.

Thought I'd share this one, and see if any other folk have run their heads up against this.

Ray Cooke
Information Compliance Officer
Oxford Brookes University
Computer Services
Directorate of Learning Resources
Headington Campus
Gipsy Lane
Oxford, OX3 0BP

tel: +44 (0)1865 484354
fax: +44 (0)1865 483330

www.brookes.ac.uk

All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html

Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):

Leaving this list: send leave data-protection to [log in to unmask]
Suspending emails from all JISCMail lists: send SET * NOMAIL to [log in to unmask]
To receive emails from this list in text format: send SET data-protection NOHTML to [log in to unmask]
To receive emails from this list in HTML format: send SET data-protection HTML to [log in to unmask]

All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]

Any queries about sending or receiving messages please send to the list owner [log in to unmask]

(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)