Dear friends,

As Colin Work and I appeared to be the only 'Web people' present at the 'DPA 1998 Implications for Higher and Further Education Institutions - An Update' conference in London yesterday, I thought others might like a report on two of the Web site related points raised.

1. 'Consent'
============

Phil Boyd (Senior Compliance Manager at the Office of the Data Protection Registrar) and others were quizzed quite extensively about the issue of public on-line e-mail and phone directories and the exact meaning of 'consent'. Some interesting points emerged.

If at the time at which the data is gathered from data subjects for placing in an on-line directory, subjects are asked whether they object to being included and they do not object, i.e. they choose not to opt OUT, then that seems to count as consent, both under the 1984 and 1998 Acts.

If, however, you construct the directory from data you already hold and simply inform the subjects that you are going to make (or have already made!) a directory available publicly on your Web site, and give them the opportunity to opt OUT at that point, failing to get a reply from someone would probably NOT count as consent - they simply haven't replied, perhaps because they didn't get your message or didn't understand your message.

In other words, you ought to have an opt IN rather than an opt OUT policy, if you are intending to create a directory from subject data you already hold. Of course, the 1998 Act restriction on transfer of data beyond the European Economic Area can only be overcome if you have the data subject's consent anyway, so if the directory is already in place, you really need a positive opt IN from the subjects to be able to rely on the consent exemption. Administratively, this is more cumbersome than having an opt OUT policy, but seems to be the safest way of ensuring compliance with the Acts.

This way of thinking stems from a decision made by the Data Protection Tribunal against "Innovations", in which the company acquired contact data from subjects for sending their catalogues etc, then later informed the subjects that their details were on a list that was rented out to others, and that if the subject objected they could have their details removed by writing to the company and requesting to do so (i.e. an opt OUT policy). The company relied on a failure to opt out as amounting to consent to use their details in this way. The Tribunal found otherwise.

An opt OUT system should still be OK at the point at which data is gathered (i.e. at the point at which staff/students enter the Uni and e-mail or telephone accounts are set up).

If you fear that this will result in a fairly incomplete and useless directory, there may be ways round this. You don't have to use a form to obtain consent. Phil Boyd suggested having departmental staff meetings and explaining the intentions of having a public directory etc and asking staff then to tell you if they want to opt OUT. That way, you know that the staff concerned got your message and understood it, so by choosing not to opt OUT they are indeed giving their consent. Alternatively you could send out forms with the existing data on it, asking subjects to check its accuracy and return it, having an 'I opt OUT of the public directory' tick box as well.

Of course, the complacent will feel that this is a lot of fuss over nothing and will probably do nothing about it!

2. Students as Data Controllers?
================================

It was suggested that we should assume that students are Data Controllers as far as any personal data held on their disc space on the university server(s) is concerned, and that the Uni itself is then just a Data Processor.
This tactic places the duty on the student, not the Uni, to notify the DP Commissioner re their use of personal data, in theory absolving the Uni from responsibilities under the Act for this data.

Personally I think this is an assumption fraught with danger, and I certainly wouldn't want to rely on it!! What do others think?

Apologies for the length of this e-mail!

Best wishes,

Adrian

Adrian Tribe
Web Editor, CCS, Birkbeck College, Malet Street, London WC1E 7HX
Tel: 0171 631 6291; Mobile: 0403 288192; Fax: 0171 631 6556