This is fascinating stuff. I can quite understand permission to publish photos and other personal details being denied, but I'm amazed that email addresses are going to be treated as personal data - I've always regarded email addresses like telephone numbers - they are the property of the organisation which allocates them, not the individual to whom they are allocated. After all, the individuals cannot take them with them when they change jobs.

Furthermore, the email addresses and telephone numbers are, as I understand it, not allocated for personal use but for business-only use by the individual employee. If these are regarded as personal then institutions, starting with ours, would charge their employees for the service! As 'institutional information' it should be up to the institution whether or not it chooses to publish such a list. If what you're saying is true, I'm appalled.

A few years ago we asked our LIS staff to permit/deny permission in writing for the web publication of their photos. One third, understandably, refused permission. Can we expect this scale of refusal for publication of email addresses and telephone numbers?

I think we shall have to consider a carefully worded re-registration as Colin has just described.

Rob. (LIS DPO)

Dr Robert C. Symberlist
Network Multimedia Consultant,
Library and Information Services,
University of Wales Swansea
Singleton Park
Swansea SA2 8PP
Tel: 01792 295619
Fax: 01792 295851
http://www.swan.ac.uk/lis/

-----Original Message-----
From: [log in to unmask] [mailto:[log in to unmask]]
Sent: 07 May 1999 14:13
To: [log in to unmask]
Subject: Re: Data Protection Act issues

** Reply to note from Adrian Tribe <[log in to unmask]> Fri, 07 May 1999 10:12:14 +0100

Hi,

I happen to be the DPO for the University of Dundee and also happen to be the person who for the time being has done an "internal" email directory. Nice to receive a detailed email!

> 1. 'Consent'
> ============

You are correct in what you say about consent.
It has to be explicit. That is, explicitly given that someone wants to be included in any such directory. Transfer of data inside/outside the EU does not really come into it if you are putting data on the web, because automatically transfer is worldwide.

> An opt OUT system should still be OK at the point at which data is
> gathered (i.e. at the point at which staff/students enter the Uni and
> e-mail or telephone accounts are set up).

Correct but then your student records should be modified to hold the extra field(s), and ideally your directory ought to have access to the information, and there is the danger that for ever you will be shuffling paper. There is a further issue with disclosing student details (sexual harassment comes to mind) where even if the student has opted in there is at least some "moral liability" if the student comes to any harm.

> Phil Boyd suggested having departmental
> staff meetings and explaining the intentions of having a public
> directory etc and asking staff then to tell you if they want to opt
> OUT. That way, you know that the staff concerned got your message
> and understood it, so by choosing not to opt OUT they are indeed
> giving their consent.

Good idea. In a fair size institution though you have a constant turnover of staff, how do you handle the new staff? Are you likely to get Human Resources (Personnel) to put another form out to staff asking them to opt in/out of an email directory?

The punchline is that by Oct 2001 all Email addresses on the web will have to be given an opt in by their holders :-) else we are breaking the law.

Further, since you do not mention it anywhere, some of the supplementary guidelines for the 1984 act said [my paraphrasing] that publicly available email addresses should have adequate protection. I take that to mean that you should display them one at a time and in a way that a robot could not go and extract all of them (well a specifically written robot could but keep it in proportion).
The difficulties I find are the following:

- You will end up with a very small number of inclusions if you send out a form. People are busy and most could not care less about an EMail directory. You need to retain the paper (yuk) and also have it in an electronic database. (Electronic forms could be used but then you will get even less response).

- You are talking in terms of creating the database of EMail addresses from scratch. In our case I extract the info from the NDS tree, process it, and place it where it is used by the search scripts. There are alternatives for those with the right technology to access the nds tree directly or x500 directories and so on. The problem with all these solutions is that you need other people to do their bit in terms of feeding in the correct data (for staff opting in/out etc). That will be the day ;-)

In my view the key is to find a way of getting:
(a) most of your staff to opt in
(b) automatically or with little work create a list of those who are "in"
(c) ditto for students.
The rest would be a case of writing programs.

>2. Students as Data Controllers?
>================================

The conference people seem to have suggested that students should notify the Registrar's dept themselves. Ehmmmm, we are also being told to minimise the numbers of registrations we do (ideally down to 1) as the charges will be penalising the bigger organisations and those with more as opposed to fewer registrations. Thus this contradicts the advice the DPR's office has been giving on different occasions.

Then you may have (we do) students, particularly medics, who use real personal data as part of their studying, coursework etc. They definitely do not have to register with the DPR.

My view is that the educational institution will ultimately be responsible but I cannot really see a student infringing DP legislation. If there is some dispute there will be a slightly different issue, e.g. defamation with DP thrown in as a good measure.
>Apologies for the length of this e-mail!

ditto. At least you know someone read it :-)

Regards
Charles

==============================================
Charles Christacopoulos, Secretary's Office, University of Dundee,
Dundee DD1 4HN, (Scotland) United Kingdom.
Tel: +44+(0)1382-344891. Fax: +44+(0)1382-201604.
WebDad of http://somis.ais.dundee.ac.uk/
Home of the Scottish Search Maestro http://somis2.ais.dundee.ac.uk/
Happily using OS2 Warp.
==============================================