Dear friends,

As Colin Work and I appeared to be the only 'Web people' present 
at the 'DPA 1998 Implications for Higher and Further Education
Institutions - An Update' conference in London yesterday, I 
thought others might like a report on two of the Web site 
related points raised.

1. 'Consent'
============

Phil Boyd (Senior Compliance Manager at the Office of the 
Data Protection Registrar) and others were quizzed quite 
extensively about the issue of public on-line e-mail and phone 
directories and the exact meaning of 'consent'.  Some interesting
points emerged.  

If at the time at which the data is gathered from data subjects 
for placing in an on-line directory, sujects are asked whether 
they object to being included and they do not object, i.e. they 
choose not to opt OUT, then that seems to count as consent, both 
under the 1984 and 1998 Acts.  If, however, you construct the 
directory from data you already hold and simply inform the subjects
that you are going to make (or have already made!) a directory 
available publicly on your Web site, and give them the opportunity 
to opt OUT at that point, failing to get a reply from someone would 
probably NOT count as consent - they simple haven't replied, perhaps 
because they didn't get your message or didn't understand your 
message.  In other words, you ought to have an opt IN rather than an 
opt OUT policy, if you are intending to create a directory from 
subject data you already hold.

Of course, the 1998 Act restriction on transfer of data beyond the 
European Economic Area can only be overcome if you have the data 
subject's consent anyway, so if the directory is already in place, 
you really need a positive opt IN from the subjects to be able to 
rely on the consent exemption.   Administratively, this is more 
cumbersome than having an opt OUT policy, but seems to be the safest 
way of ensuring compliance with the Acts.

This way of thinking stems from a decision made by the Data Protection
Tribunal against "Innovations", in which the company acquired contact 
data from subjects for sending their catalogues etc, then later informed
the subjects that their details were on a list that was rented out to 
others, and that if the subject objected they could have their details 
removed by writing to the company and requesting to do so (i.e. an 
opt OUT policy).  The company relied on a failure to opt out as 
amounting to consent to use their details in this way.  The Tribunal 
found otherwise.

An opt OUT system should still be OK at the point at which data is 
gathered (i.e. at the point at which staff/students enter the Uni and 
e-mail or telephone accounts are set up).  

If you fear that this will result in a fairly incomplete and useless 
directory, there may be ways round this.  You don't have to use a 
form to obtain consent.  Phil Boyd suggested having departmental 
staff meetings and explaining the intentions of having a public 
directory etc and asking staff then to tell you if they want to opt 
OUT.  That way, you know that the staff concerned got your message 
and understood it, so by choosing not to opt OUT they are indeed 
giving their consent.  Alternatively you could send out forms with 
the existing data on it, asking subjects to check its accuracy and 
return it, having an 'I opt OUT of the public directory' tick box as 
well.

Of course, the complacent will feel that this is a lot of fuss over 
nothing and will probably do nothing about it!

2. Students as Data Controllers?
================================

It was suggested that we should assume that students are Data 
Controllers as far as any personal data held on their disc space 
on the university server(s) is concerned, and that the Uni itself 
is then just a Data Processor.  This tactic places the duty on the 
student, not the Uni, to notify the DP Commissioner re their use of 
personal data, in theory absolving the Uni from responsibilities
under the Act for this data.

Personally I think this is an assumption fraught with danger, and I 
certainly wouldn't want to rely on it!!  What do others think?

Apologies for the length of this e-mail!

Best wishes,
Adrian

Adrian Tribe <[log in to unmask]>
Web Editor, CCS, Birkbeck College, Malet Street, London WC1E 7HX
Tel: 0171 631 6291;  Mobile: 0403 288192;  Fax: 0171 631 6556 


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%