Dear Charles (and list members),

Thanks for your reply.

You're certainly right to raise the issue of new processing post- 
October 1998, but I was looking particularly into existing 
uses and registrations, which can stand, as you say, until 
October 2001.

A survey of 131 UK university Web sites that I have just carried 
out shows that 124 of them reveal "personal data" of one form 
or another to visitors from anywhere in the world on their Web 
sites, either via searchable directories or on staff information
pages.  Of these, 76 are either not registered to do so according 
to the register entries available at http://www.dpr.gov.uk/, or 
are only partly covered.  In other words, 61% are disclosing 
personal data that they are not registered to disclose. 

Of the 48 that are correctly registered, 28 of these use the 
model registration proforma found at the ftp site mentioned by 
Andy Powell, either "as is" or with minor variations.  

On Colin Work's point about the 1998 Act's restriction on the export
of personal data to countries outside the EEA which do not have 
an "adequate" level of protection for data subjects (the 8th Data 
Protection Principle), Schedule 4 of the 1998 Act allows for 
exemption from the 8th principle if the Data Subject has given 
consent for the transfer.  As processing of personal data will 
require a data subject's consent even if there is no transfer of 
data outside the EEA anyway, getting explicit permission from data 
subjects for the inclusion of their details in any on-line 
directories or staff pages etc is going to be essential under the 
new regime.

Best wishes,
Adrian

Adrian Tribe <[log in to unmask]>
College Web Editor


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%