“Firstly, staff are not customers but employees”
I’m not sure this makes any difference although it would help if the ICO referred to them as data subjects rather than customers. I believe the section I highlighted still applies i.e. to release data to a third party you need the consent of the data subject.
“entry in the ICO's Data Protection Public Registrar will cover the data sets, how they are used and who else will make use of them”
Yes this is the problem. If the sign in system was already in place and the third party was listed in the schools entry with the public registrar when the data subject signed their contract / became a customer there would not be an issue and the OP would not need to ask if it was ok to release the information. But he wants to release information to a NEW third party that the data subjects have yet to approve and that is not listed in the schools entry with the public registrar.
“it makes no difference whether you release it to them prior to coming on site or not”
I see where you are coming from with this so really the third party should show the school how to import the user data and they shouldn’t actually be given the data at all.
“ensuring that information is protected in transit” – encrypt it
“that it is held securely” – How can you do this without auditing the third party?
“that it is only accessed by those authorised to do so” The data subjects have not authorised the third party and how can the school ensure the third party does not release the data to others?
“that it will only be used for the specified purpose for which it was collected” – The data was not collected for the signing in system, the signing in system is being installed after the data was collected.
Our bursar who is the one that has had data protection training said names were ok but I see your point. If say a website listed the names of its customers then I would say that was a breach so there is a very fine line and its best to err on the side of caution.
You must be dizzy from all those circles and probably need to lie down – lol
At the next staff meeting why don’t you turn up with a list of staff names and ask them to sign it if they are ok with you sending the data? Any people that don’t can then get added once the system is installed.
EDIT - Oh and just to be pedantic if the names included their title i.e. Miss, Ms or Mrs you would be releasing two bits of information i.e. their marital status as well as their name...
Last edited by ToyHeartsFan; 18th May 2012 at 10:58 AM.
There is a difference between customers and employees, and this will be reflected in your Public Register entry. The use of data sets specified within the data classes is not reliant on specifying named companies in that document, but on the general information on how it will be processed and the fact that it will be shared with 3rd parties / partners / agencies for those processes / reasons.
An example would be to say that personal information will be used to create, control and allow access to systems under the control of the school and agreed partners. You then specify who those partners are in the Privacy Notice for parents and children, or within the contract of employment or other school policy documents for staff. The privacy notice is an information dissemination route as are the policies. You may consult whilst making decisions about appropriate choice of partners and review the entries in the Public Register (consultation is frequently done by the Governing Body to ensure it fits in with policies and the policies fit in with the entry) but it is not about consent.
If you wanted to use the data for a purpose other than one already specified in both the Public Register and the school policies then yes, consult and gain consent where needed. This is why you will see many entries in the Public Register that seem rather vague and open ended ... you will see inclusion of use of personal data for marketing, research and so on ...
Yes, the difficult thing is ensuring that the 3rd party is following your own stringent rules about managing and handling data. Some of this does not have to be done via an audit but by the contract of works between yourself and the 3rd party. If they state in the contract that they will do X to allow them to comply with the laws of the land and your polices and they fail to do it, then you can be said to have taken reasonable action to ensure the DPA (and its 8 principles) have been followed. You can look at this as a way of then taking legal action against the 3rd party to cover any liabilities you have incurred as a result of any breach ... and so on.
This is why a long period to time (and a fair chunk of money) is spent on frameworks ... to cover areas like this off so that when schools sign into them (since a number of LAs don't do it on their behalf anymore, of course) then the responsibility of dealing with this is shared with not just the 3rd party but also with the framework creator (e.g. a regional group, DfE, etc).
My apologies if I wasn't clear enough about those aspects in my original reply. As always, if a school is concerned about their responsibilities then they should gain formal legal advice (i.e. all my advice is given with no acceptance of liability!)
I have to say I am heartened that the DPA talk I gave at last year's conference has been remembered!! I m alined up for the same opening slot this year as well. After that I'll be opening for Bon Jovi (in my dreams).
This is one of those lovely grey areas that solicitors will take lots of money off people to argue both ways!!
First things first, your duty of care to the information. If this were me, and I was unsure, I would treat the information as sensitive, until proved otherwise. So, firstly, I would ensure that the target organisation is registered with the ICO (easy enough to do online).
If they're not, don't send the info, just tell them to get registered (as it's a legal requirement if they hold personal data, and are a business).
If they are registered, I would consider this data use pertinent to the individuals job role, and so be happy to send it. I would encrypt in transmission though. I would also ask (nicely) about the target companies data protection training, and access to the data.
Data comes under the DPA if a living individual can be identified. I would think that knowing someone is a teacher as school 'X' and their name would be enough. In transit though, if it's only a list of names, it may not fall under the act. I would still treat the data as if it is though.
Short answer - yes the data maybe covered, and treat it as though it is, but this sounds like a proper use for the data, so you would be OK using it for this purpose.
I hope to see a lot of you at the conference - come over and say 'Hi'.