General Chat Thread, Data protection question in General; ...
  1. #16

    @GrumbleDook
    “Firstly, staff are not customers but employees”
    I’m not sure this makes any difference although it would help if the ICO referred to them as data subjects rather than customers. I believe the section I highlighted still applies i.e. to release data to a third party you need the consent of the data subject.

    “entry in the ICO's Data Protection Public Registrar will cover the data sets, how they are used and who else will make use of them”

    Yes this is the problem. If the sign in system was already in place and the third party was listed in the school's entry with the public registrar when the data subject signed their contract / became a customer there would not be an issue and the OP would not need to ask if it was ok to release the information. But he wants to release information to a NEW third party that the data subjects have yet to approve and that is not listed in the school's entry with the public registrar.


    “it makes no difference whether you release it to them prior to coming on site or not”
    I see where you are coming from with this so really the third party should show the school how to import the user data and they shouldn’t actually be given the data at all.

    “ensuring that information is protected in transit” – encrypt it

    “that it is held securely” – How can you do this without auditing the third party?

    “that it is only accessed by those authorised to do so” The data subjects have not authorised the third party and how can the school ensure the third party does not release the data to others?

    “that it will only be used for the specified purpose for which it was collected” – The data was not collected for the signing in system, the signing in system is being installed after the data was collected.



    @pcstru
    Our bursar who is the one that has had data protection training said names were ok but I see your point. If say a website listed the names of its customers then I would say that was a breach so there is a very fine line and it's best to err on the side of caution.



    @sparkeh
    You must be dizzy from all those circles and probably need to lie down – lol
    At the next staff meeting why don’t you turn up with a list of staff names and ask them to sign it if they are ok with you sending the data? Any people that don’t can then get added once the system is installed.




    EDIT - Oh and just to be pedantic if the names included their title i.e. Miss, Ms or Mrs you would be releasing two bits of information i.e. their marital status as well as their name...
    Last edited by ToyHeartsFan; 18th May 2012 at 10:58 AM.

  2. #17

    GrumbleDook's Avatar
    @ToyHeartsFan

    There is a difference between customers and employees, and this will be reflected in your Public Register entry. The use of data sets specified within the data classes is not reliant on specifying named companies in that document, but on the general information on how it will be processed and the fact that it will be shared with 3rd parties / partners / agencies for those processes / reasons.

    An example would be to say that personal information will be used to create, control and allow access to systems under the control of the school and agreed partners. You then specify who those partners are in the Privacy Notice for parents and children, or within the contract of employment or other school policy documents for staff. The privacy notice is an information dissemination route as are the policies. You may consult whilst making decisions about appropriate choice of partners and review the entries in the Public Register (consultation is frequently done by the Governing Body to ensure it fits in with policies and the policies fit in with the entry) but it is not about consent.

    If you wanted to use the data for a purpose other than one already specified in both the Public Register and the school policies then yes, consult and gain consent where needed. This is why you will see many entries in the Public Register that seem rather vague and open ended ... you will see inclusion of use of personal data for marketing, research and so on ...

    Yes, the difficult thing is ensuring that the 3rd party is following your own stringent rules about managing and handling data. Some of this does not have to be done via an audit but by the contract of works between yourself and the 3rd party. If they state in the contract that they will do X to allow them to comply with the laws of the land and your policies and they fail to do it, then you can be said to have taken reasonable action to ensure the DPA (and its 8 principles) have been followed. You can look at this as a way of then taking legal action against the 3rd party to cover any liabilities you have incurred as a result of any breach ... and so on.

    This is why a long period of time (and a fair chunk of money) is spent on frameworks ... to cover areas like this off so that when schools sign into them (since a number of LAs don't do it on their behalf anymore, of course) then the responsibility of dealing with this is shared with not just the 3rd party but also with the framework creator (e.g. a regional group, DfE, etc).

    My apologies if I wasn't clear enough about those aspects in my original reply. As always, if a school is concerned about their responsibilities then they should gain formal legal advice (i.e. all my advice is given with no acceptance of liability!)

  3. #18

    witch's Avatar
    Originally posted by ToyHeartsFan:
        Oh and just to be pedantic if the names included their title i.e. Miss, Ms or Mrs you would be releasing two bits of information i.e. their marital status as well as their name...

    Not pedantic enough! Ms does NOT convey marital status - that is the whole point of it...
    Ms Witch..

  4. #19

    Originally posted by witch:
        Not pedantic enough! Ms does NOT convey marital status - that is the whole point of it...
        Ms Witch..

    "Ms. derived from the female English title for all women, Mistress"

    Does that mean it's Mistress Witch?

  5. #20

    GrumbleDook's Avatar
    Originally posted by ToyHeartsFan:
        "Ms. derived from the female English title for all women, Mistress"

        Does that mean it's Mistress Witch?

    And not forgetting those staff who choose to remain with their pre-marital name for professional reasons also keeping 'Miss' too.

  6. #21
    Drummer_Boy's Avatar
    I have to say I am heartened that the DPA talk I gave at last year's conference has been remembered!! I am lined up for the same opening slot this year as well. After that I'll be opening for Bon Jovi (in my dreams).

    This is one of those lovely grey areas that solicitors will take lots of money off people to argue both ways!!

    First things first, your duty of care to the information. If this were me, and I was unsure, I would treat the information as sensitive, until proved otherwise. So, firstly, I would ensure that the target organisation is registered with the ICO (easy enough to do online).

    If they're not, don't send the info, just tell them to get registered (as it's a legal requirement if they hold personal data, and are a business).

    If they are registered, I would consider this data use pertinent to the individual's job role, and so be happy to send it. I would encrypt in transmission though. I would also ask (nicely) about the target company's data protection training, and access to the data.

    Data comes under the DPA if a living individual can be identified. I would think that knowing someone is a teacher at school 'X' and their name would be enough. In transit though, if it's only a list of names, it may not fall under the act. I would still treat the data as if it is though.

    Short answer - yes the data may be covered, and treat it as though it is, but this sounds like a proper use for the data, so you would be OK using it for this purpose.

    I hope to see a lot of you at the conference - come over and say 'Hi'.

  7. #22

    sparkeh's Avatar
    Thanks for everyone's input.
    I checked the company's ICO registration, quizzed them on their DP procedures, encrypted the document and sent it.

    *deep sigh of relief*

  8. #23


    Originally posted by Drummer_Boy:
        Data comes under the DPA if a living individual can be identified. I would think that knowing someone is a teacher at school 'X' and their name would be enough.

    Some people can be (uniquely) identified JUST by their name.

  9. #24

    sparkeh's Avatar
    Originally posted by pcstru:
        Some people can be (uniquely) identified JUST by their name.

    Luckily Cher, Shakira or Madonna don't work for us
