+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 24
General Chat Thread, Data protection question in General; Ok I am going round in circles on this. Basically a company who is installing our electronic signing in system ...
  1. #1

    sparkeh's Avatar
    Join Date
    May 2007
    Posts
    7,036
    Thank Post
    1,374
    Thanked 1,780 Times in 1,200 Posts
    Blog Entries
    22
    Rep Power
    531

    Data protection question

    Ok I am going round in circles on this.

    Basically a company who is installing our electronic signing in system has requested a list of staff to add to the system before they bring it.
    Is that ok to send?

  2. #2

    powdarrmonkey's Avatar
    Join Date
    Feb 2008
    Location
    Alcester, Warwickshire
    Posts
    4,866
    Thank Post
    412
    Thanked 777 Times in 650 Posts
    Rep Power
    182
    Yes.



    .

  3. Thanks to powdarrmonkey from:

    sparkeh (18th May 2012)

  4. #3

    Join Date
    Sep 2010
    Posts
    228
    Thank Post
    3
    Thanked 36 Times in 33 Posts
    Rep Power
    16
    I was once told by our bursar (she had data protection training) that names were not covered by the data protection act. However I have not checked this or had it confirmed by anyone else.

    If the system stores any other information i.e. DOB, addresses, phone numbes - then no you can't release it without the individuals consent and they will have to wait until the system is on site.

  5. Thanks to ToyHeartsFan from:

    sparkeh (18th May 2012)

  6. #4

    powdarrmonkey's Avatar
    Join Date
    Feb 2008
    Location
    Alcester, Warwickshire
    Posts
    4,866
    Thank Post
    412
    Thanked 777 Times in 650 Posts
    Rep Power
    182
    Quote Originally Posted by ToyHeartsFan View Post
    If the system stores any other information i.e. DOB, addresses, phone numbes - then no you can't release it without the individuals consent and they will have to wait until the system is on site.
    This is incorrect.

  7. #5

    Join Date
    Sep 2010
    Posts
    228
    Thank Post
    3
    Thanked 36 Times in 33 Posts
    Rep Power
    16
    Quote Originally Posted by powdarrmonkey View Post
    This is incorrect.
    The ICO disagree with you

    Data Protection FAQs

    : Can I use personal data for a new purpose or disclose it to a third party?
    It depends. You should explain why you want to use an individual’s personal data at the outset, based on your intentions at the time you collect it. If over time you devise new ways of using that information, perhaps because of changes in technology, you will be able to use their personal data for the new purpose if it is fair to do so.
    As you develop the goods and services you offer, you should think about whether your customers are likely to reasonably expect you to use their personal data to offer them these products. If you are unsure about this, you should explain your intentions and, at the very least, give your existing customers an easy way to opt out. If you intend to make a significant change to what you do with personal data, you will usually need to get your customers’ consent.
    Individuals should generally be able to choose whether or not their personal data is disclosed to another organisation, unless one of the Act’s specific exemptions applies. If you did not make your intention to disclose information to a third party absolutely clear at the outset, at a time when the individual could choose not to proceed, then you will usually need to get the individual’s consent before making such disclosures

  8. #6

    witch's Avatar
    Join Date
    Nov 2005
    Location
    Dorset
    Posts
    11,251
    Thank Post
    1,464
    Thanked 2,526 Times in 1,758 Posts
    Rep Power
    757
    Names are OK as long as they are not attached to any other data such as a photo, or an address etc

  9. Thanks to witch from:

    sparkeh (18th May 2012)

  10. #7

    elsiegee40's Avatar
    Join Date
    Jan 2007
    Location
    Kent
    Posts
    10,049
    Thank Post
    1,861
    Thanked 2,320 Times in 1,711 Posts
    Rep Power
    824
    Quote Originally Posted by witch View Post
    Names are OK as long as they are not attached to any other data such as a photo, or an address etc
    I agree

  11. Thanks to elsiegee40 from:

    sparkeh (18th May 2012)

  12. #8

    glennda's Avatar
    Join Date
    Jun 2009
    Location
    Sussex
    Posts
    7,821
    Thank Post
    272
    Thanked 1,140 Times in 1,036 Posts
    Rep Power
    350
    I think from the conference last year the DPA applies to any two bits of information which could be used to identify somebody. I.e having a full name does not count - as there could be multiple joe bloggs. But having the name Joe Bloggs and the DOB 12/06/2010 means you could pretty much certify its that person. Whereas just having the DOB you couldn't.

  13. #9


    Join Date
    May 2009
    Posts
    3,298
    Thank Post
    291
    Thanked 887 Times in 665 Posts
    Rep Power
    341
    Quote Originally Posted by glennda View Post
    I think from the conference last year the DPA applies to any two bits of information which could be used to identify somebody. I.e having a full name does not count - as there could be multiple joe bloggs. But having the name Joe Bloggs and the DOB 12/06/2010 means you could pretty much certify its that person. Whereas just having the DOB you couldn't.
    This is IMO, wrong. For two reasons. The DPA simply says information that can be used to identify a living individual. If your school sends me a list of names, I already have some information that you might not specifically have sent me, but that you should (must) assume I have. So we are not talking about any Joe Bloggs on planet earth, it is Joe Bloggs who works at X - and that will be enough to identify the majority of people at any school. However, even when dealing with much larger numbers (say many millions) where the vast majority of names might not be unique, there are names out there which are unique (and therefore identify etc). Personally, I wouldn't treat a list of names any different from a list of names + DOB + shoe size.

  14. #10

    GrumbleDook's Avatar
    Join Date
    Jul 2005
    Location
    Gosport, Hampshire
    Posts
    10,001
    Thank Post
    1,360
    Thanked 1,840 Times in 1,141 Posts
    Blog Entries
    19
    Rep Power
    605
    @ToyHeartsFan and @powdarrmonkey
    You are both a little right and wrong.

    Firstly, staff are not customers but employees. As part of their contract of work, you (or your nominated and authorised partners) will process their data on a regular basis and the school's entry in the ICO's Data Protection Public Registrar will cover the data sets, how they are used and who else will make use of them (though specific company names are likely to be held in an annex of your Data Protection policies as well as the Privacy Notice issued to children and parents (formerly called the Fair Processing Notice or FPN).

    If the information is going to be used by the contracted company it makes no difference whether you release it to them prior to coming on site or not as long as you both adhere to the 8 principles ... that means ensuring that information is protected in transit, that it is held securely, that it is only accessed by those authorised to do so and that it will only be used for the specified purpose for which it was collected.

    If they are purely asking for names of the staff (to set up user accounts?) then this is a reasonably amount of IL0 data (i.e. it will have no impact if released to the public domain) and should not be an issue ... partly because it will already be mainly on the public domain in a variety of forms. If other data is included (e.g. staff identifiers which are uniquely used by the school) then you have to make an assessment about whether there is additional impact but the uniqueness of user details could better be resolved over a phone call.

    If you assess that the risk of *any* data being released incorrectly and misused is increased by the data being held in an off-site location. which you do not trust or cannot adequately assess, then yes, insist that the work is completed whilst the kit is on-site. As part of the contract of works to be completed with the company they should also be agreeing to abide by both your Data Protection policies and you understand theirs.

    Also remember that when you share data you are not devolving responsibility for it ... you are *sharing* responsibility for it.
    Last edited by GrumbleDook; 18th May 2012 at 12:44 AM.

  15. Thanks to GrumbleDook from:

    sparkeh (18th May 2012)

  16. #11

    Join Date
    Dec 2006
    Location
    Hertfordshire
    Posts
    81
    Thank Post
    0
    Thanked 5 Times in 4 Posts
    Rep Power
    16
    Do you have a staff list on your website?

    If so just point the installer to your website and then they are obtaining information available in the public domain.

    As most schools and businesses have a staff list/directory available online this would assume that providing a list of names only is acceptable.

  17. #12

    glennda's Avatar
    Join Date
    Jun 2009
    Location
    Sussex
    Posts
    7,821
    Thank Post
    272
    Thanked 1,140 Times in 1,036 Posts
    Rep Power
    350
    Quote Originally Posted by pcstru View Post
    This is IMO, wrong. For two reasons. The DPA simply says information that can be used to identify a living individual. If your school sends me a list of names, I already have some information that you might not specifically have sent me, but that you should (must) assume I have. So we are not talking about any Joe Bloggs on planet earth, it is Joe Bloggs who works at X - and that will be enough to identify the majority of people at any school. However, even when dealing with much larger numbers (say many millions) where the vast majority of names might not be unique, there are names out there which are unique (and therefore identify etc). Personally, I wouldn't treat a list of names any different from a list of names + DOB + shoe size.
    I didn't think about the school name, but what I mean is if somebody left a print out of a spreadsheet with a list of names on (and no other information such as school name etc) then it would not be covered under the DPA, as the majority of that information is available in the big wide world.

  18. #13


    Join Date
    May 2009
    Posts
    3,298
    Thank Post
    291
    Thanked 887 Times in 665 Posts
    Rep Power
    341
    Quote Originally Posted by glennda View Post
    I didn't think about the school name, but what I mean is if somebody left a print out of a spreadsheet with a list of names on (and no other information such as school name etc) then it would not be covered under the DPA, as the majority of that information is available in the big wide world.
    I don't believe 'Majority' would cut it. We have a duty to data subjects as individuals and pleading that most of the information was OK won't protect you from the single line of information that is not. I'm not even sure you can argue that your duty is absolved if the 'information' is 'public domain'. First, "the information" consists of the entire list - which if it is the names of people working at your establishment in alphabetical order of surname, is likely to be entirely unique to your establishment (so unless you have previous breaches is unlikely to be public domain). Second, even if information is already in the 'public domain', you do not know if that is because it was intentionally put there by the individual or it was put there perhaps by another data breach. And none of that will affect your registration (the stated reasons why you hold data on a subject), nor is there a get out clause in treatment of an individuals data "well, hey, everyone knew that" - at least not that I am aware of.

    Just to (try to!) be clear, I'm not saying that the data cannot be sent, just that a list of names without any other information is not a special case and should be treated as you would treat any request for personal data. You might share it with suppliers because your registration allows you to do that as part of conducting the business of the organisation, but you should not assume that a list of names is somehow exempt from DP.

  19. #14

    glennda's Avatar
    Join Date
    Jun 2009
    Location
    Sussex
    Posts
    7,821
    Thank Post
    272
    Thanked 1,140 Times in 1,036 Posts
    Rep Power
    350
    Everybody's name is in the public domain if they are born in the UK, all i have to do is walk into a public records office and look, the bit that then makes it unique is if you have a second piece of information such as DOB is there as you can then find the exact record needed.

    Yes an entire list of names is probably unique to your establisment but if there is nothing to bring it back to your company/school, for example if that list was lost in scotland and the school was in cornwall your not going to be able to trace the list back easily.

  20. #15

    sparkeh's Avatar
    Join Date
    May 2007
    Posts
    7,036
    Thank Post
    1,374
    Thanked 1,780 Times in 1,200 Posts
    Blog Entries
    22
    Rep Power
    531
    Cool thanks everyone for pitching in; not straight forward this DP lark :S



SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Data Protection Question
    By Wildebeaste in forum How do you do....it?
    Replies: 10
    Last Post: 10th February 2009, 09:31 AM
  2. Backups - Data Protection Manager
    By fooby in forum How do you do....it?
    Replies: 4
    Last Post: 14th December 2006, 11:45 AM
  3. Data Protection Act And Root/Administrators Passwords.
    By tickmike in forum General Chat
    Replies: 4
    Last Post: 11th September 2006, 04:35 PM
  4. Data Protection Act - re: Remote Access
    By mark in forum School ICT Policies
    Replies: 18
    Last Post: 26th September 2005, 08:19 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •