Ok I am going round in circles on this.
Basically a company who is installing our electronic signing in system has requested a list of staff to add to the system before they bring it.
Is that ok to send?
I was once told by our bursar (she had data protection training) that names were not covered by the data protection act. However I have not checked this or had it confirmed by anyone else.
If the system stores any other information, i.e. DOB, addresses, phone numbers - then no, you can't release it without the individual's consent and they will have to wait until the system is on site.
Data Protection FAQs: Can I use personal data for a new purpose or disclose it to a third party?
It depends. You should explain why you want to use an individual’s personal data at the outset, based on your intentions at the time you collect it. If over time you devise new ways of using that information, perhaps because of changes in technology, you will be able to use their personal data for the new purpose if it is fair to do so.
As you develop the goods and services you offer, you should think about whether your customers are likely to reasonably expect you to use their personal data to offer them these products. If you are unsure about this, you should explain your intentions and, at the very least, give your existing customers an easy way to opt out. If you intend to make a significant change to what you do with personal data, you will usually need to get your customers’ consent.
Individuals should generally be able to choose whether or not their personal data is disclosed to another organisation, unless one of the Act’s specific exemptions applies. If you did not make your intention to disclose information to a third party absolutely clear at the outset, at a time when the individual could choose not to proceed, then you will usually need to get the individual’s consent before making such disclosures.
Names are OK as long as they are not attached to any other data such as a photo, or an address etc
I think from the conference last year the DPA applies to any two bits of information which could be used to identify somebody. I.e. having a full name does not count - as there could be multiple Joe Bloggs. But having the name Joe Bloggs and the DOB 12/06/2010 means you could pretty much certify it's that person. Whereas just having the DOB you couldn't.
@ToyHeartsFan and @powdarrmonkey
You are both a little right and wrong.
Firstly, staff are not customers but employees. As part of their contract of work, you (or your nominated and authorised partners) will process their data on a regular basis and the school's entry in the ICO's Data Protection Public Registrar will cover the data sets, how they are used and who else will make use of them (though specific company names are likely to be held in an annex of your Data Protection policies as well as the Privacy Notice issued to children and parents (formerly called the Fair Processing Notice or FPN)).
If the information is going to be used by the contracted company it makes no difference whether you release it to them prior to coming on site or not as long as you both adhere to the 8 principles ... that means ensuring that information is protected in transit, that it is held securely, that it is only accessed by those authorised to do so and that it will only be used for the specified purpose for which it was collected.
If they are purely asking for names of the staff (to set up user accounts?) then this is a reasonable amount of IL0 data (i.e. it will have no impact if released to the public domain) and should not be an issue ... partly because it will already be mainly in the public domain in a variety of forms. If other data is included (e.g. staff identifiers which are uniquely used by the school) then you have to make an assessment about whether there is additional impact but the uniqueness of user details could better be resolved over a phone call.
If you assess that the risk of *any* data being released incorrectly and misused is increased by the data being held in an off-site location which you do not trust or cannot adequately assess, then yes, insist that the work is completed whilst the kit is on-site. As part of the contract of works to be completed with the company they should also be agreeing to abide by both your Data Protection policies and you understand theirs.
Also remember that when you share data you are not devolving responsibility for it ... you are *sharing* responsibility for it.
Last edited by GrumbleDook; 18th May 2012 at 12:44 AM.
Do you have a staff list on your website?
If so just point the installer to your website and then they are obtaining information available in the public domain.
As most schools and businesses have a staff list/directory available online this would assume that providing a list of names only is acceptable.
Just to (try to!) be clear, I'm not saying that the data cannot be sent, just that a list of names without any other information is not a special case and should be treated as you would treat any request for personal data. You might share it with suppliers because your registration allows you to do that as part of conducting the business of the organisation, but you should not assume that a list of names is somehow exempt from DP.
Everybody's name is in the public domain if they are born in the UK, all I have to do is walk into a public records office and look, the bit that then makes it unique is if you have a second piece of information such as DOB is there as you can then find the exact record needed.
Yes, an entire list of names is probably unique to your establishment but if there is nothing to bring it back to your company/school, for example if that list was lost in Scotland and the school was in Cornwall, you're not going to be able to trace the list back easily.
Cool thanks everyone for pitching in; not straight forward this DP lark :S