Академический Документы
Профессиональный Документы
Культура Документы
Tony Brett
Head of IT Support Staff Services
Computing Services
University of Oxford
England
tony.brett@oucs.ox.ac.uk
Disclaimer
I am not a lawyer!
Views I give do not constitute formal legal
advice
Views expressed are my own and not
necessarily those of the University of
Oxford
The University of Oxford
Oldest University in the
English-speaking world
9 centuries of history
39 self-governing Colleges
Student population over 18,000 with more
than 130 nationalities represented
10,500 Staff (3,500 in colleges)
Part of the Russell Group (like the Ivy
League)
Steeped in tradition and quirk!
The University of Oxford
Federal University!
Colleges are separate legal entities
Separate Governance and Finance
Serious implications for both DPA and FOI
Colleges and University have a symbiotic
relationship
Colleges admit undergraduates
University admits graduates
But they need a college!
Colleges provide 1-1 or 1-2 tutorials
University provides lectures, practicals etc.
University awards degrees
Me!
In Oxford since 1989
Chemistry Degree and then IT!
Institute of Molecular Medicine
Corpus Christi College
Computing Services
Serve on Oxford City Council as licensing
chair and local councillor
Particular interest in data privacy since
time at Corpus Christi as Data Protection
officer
Overview 1
General overview of the DPA 1998
Definitions
Changes since 1984 Act
Sensitive Personal Data & Consent
The eight principles
Transitional Relief
Implications for Colleges and Departments
Things to keep in mind
Freedom of Information Act 2000 (FOI)
Who it affects
Public Rights: open records
Publication Schemes
Exemptions
Key Points
Overview 2
Regulation of Investigatory Powers (RIPA)
Interception of Communications in the UK
Human Rights Act 1998
Definitions
Implications
My view
Resources
Questions
What is the Data Protection Act?
Intended to balance interests of data
subjects with data controllers
Freedom to process data vs. privacy of
individuals
1984 act was repealed by the 1998 Act
24 October 1998
1 March 2000
Definitions
Personal Data
Expression of opinion, or fact, E-mail address,
photos, video footage etc. etc.
Some types are sensitive (a special new
category).
Processing
Reviewing, holding, sorting, deleting
Data Controller
all of us! Users of data
Relevant Filing System
Readily accessible information about living
individuals
Information Commissioner
New name for Data Protection Registrar
Changes Since the 1984 Act
Much broader than the old Act
More rights for data subjects
Covers relevant manual filing systems
No more practical obscurity
New category of data sensitive data.
Transitional relief 23 October 2001, for
existing automated data and 23 October 2007
for manual records
Processing must have been in effect before 24
October 1998
Rules about export of data to non-EEA
countries
Some effects on Colleges and
Departments
Data subjects are students, staff, alumni,
suppliers (sole traders or partnerships),
tenants, legal advisers, fellows etc
Not people acting in a capacity
Anyone can be a data controller
Dead people have no rights
Overseas transfers of data notably to U.S.
Requirement to ensure data is secure,
accurate, sufficient but not excessive
Cant hold data longer than is reasonable
Principles of the Act 1
Non-sensitive personal data must be
processed fairly and lawfully and shall not be
processed unless one of the below is met
(schedule 2).
Consent the most important
Contract
Legal obligation
Vital interests of subject (life or death!)
Public functions
Balance of interest
Sensitive personal data 1
Racial or ethnic origin
Political opinions
Religious/similar beliefs (note food!)
Trade Union membership
Health
Sexual life
Offences, Cautions, Convictions
Sensitive personal data 2
May only be held if one of the below is
met:
Explicit and informed consent
Employment Law
Vital Interests of Subject
Legal Proceedings
Medical Purposes (by medical professionals)
Equal opportunities monitoring
Consent
Freely given specific and informed
indication of wishes by which the data
subject signifies agreement to personal
data relating to him/her being processed.
Cant use implied consent must get
forms back
Cant use blanket consent as condition of
entry
Fair processing
Must not intentionally or otherwise deceive or
mislead subject as to purpose of data
use/collection
Must identify to subject data
controller/nominated representative
Must identify to subject purpose of processing
data
Exceptions are disproportionate effort (direct
marketing not allowed) or legal obligation
Principles of the Act 2
Data must be obtained only for one or
more specified lawful purposes
Must not use data for a new incompatible
purpose without subjects consent
Have a data protection statement explaining
what data will be held and why and get
consent from new students/staff as they arrive
Old members data is a grey area for Colleges
Principles of the Act 3 & 4
Personal data must be adequate, relevant
and not excessive
Must not stock up on data without a reason
that can be justified consent!
Personal data shall be accurate and up-to-
date
This is an ongoing requirement and means
data needs to be kept under constant review.
Principles of the Act 5
Contact
data.protection@admin.ox.ac.uk for
* Check that the information does not contain any reference to advice
individuals, other than that which is already publicly available
FOI & DPA - Key Points
Dont panic!
Need to be seen to be aware of both FOI and
DPA and working within them but the
Information Comissioner will always try to help
before getting heavy
Have a publication scheme and publish it!
Little case law many grey areas, but we dont
want to be the test case!
Dont write down anything you wouldnt say to
someones face
Avoid holding sensitive personal data if you can
Colleges need to act additionally to Central
University
Regulation of Investigatory Powers
Exists to ensure that surveillance activities
are in line with the Human Rights act 1998
Includes:
monitoring, observing or listening to persons,
their movements, conversations, activities or
communications
recording anything monitored, observed or
listened to in the course of surveillance
surveillance by or with the assistance of a
surveillance device
RIPA
Updates UK law on the interception of
communications in line with technological
change including huge Internet growth
Puts other intrusive investigative techniques on
a statutory footing
Provides new powers to help combat the threat
posed by rising criminal use of strong encryption
Ensures that there is independent judicial
oversight of the powers in the Act
RIPA - Definitions
Directed Surveillance
Covert but not intrusive
Intrusive Surveillance
Using a person or a device (bug) at a
premises or in a private vehicle
Generally unlawful to use intrusive
surveillance without a warrant
RIPA covers all forms of communication
and their interception
RIPA - Implications
Interception warrants
Government can make your ISP snoop on you
and can insist it does not tell you
Mass surveillance is possible if the
Secretary of State deems it necessary
ISPs can be forced to install interception
technology on their systems
Government has the power to demand
encryption keys
This compromises all encrypted data you
might hold or have sent/received
RIPA My view
At face value the Act appears to improve
personal privacy
BUT the large number of situations in
which interception IS allowed actually
make it a reduction of privacy
Much controversy in the UK
But good has been done the Police used
evidence gathered under RIPA powers to
convict Ian Huntley (Soham murders)
Resources
http://www.ox.ac.uk/
http://www.ox.ac.uk/oucs/
http://users.ox.ac.uk/~tony/dpa-foi-ripa.ppt
http://www.admin.ox.ac.uk/foi/
http://www.russellgroup.ac.uk
http://www.opsi.gov.uk/acts/acts2000/20000023.htm
http://www.opsi.gov.uk/acts/acts2000/20000036.htm
http://www.opsi.gov.uk/acts/acts1998/19980029.htm
http://www.ico.gov.uk/
http://www.export.gov/safeHarbor/
tony.brett@oucs.ox.ac.uk
Thanks to University of Oxford Central Administration for permission to use
diagram about answering queries