UK Academic Community Directory Group Extracts from meeting minutes concerning Data Protection Act Paul Barker Organisation: UCL Document Location: UCL ABSTRACT This document contains extracts from the minutes of the UK Academic Community Directory Group meetings relating to discusions and presentations on the Data Protection Act. November 30, 1989 UK Academic Community Directory Group Extracts from meeting minutes concerning Data Protection Act Paul Barker Organisation: UCL Document Location: UCL 1. Implications of the Data Protection Act This section is taken from the minutes of the meeting on January 31, 1989. The Data Protection Act sets out to control the quantity and quality of data held about individuals by establishing a number of principles covering electronically accessible data. It also provides a mechanism for people to examine data held on them, subject to some restrictions. It is worth noting before trying to understand the Act that it is in fact a Data Registration Act and not a Data Protec- tion Act. There are 8 main principles: 1) Information held must be acquired and held legally in the broader sense. 2) The purposes for holding data must be specified. 3) The data must be used in accordance with the registered purpose. 4) The data held should be adequate and not excessive 5) The data must be accurate and up-to-date. 6) Data must not be held longer than necessary. 7) A data subject is entitled to be informed that there is data held about them and there should be a means to allow a data subject to inspect that data. - 2 - 8) There should be security against unauthorised access or destruction of the data. 1.1. Registration There did not appear to be any prima facie problems caused by trying to register the Directory Service under the Act. As the information which would appear in the directory was almost certainly already held electronically by the various institutions, holding the information was not a problem. There are however a number of issues which depend on the form of an institution's existing registration. 1.1.1. Single or multiple registration Some institutions have several registrations for more specific categories of data. This allows an institution to reduce the amount of data that is revealed if a data subject wishes to inspect the data held on them. As a corollary, it makes it very expensive for a data subject to establish whether the data held on them is accurate or justly held, since a fee must be paid per registration. A sample of 18 institutions revealed that 13 had a single registration and 5 had multiple registrations. However, complying with the Act with respect to Directory Services appears to be neither facilitated nor made more awkward by this aspect of registration. The important detail appears to be details of information disclosure. 1.1.2. Disclosure of information. Specifying who information may be disclosed to is analagous to Directory Service access control. The Act's mechanism is as follows. Each registration consists of one or more Purposes. Exam- ples of purposes might be "Personnel and Academic staff records" or "student academic records". Each Purpose comprises the following categories: - Who the data subjects are; - What data is to be held; - The source of the data; - Who the data may be disclosed to. It is the last of these categories that poses the problem for institutions running Directory Services to stay within the scope of the Act. Since access is intended to be - 3 - worldwide (at least for less sensitive information such as name, phone number and work address), each site will need to register a purpose with category T999 (worldwide access) disclosure. It is likely that most sites will have to regis- ter an additional "Directory Services" purpose to stay within the bounds of the Act. 1.2. Results of survey on what/how information is held 18 sites replied to a a brief questionnaire regarding, inter alia, what data was currently held, how it was stored and how it could be accessed. yes no Telephone directory: held on-line 18 0 host on LAN 7 11 Staff records: held on-line 15 3 easily accessible 0 18 Contact between admin and computer centre: good relationship 17 1 electronic contact 5 13 2. Data Protection Act This section is taken from the minutes of the meeting on Wednesday 19 April, 1989. The meeting was addressed by John Woulds, the Assistant Data Protection Registrar. The following points were made either in the presentation or during the questions and answers ses- sion which followed. He first corrected some apparent misunderstandings. He com- mented on an assertion in the minutes that the Data Protec- tion Act (DPA) was better thought of as a Data Registration Act. This was erroneous inasmuch as there was more to the DPA than merely registering. Compliance was expected as well!! He also noted that principle 1 of the DPA requires that data is held fairly as well as legally. In addition he indicated that a data subject did not always have to pay a fee to inspect data held on him or her. The prime intention of the DPA was not one of imposing res- trictions but rather one of making the holding of data more open. The Act concerned the rights of individuals. The principles of the DPA are couched as absolutes. However - 4 - in practice the Registrar will be more interested to see that the intention of the DPA is being adhered to. The notion of damage done by an inadvertent failure to update the directory to reflect a change of room was slight. However while the Registrar had not tended to use his powers very much in the early life of the Act, there was now a greater willingness to do so if the Act was not complied with. There did not appear to be any inherent problems in regis- tering the holding of the Directory Service data within the terms of the DPA. The following points were made: - It would be useful for the UK Academic Community to produce a model registration. This could then be dis- cussed with the Registrar. - It seems preferable for each institution to have a separate registration for the Directory Service. - Registering for world-wide access should not pose a problem. - The EEC may introduce new rulings which will require amendments to the details of registration. The following aspects of managing the data seem particularly important with respect to the DPA: - Who manages each item of data? If a person is allowed to update certain aspects of their own directory entry, responsibilities must be clearly delineated. - What mechanisms are there for ensuring that the data is kept up-to-date? While failure to maintain the quality of data is a problem in itself, incorrect data also means that the DPA has been breached. The rights of an individual in an organisation to go ex- directory were limited. An individual may surrender some rights to privacy by becoming an employee of an organisa- tion. A suggestion was made that DPA registrations should be stored in the Directory. Yes! - the Registrar's holding of the DPA registrations are registered under the Act. 3. Data Protection Act Model Registration This section is extracted from the minutes of the meeting on 12th July, 1989 - 5 - The model registration (see APPENDIX A) was inadequate as it stood with regard to the section on data disclosure. The registration referred only to "staff and students in educa- tional or research establishments" whereas the registration had to allow disclosure to all. It was suggested that refer- ence to British Telecom's registration for the telephone directory might reveal an acceptable form of wording. It was noted that sites might wish to tailor this registra- tion to suit their own needs. Reading's desire to store "which software a user was entitled to have access to" required data class categories not on the model registra- tion. This section is extracted from the minutes of the meeting on 12th July, 1989 The model registration form presented at the previous meet- ing was felt to be inadequate as it stood with regard to the section on data disclosure. The wording for the sections on both U.K. and worldwide disclosure had been amended, and these amendments had been accepted by John Woulds, the Assistant Data Protection Registrar. It was agreed that it would be useful to circulate a copy of John Would's letter with the proforma registration form. Such a letter would help convince universities' data protec- tion officers of the acceptability of the proforma registra- tion form. The text of the accepted proforma registration form is reproduced in Appendix A. - 6 - APPENDIX A 1. The model registration This was produced by J.M. Hill of Heriot-Watt in consulta- tion with the DPR's office. It is intended as a proforma which may be used by institutions to register for X.500 Directory Services. 1.1. Text of the registration B.1 Purpose: The provision of User Directory Services based on the CCITT X.500 / ISO 9594 standard. Typical activities are: provision and maintenance of national and international directories for the purpose of communication between individuals, both electronically and otherwise; analysis for management purposes and statutory returns. B.2 Data Subjects: S001 Employees, trainees, voluntary workers S013 Advisors, consultants, professional and other experts S030 Students B.2 Data Classes: C001 Personal identifiers [Note: In the future, institutions may wish to include at this point: C052 Qualifications and skills C053 Membership of professional bodies C054 Professional expertise C055 Membership of committees C056 Publications] B.3 Sources and Disclosures: D101 The Data Subjects themselves (source & dis- closure) - 7 - D104 Employers - past, current, prospective (source & disclosure) D106 Colleagues, business associates (disclosure) D206 Suppliers, providers of goods or services (disclosure) D382 Other, see below (disclosure) Disclosure D382: further details: Directory information is publicly accessible throughout the U.K. by means of the Joint Academic Network (JANET) and other networks. B.4 Overseas transfers: T999 worldwide: Directory information is accessible through international networks worldwide.