Document Sample
Intranets Powered By Docstoc
					Recent Legislation and the Intranet

An intranet, according to our own definition, is
       'a private network that allows an organisation to share information internally. Information on an
       intranet should be managed, navigable, authoritative, up-to-date and coherent and available to
       those who need it when they need it'.
Four recent Acts of Parliament have implications for the way in which a University handles the information it
maintains, and how it may distribute it via an intranet:
      The Data Protection Act
      The Human Rights Act
      The Regulation of Investigatory Powers Act
      The Freedom of Information Act

For a variety reasons, the Data Protection Act of 1984 did not make a great deal of impact on HEIs. For one
thing, it only covered 'automatically processed information', and most university records in those days were of
the manual variety. Since that date, however, the amount of information gathered and stored about any one
individual has grown enormously – people are nowadays documented from the cradle to the grave by way of
medical, tax, education, employment, financial etc records. This paper, however, is not concerned with the
nature of the data a university may hold, but with how that data should be managed.

The DP Act 1998 sets out the requirements for the handling of personal data, the primary requirement being that
data must be treated fairly as well as legally.    There is no right to privacy spelled out in the Act, but it is clear
that the Information Commissioner and, to some extent the Courts, are of the view that privacy is an important
issue. Therefore, if we are to gather and disseminate data about individuals, that data must be treated with due
care, bearing in mind that the Act is not about protecting the data per se, but about providing protection for the
individual about whom the data is held.

The Act makes it clear that any information gathered should be gathered for a specific purpose, that that purpose
should be made clear to the data subjects, and that the data may not be used for any other purpose. The third
and fourth Data Protection principles say, moreover, that the data must be 'adequate, relevant and not excessive'
as well as being accurate. In other words, the simple fact that electronic information is readily available does not
mean that it can therefore be treated casually or sloppily. Nor can it be gathered and held because it might be
useful some day, or simply because the software allows it.

The Act requires that personal data should not be kept longer than is necessary. This means that a policy
should be in place for the disposal of the data once it has reached the end of its life – there can be no hanging on
to data simply because it is easier to do so than to throw it away. The data must also be treated with regard to
the data subject's rights, such as the right to have inaccurate data amended. A data subject has the right to

request access to any data held about him within the University systems – consequently, the University must
make provision to ensure that that data is retrievable from its systems.

Principle 7 deals with security of the data. In February/March of 2000 research 1 carried out by the [then]
Office of the Data Protection Commissioner revealed that:
         24% of businesses allow all staff to access all stored personal data.
         The definition of proper security when holding records is not clear (98% of companies thought that a
          password on computers was adequate security).
The Act states that
        'Appropriate technical and organisational measures shall be taken against unauthorised or unlawful
        processing of personal data and against accidental loss or destruction of, or damage to, personal
A data subject may apply to the Courts for compensation if he has suffered damage from such a loss. The Act
puts HE institutions under an obligation to have in place policies, procedures and technologies to maintain the
security of all personal data from collection to destruction. This covers not only the storage, but also the
transmission, of personal data. Among other things, institutions will have to consider whether email is an
appropriate method for the transfer of data – the JISC Data Protection Code of Practice recommends that
sensitive personal data2 should be encrypted before transmission. Institutions may also have to consider
whether sensitive personal data ought to be stored in encrypted form, be it on a desktop PC or in central
systems. There must be proper access policies and controls to ensure that data is not open to unauthorised
access. Backup systems for personal data must also be in place and data should be archived in an appropriate
form so that any migration to new systems does not make the data inaccessible to data subject access requests.

Cross-border data flow [Principle 8] has caused a certain amount of agonising in the HE community, since it
proscribes sending data to countries outwith the EEA [European Economic Area] which do not have what the
EU defines as 'adequate' data protection provision. [The USA is currently included in this category.] By its
nature, publishing on the Web sends data beyond the EEA. An institution could argue that employee data such
as a contact email address could be published on the Web [since this could be defined as 'necessary for the
purposes of legitimate interests pursued by the Data Controller' (ie the institution) which is permissible use of
personal data]. Publishing students' email addresses on the web, however, would not be a necessity for the

  Available under Annual Reports/2000 - Documents mentioned within the report/ at
  The Act distinguishes between 'personal data' and 'sensitive personal data'. Sensitive data is any data which
consists of information as to:-
a) the racial or ethnic origin of the data subject,
b) their political opinions,
c) their religious beliefs or other beliefs of a similar nature,
d) whether they are a member of a trade union,
e) their physical or mental health or condition,
f) their sexual life,
g) the commission or alleged commission by them of any offence, or
h) any proceedings for any offence committed or alleged to have been committed by them, the disposal of such
proceedings or the sentence of any court in such proceedings.

normal functioning and management of the institution, and that sort of information ought to be confined to the

I have said above that the Information Commissioner sees privacy as an important issue. In order to comply
with various other pieces of UK legislation, however, universities require the ability to monitor the data held on
computers within the institution as well as any data entering, leaving or being circulated. For instance, the
Telecommunications Act (1984) makes it illegal to communicate any information of an indecent, obscene or
menacing character by a public telecommunications system. A university must, there fore ensure that
institutional voice and data systems, i.e. telephones and networks, are operated in accordance with the
provisions of this act.    The Regulation of Investigatory Powers Act 2000 & Lawful Business Practice
Regulations permit an employer and/or organisation to intercept communications on their internal networks
without consent for purposes such as recording evidence of transactions, monitoring received communications
to determine whether they are business or personal communications, ensuring regulatory compliance, detecting
crime or unauthorised use, and ensuring the operation of their telecoms systems. The RIP Act says that an
institution does not need to gain consent before intercepting for these purposes, although it does need to inform
staff and students that such interceptions may take place.

The Information Commissioner would prefer that monitoring should take place in a more restricted manner. In
the Draft Code of Practice [October 2000] she states:
            There is no Data Protection provision that requires an employer to allow employees to use the
            employer’s telephone system, e-mail system or internet access for personal communications.
            Data Protection issues arise in relation to the monitoring that might be used to enforce any
            rules. It would be wrong to suppose that these issues arise only in relation to personal
            communications. Monitoring of business communications might also intrude on an
            employee’s privacy or autonomy to the extent that personal data are processed unfairly. For
            example, employees might well want to impart personal information by telephone or e-mail
            for business reasons which they only want to be revealed to the intended recipients, such as,
            personal reasons for asking for a meeting to be postponed. They may also have legitimate
            concerns about constraints on their autonomy at work. The extent to which these are justified
            may depend on the nature of the work but routine monitoring of the content of all
            communications sent and received at work is in many cases likely to go too far.
The Information Commissioner has promised to clarify contradictions between regulations on e-mail monitoring
and the draft Code of Practice in the final version, but has also said that, although she will simplify the Code,
she will not dilute the guidance. The final version of the Code will be out at the end of the year.

The Commissioner's view is reinforced by the Human Rights Act, put in place to 'give further effect to rights
and freedoms guaranteed under the European Convention on Human Rights'. Article 8 of the Convention states
        Everyone has the right to respect for his private and family life, his home and his correspondence.

Furthermore, the requirements of the Human Rights Act and the European Convention on Human Rights take
precedence over other legislation.
       The Act requires that all legislation, so far as it is possible to do so, be read and given effect in a
       way which is compatible with the Convention rights. . . . . Where there are two possible
       interpretations of a provision - one which is compatible with the Convention rights and one which
       is not - the one which is compatible is the interpretation to be adopted. A court or tribunal must
       strive to find a compatible meaning. The fact that a court may have interpreted an Act or a
       statutory instrument in a certain way before does not mean that after the coming into force of the
       Human Rights Act, it will interpret the provision in that same way.

Whilst on the one hand the RIP Act and the Lawful Business Practice Regulations describe the conditions under
which monitoring may take place legally, the DP Act, on the other, demands fairness as well as legality -
moreover, the right to privacy is protected by the Human Rights Act. In short, an institution may be acting in
conformity with one Act and at the same time be in breach of another.

In the meanwhile, the Office of the Information Commissioner has also taken on responsibility for the operation
of the Freedom of Information Act. While it may seem that the two concepts – Data Protection and Freedom of
Information – may overlap, there is potential for conflict where the data requested under FoI relates to someone
other than the enquirer. In that case, the institution will have to strike a balance between the enquirer's right to
know, and the data subject's right to privacy.

The FoI act gives a general right of access to recorded information held across the public sector [the proposed
Scottish FoI Bill specifically includes HE institutions] subject to certain conditions and exemptions.
Universities will have to be in a position to provide that information. As the Lord Chancellor's Code of
Practice points out:
         Any freedom of information bill is only as good as the quality of the records to which it
         provides access. Such rights are of little use if reliable records are not created in the first
         place, if they cannot be found when needed or if the arrangements for their eventual archiving
         or destruction are inadequate.

In short, consideration of all of the above pieces of legislation must lead to the conclusion that HEIs must think
carefully about how information is dealt with in their institutions. The requirements for security, access
controls, accuracy, availability and coherency require not only technical solutions but, just as importantly,
policy decisions. It is no longer sufficient to permit information to flow [or not] as circumstances allow, or to
let it sit unattended in a file system somewhere – there is a pressing need for universities to begin to actively
manage the information they keep.

Alison Aiton
Scottish Middleware Project, July 2001

  Guidance - The Human Rights Act 1998, Guidance for Departments [Home Office publication, available at]

Auditing, Communication and the Law
Codes of Practice under the Freedom of Information Act
Data Protection Act 1998
European Convention on Human Rights
Freedom of Information Act
Home Office Human Rights Unit
Human Rights Act
Human Rights guidelines
JISC Data Protection Code of Practice for the HE and FE sectors, Version 2.0
Lancaster University Data Protection Project
Regulation of Investigatory Powers Act
Response of the Data Protection Commissioner to the Government's Regulations of Investigatory Powers Bill
RIP Lawful Business Practice Regulations
Scottish Executive Freedom of Information pages


Shared By: