UK Data Protection
Norman Gray
norman at astro.gla.ac.uk
Thu Nov 6 08:46:53 PST 2003
Greetings,
At the registry plenary in Strasbourg, there was a question of whether,
and to what extent, the personal information in the registry would be
constrained by data protection legislation. Prompted by Nic's visit
here to give a seminar, I had a chat with a colleague in the archives
department who's fairly authoritative on these matters. Here is a
summary (I wondered if I ought to put this in the Registry part of the
IVOA wiki, but couldn't find an obvious place).
The information here concerns the UK Data Protection Act (DPA), but it
seems that other European legislation will be consistent with this, since
the DPA is merely the UK's implementation of an EC Directive of 1995.
The underlying goal is apparently to frustrate commercial sharing of
personal information, now that personal information has significant
commercial value. This means that a network like the VO is not the
sort of data holder that the Act is aiming to regulate.
The good news is that there probably isn't a big problem. The
regulations are extremely bureaucratic in detail, but simple in
outline, and basically common-sense. There are eight principles
outlined, and if you follow these, it seems you can't really get into
trouble.
The Act is concerned with _personal_ data only, connected only with
living individuals. It distinguishes sensitive data from other data,
and this seems to be anything (ethnic origin, sexuality, criminal
convictions, income) which would result in a loss of privacy if made
public. My impression is that nothing the IVOA wants to store comes
under that heading. Sensitive data has more regulations controlling it.
There is a Data Protection Registrar, with whom data holders must
register, giving a basic statement of what data holdings they have,
and what they intend to use them for. Alternatively, the data holders
can simply make a declaration to their own institution's nominated
Data Protection Officer. This seems to be essentially a formality,
since there's apparently little need for this to be aggressively audited.
The `principles' are, again, common sense. Data should only be stored
if the data subject has given consent or if the data storage is in
`legitimate interests pursued by the data controller' (whatever that
means); you mustn't process data for other than the declared reasons
(no creep); the storage should be relevant, accurate, individuals can
correct it, and it should be stored securely.
The eighth principle might be a theoretical problem: `Personal data
shall not be transferred to a country or territory outside the European
Economic Area unless that country or territory ensures an adequate
level of protection'. In particular, this excludes the US. I get the
impression that this wouldn't prohibit responding to a registry query from
the US to a registry server in the EEA, but it possibly would prohibit
a mirroring of a database from the EEA to the US. Not that anyone would
care in this case -- I cannot believe it would ever be an issue.
I have some more details available if anyone wants (or can stand) them.
All the best,
Norman
--
---------------------------------------------------------------------------
Norman Gray http://www.astro.gla.ac.uk/users/norman/
Physics and Astronomy, University of Glasgow, UK norman at astro.gla.ac.uk