UK Data Protection

Tony Linde ael at star.le.ac.uk
Fri Nov 7 01:06:33 PST 2003


This is certainly interesting - thanks for the post, Norman. Applies more
to AstroGrid as we'll be setting up a community registry with personal
details. We'll have an opt-in/out facility but will need to make sure we
comply with all the rules.

Cheers,
Tony.

On Thu, 6 Nov 2003 16:46:53 +0000 (GMT), "Norman Gray"
<norman at astro.gla.ac.uk> said:
> 
> Greetings,
> 
> At the registry plenary in Strasbourg, there was a question of whether,
> and to what extent, the personal information in the registry would be
> constrained by data protection legislation.  Prompted by Nic's visit
> here to give a seminar, I had a chat with a colleague in the archives
> department who's fairly authoritative on these matters.  Here is a
> summary (I wondered if I ought to put this in the Registry part of the
> IVOA wiki, but couldn't find an obvious place).
> 
> 
> 
> 
> The information here concerns the UK Data Protection Act (DPA), but it
> seems that other European legislation will be consistent with this, since
> the DPA is merely the UK's implementation of an EC Directive of 1995.
> The underlying goal is apparently to frustrate commercial sharing of
> personal information, now that personal information has significant
> commercial value.  This means that a network like the VO is not the
> sort of data holder that the Act is aiming to regulate.
> 
> The good news is that there probably isn't a big problem.  The
> regulations are extremely bureaucratic in detail, but simple in
> outline, and basically common-sense.  There are eight principles
> outlined, and if you follow these, it seems you can't really get into
> trouble.
> 
> The Act is concerned with _personal_ data only, connected only with
> living individuals.  It distinguishes sensitive data from other data,
> and this seems to be anything (ethnic origin, sexuality, criminal
> convictions, income) which would result in a loss of privacy if made
> public.  My impression is that nothing the IVOA wants to store comes
> under that heading.  Sensitive data has more regulations controlling it.
> 
> There is a Data Protection Registrar, with whom data holders must
> register, giving a basic statement of what data holdings they have,
> and what they intend to use them for.  Alternatively, the data holders
> can simply make a declaration to their own institution's nominated
> Data Protection Officer.  This seems to be essentially a formality,
> since there's apparently little need for this to be aggressively audited.
> 
> The `principles' are, again, common sense.  Data should only be stored
> if the data subject has given consent or if the data storage is in
> `legitimate interests pursued by the data controller' (whatever that
> means); you mustn't process data for other than the declared reasons
> (no creep); the storage should be relevant, accurate, individuals can
> correct it, and it should be stored securely.
> 
> The eighth principle might be a theoretical problem: `Personal data
> shall not be transferred to a country or territory outside the European
> Economic Area unless that country or territory ensures an adequate
> level of protection'.  In particular, this excludes the US.  I get the
> impression that this wouldn't prohibit responding to a registry query
> from the US to a registry server in the EEA, but it possibly would prohibit
> a mirroring of a database from the EEA to the US.  Not that anyone would
> care in this case -- I cannot believe it would ever be an issue.
> 
> I have some more details available if anyone wants (or can stand) them.
> 
> 
> 
> 
> All the best,
> 
> Norman
> 
> 
> -- 
> ---------------------------------------------------------------------------
> Norman Gray                       
> http://www.astro.gla.ac.uk/users/norman/
> Physics and Astronomy, University of Glasgow, UK    
> norman at astro.gla.ac.uk
> 
> 
__
Tony Linde                       Phone:  +44 (0)116 223 1292
AstroGrid Project Manager        Fax:    +44 (0)116 252 3311
Dept of Physics & Astronomy      Mobile: +44 (0)7753 603356
University of Leicester          Email:  ael at star.le.ac.uk
Leicester, UK   LE1 7RH          Web:    http://www.astrogrid.org


