DPA scenarios, and (possible) resolutions
This is a collection of scenarios which illustrate various puzzles in my/our interpretation of our obligations to the DPA, within Physics and Astronomy. The scenarios here are collected and adapted from various sources, including the academic staff meeting of 2016 June 17.
The scenarios are (currently) in no particular order.
The interpretations under each scenario are phrased by Norman, but have been discussed with the University’s DP office, to get guidance on correct interpretation, and to assemble a repository of such cases.
See also the general data protection notes.
Further suggestions are welcome.
Norman, 2016 June 20–2016 July 26
The scenarios below are quite specific, for the sake of concreteness, but are intended to be broadly representative.
DPA1: demonstrator email
An undergraduate student emails a postgraduate lab demonstrator explaining that their lab report is late because they'd recently come out as gay to their very religious parents, and that they are as a result being medically treated for stress.
This email would be classed as ‘sensitive personal information’ under at least three headings simultaneously. The PG is permitted to hold this data (because the UG sent it to them). The PG is permitted to forward the email to the class head.
If part of the email, not containing sensitive information, had to be (internally) forwarded separately, it would at the very least be good practice (and indeed good manners) to edit down the email when forwarding. But I think it would not be a breach to fail to do so.
However (a) it would be better for the demonstrator to advise the UG to log this information using MyCampus where, presumably, they will give explicit permission for the information to be used (DPA Sch. 3 para. 1); and (b) the demonstrator and class head should be fully aware that this information must be handled carefully.
If the demonstrator (or indeed the class head) loses a laptop with a cache of email, or loses a printed copy of the email, that would count as a data breach.
It is irrelevant whether the laptop belongs to the PG or to the University. The definitions in the DPA (s. 1) say nothing about the ownership of the ‘equipment’, and are concerned almost exclusively with its control, and the identity of the data controller (the University, in this case, and by extension the demonstrator, to the extent that they are an employee of the University). The University would still be the responsible ‘data controller’, even though that email message was sitting on the PG's personal laptop at home, or in a US hotel room.
If for some reason the UG wants the demonstrator to have more specific details than they’re comfortable putting on MyCampus, then (notwithstanding the Sch. 3 para. 4 note above) it would be at least civil if the demonstrator were to ask explicit permission before anything was passed on to the class head.
Note that the information that a student is gay, for example, is protected, not just the data that has that statement written down. Thus the demonstrator can’t, for example, pass this on verbally, even though there’s no data being transferred in that case. Presumably a summary of the situation, which omits, but alludes to, the specifics, would be acceptable in an email to the Class Head.
It does appear that if a student tells a staff member by email that they were ill – for example on an exam day – then the DPA permits that to be passed on by the Sch. 3 para. 4 exception above. Everyone involved should, however, be aware that this information is in principle as ‘sensitive’ as the student’s sexual orientation.
University Email is not the only possible medium – a student might communicate with the demonstrator using a private email address, or through Facebook or another similar social media service. As far as I can tell, this is still a rather unusual route – the PG demonstrators I have talked to suggested that they would not make available their private email addresses, or accept Facebook ‘like’ requests – and this would surely be deemed to be a private communication, with no link to the University. As a private communication, and notwithstanding the fact that the Facebook message is sitting on the same ‘equipment’ as the PG’s university email, the University cannot determine how this information is processed, and therefore is not the data controller; thus the DPA has nothing to say about how this information is managed. The fact that this is a private message means, of course, that the PG would be unable to pass the information on to the class head or anyone else, but it is not the DPA that prohibits that.
In any case, unless the information is to remain entirely private between the two individuals, something will have to be recorded in a University system, and that is sensitive personal data, however it was communicated.
There is a ‘non-profit’ exemption mentioned in DPA Sch. 3 para. 4, which would seem to apply to the University; but I understand that this is probably intended to apply to parish councils or allotment committees, and other very small-scale organisations, and shouldn’t be interpreted as giving the University (as a charity) any extra leeway.
DPA2: email signature
A student corresponds with a member of staff, who notices that they announce themself in their email signature as president of the university LGBT society.
That the student is gay (a reasonable but not necessary implication) is still sensitive personal data, but the email may be freely processed by everyone, on the grounds that the data subject has deliberately made the information public (DPA Sch. 3 para. 5).
However...
Query: is it a reasonable assumption that this makes the information public, even though it’s not guaranteed that that signature would be present on every email that the student sends, or might be present only on email sent within the University? If this information is included in a Moodle post, and thus restricted to members of the University, does that count as ‘public’ for this question? Similarly, one can naturally suppose, independently of this email, that the identity of the officers of the LGBT society is public knowledge, but is that enough to satisfy this paragraph?
Answer: maybe. But the fine details don’t matter: unless the information is clearly public, one’s intuition should be to recognise this as sensitive personal data, and probably therefore at least avoid forwarding this part of the email if that is not notably inconvenient.
DPA3: external examiner
An external examiner has a spreadsheet of student identifiers and marks, along with associated documentation of medical circumstances (the category of sensitive personal data most likely to be handled here).
The external would presumably count as an ‘individual who [has] regular contact with [the university]’, rather than a third party (DPA Sch. 3 para. 4). It may be necessary to remind the external that this is ‘sensitive personal data’ and perhaps point them towards suitable guidance.
The external may be located outside the EEA. But that’s OK, since their activities are necessary for the university’s contract with the students, and in their interests (DPA Sch. 4 para. 3).
If the external loses a laptop with this information, then Glasgow University, which is still the Data Controller, should report the data breach.
DPA4: external email
A staff member uses an email provider other than glasgow.ac.uk (for one of a number of possible reasons – the obvious example is google, but various staff route some of their email through their own domains). The email is hosted in the US, which is outside of the EEA.
I (Norman) don’t know whether this is permitted or not. I suspect it’s not permitted, but it probably depends on just what ‘transfer’ means, and whether storing email on a google server (which has to be presumed to be outside Europe) counts as ‘transferring’ it there.
There is such a thing as ‘safe harbor’, under which certain US companies were able to self-certify that their protection of personal data was compatible with EU requirements, but this was overturned in October 2015, and so at the time of writing this particular issue is unclear.
Note that this email store would be covered by Freedom of Information (FoI) legislation (that is, if a student, for example, were to request all university correspondence concerning them, then this externally managed email would still be covered by that). Managing email in this way makes data-protection people wince, but I don’t believe they’d go as far as to forbid it.
DPA5: writing references
A staff member is asked to write a reference for a student, and send it to an organisation outside the EEA. Such a reference would necessarily include personal data.
This is allowed.
Such a reference would implicitly be at the request of the student (who thus implicitly gives permission for the transfer to be made).
By the way, the student does not have a subsequent right of access to the content of the reference, because the DPA (Sch. 7 para. 1) explicitly excludes references from being requested by data subjects.
Since sensitive personal data can be transferred only with the explicit permission of the student, that could not be included in the reference; but it is hard to see what sort of reference could possibly include such data, so the point is moot.
DPA6: author lists
A staff member has a draft paper on their laptop when it is stolen. This of course includes the names, affiliations and email addresses of their co-authors (which are personal data). Is this a data breach?
The answer is no, most immediately on the general grounds that that would be insane.
But more specifically, and scampering through the DPA Principles (Sch. 1): the data is being processed (the paper written) fairly and lawfully (principle 1); it was ‘gathered’ for a particular purpose (namely the paper) (2); the names and addresses are relevant (3) and hopefully accurate (4); it is necessary that it be associated with the paper permanently (5); since the data will shortly (or at least eventually) become public, the data subjects will be able to see it (6) and no effort need be made (once the paper is published) to avoid ‘losing’ it (7); and (presuming they know about their authorship!) the co-authors will have implicitly consented to their data being processed by their colleague in the usual way, so that any transfer outside the EEA will fall under the Sch. 4 exemptions to Principle 8.
So yes, this is probably OK.
The case where a possibly heavily embargoed draft paper is lost is professionally embarrassing, but not the concern of the DPA.
DPA7: sharing spreadsheets
The exams convener is organising staff cover for the invigilation of students who are in separate rooms for exams, most typically due to a disability of some type. As part of this they distribute a spreadsheet to an ‘all school academic staff’ email list, asking individuals to check their entry, or confirm absence of an entry, on this list. The spreadsheet contains details of some students’ disabilities. Is this reasonable? If not, what is a reasonable alternative action?
The issue is, of course, that students’ disability information, as an aspect of their physical health, is ‘sensitive personal data’.
The best thing to do, in this sort of situation, is probably to prepare a temporary copy of the data with the sensitive information deleted, and share that. In the case of a spreadsheet, this might consist of deleting a column or sheet; in the case of a database report, for example from MyCampus, this would consist of either choosing a different report, or if none is available obliging the MyCampus administrators to provide one without sensitive data.
In this particular case, it would be enough to delete only the column detailing the students’ disabilities.
It might occur to you that the fact that a student is included in such a spreadsheet indirectly discloses that they have a disability of some type. While true, deleting the names completely would hamper the smooth running of the exams – it is useful in practice for a relatively broad range of people to be able to check what non-standard room an examinee is supposed to be in.
If it were feasible, at the time when a student requests some special exam arrangements, to note with them that the fact that they have done so would be shared with selected staff, then that would tick every box in sight.
If redaction is impractical in some particular case, or if an element of over-sharing is somehow unavoidable, then the convener should aim to make the information available in some location less likely than an email to leak. For example, local IT staff might help set up a shared but authorised-only area on Sharepoint or in ownCloud.
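The ‘temporary copy with the sensitive column deleted’ step above is easy to get wrong by hand (the wrong column deleted, or a hidden sheet left in). The following is an added example, not part of the original notes and not any University tool, showing how that redaction can be done mechanically by header name and checked before the copy is sent out. The CSV content, the column name disability_details, and the student identifiers are all constructed for the example.

```python
import csv
import io

# Constructed sample export in the shape described in DPA7: identifier, exam,
# non-standard room, plus a column of disability details. All values invented.
SAMPLE_CSV = """\
student_id,exam,room,disability_details
1234567,PHYS1001,Room 212,dyslexia; extra time 25%
2345678,PHYS1001,Room 214,anxiety disorder; rest breaks
3456789,PHYS2002,Room 212,
"""

# Header names (assumed for this example) that must not reach an all-staff list.
SENSITIVE_COLUMNS = {"disability_details"}


def redact_columns(csv_text, sensitive_columns):
    """Return a copy of the CSV with every sensitive column removed.

    Columns are matched by header name, so the result does not depend on
    column order; values in the kept columns pass through unchanged.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    kept = [h for h in reader.fieldnames if h not in sensitive_columns]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=kept, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow({h: row[h] for h in kept})
    return out.getvalue()


def verify_redacted(csv_text, sensitive_columns):
    """True only if no sensitive header survives in the copy to be shared."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return not any(h in sensitive_columns for h in reader.fieldnames)


def build_shareable_copy():
    """Produce the redacted copy and refuse to return it if the check fails."""
    shared = redact_columns(SAMPLE_CSV, SENSITIVE_COLUMNS)
    if not verify_redacted(shared, SENSITIVE_COLUMNS):
        raise RuntimeError("sensitive column still present; do not distribute")
    return shared


if __name__ == "__main__":
    print(build_shareable_copy())
```

The point of the separate verify step is that the check runs on the file that will actually be attached, not on the author’s intention; as the notes say, the remaining list still discloses indirectly that the named students have some special arrangement, which redaction of the details column does not remove.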
DPA8: BYOD (very variously)
Many staff organise information on their own devices, whether these be phones, personal backup disks, or cloud services. This is unavoidable because (a) as academics they are very used to autonomy in their own working arrangements, and (b) as physicists they are (with greater or lesser warrant, I may say) confident in their ability to manage a range of personal or university-provided IT devices.
An adviser of studies makes a diary entry on their work desktop, ‘Jo Bloggs, 10:00, re depression recurrence’. This diary entry is synced to their phone via Google Calendar. The directory where this is cached on their desktop is included in a routine backup on a portable hard-disk drive which the staff-member carries back and forth to work, where it is synced with a home desktop (where the staff member sometimes works). Has this data been ‘transferred’ to Google Calendar? If the home desktop is stolen during a burglary, is that a data breach?
A possible distinction from the email examples above is that diary entries are generally ‘opaque’ information, in the sense that they are cached by applications or the OS without the direct awareness of the user, as opposed to the more managed data in spreadsheets and emails. Finding this information on a Google cache, or on a backup, would require active trawling on the part of an adversary, as opposed to mere nosiness. Is this distinction relevant to the DPA? Answer: no, probably not.
The question here (it seems to me) is about Principle 7 (Sch. 1) ‘Appropriate technical and organisational measures shall be taken against ... accidental loss [of] personal data.’ Where is the threshold of ‘appropriate’ – does it require avoiding the conveniences and efficiencies of the online calendar service?
It would be prudent in any case for the portable hard disk, and the phone, to be encrypted, and that might be easy enough to do that it would be appropriate to require it, or at least strongly advise the staff member to do this, even though it’s their personal equipment. However if this sort of action isn’t ‘easy’ on a particular platform, then it is probably rather hard for the School IT support to manage.
The key thing is that it is incumbent on everyone involved to be able to show that they have made an effort to secure devices, disks, and calendars, to an extent which is proportional to the risk (in both probability and consequence terms) of disclosure. This comes down to intuition, again: the adviser would automatically think twice about including ‘re depression’ in the diary entry; a staff member who handles materials for disciplinary hearings would automatically worry about the equipment being lost, and get advice on securing it.
The loss of the home desktop would constitute a data breach. The seriousness of the breach would depend on what data was stored, but in either case it should probably be reported to the University DP office.