Data Protection Use Cases

Data Protection Use Cases

Data Protection Research Exemptions

Note that some exemptions are granted for the use of personal data for research purposes. However, and importantly, the majority of the Data Protection Principles still need to be adhered to when processing data. Those responsible for the research project should carry out an ethical review of the project prior to commencement to ensure that all obligations in relation to Data Protection are and will be complied with. Data Protection practices and processes should also be monitored regularly during the currency of the project to ensure that all requirements are being adhered to. Those responsible for the project should ensure that clear procedures are available for those who believe that their personal data might have been compromised and/or processing of their personal data has caused them significant damage or distress.

1. The operators of a social networking space established to research and study interactions between users of the site with a view to developing the optimum environment for learning, want to keep records of the users of the site. Howver they are unsure as to what constitutes personal data within the meaning of the Data Protection Act.

Personal data within the meaning of the Data Protection Act is data from which a living individual can be identified. Even if an individual is not immediately recognisable from a piece of datum, he/she may become identifiable by combining data in the possession of the data controller or which may come into the possession of the data controller. The key is as to whether the individual can be identified. Examples whether singly or collectively might include pictures, email addresses, telephone numbers, place of work.

1. The operators of the social networking space also want to take photographs of the subjects using the site. Can they do this?

For the Data Protection Act whether the operators could process the photographs would depend on whether the data (the photograph) was personal data within the meaning of the Data Protection Act – see 1 above. Note also that by combining data the individual may well become identifiable even if he/she was not from the photograph. Note that a ruling of the European Court of Human Rights in January 2009 held that the taking of a photograph without consent – whether or not it is subsequently published – is a violation of the right to privacy guaranteed by Article 8 of the European Convention on Human Rights. So in all cases permission should be sought to take photographs whether or not they will subsequently be published on the site.

1. The owners of the social networking site have asked a local firm help them store and sort through the data collected on the site. They have heard the terms ‘data controller’ and ‘data processor’ but are unsure how these relates to their project and what obligations there might be under the act for the processor and controller of data.

Under the Data Protection Act the Data Controller is the person ‘who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed’. The Data Processor is the person who processes the data on behalf of the Data Controller. So here the Data Processor will be the owners of the social networking site (or their employers – for instance the HEI) as they will be the ones who determine the processing of the data. The Act places the legal obligations regarding processing (that it be in accordance with the processing principles) on the Data Controller. So it would be essential for the owners of the site (or their employers) to have a contract with the Data Controller detailing the manner in which the processing should be carried out.

1. The data gathered by the owners of the social networking site are likely to contain information on the participants’ religious beliefs. Are there any special provisions that need to be taken into account under the Data Protection Act?

The Data Protection Act classes information about an individual’s religious beliefs as Sensitive Personal Data. (Sensitive personal data also encompasses personal data relating to racial or ethnic origin, political opinions, membership of trade union organisations, physical or mental health, sexual life, offences or alleged offences). If sensitive personal data is to be processed additional obligations are placed on the Data Controller. The subject needs to give explicit consent to the processing of the information meaning that some kind of affirmative action may be required, such as written consent or clicking on an ‘I agree’ button on a webpage. Then the data have to be processed in line with the obligations in Schedule 2 and 3 of the Act requiring additional care to be taken of the data.

For general information on Data Protection in further education see generally and for more detail

For information on personal data see ICO, Data Protection Technical Guidance: Determining what is personal data (21/08/07) -

1

6 March 2009

© HEFCE, 2009. Version 1.0

The contents of this paper are for information purposes and guidance only. They do not constitute legal advice