This report is also available as an Acrobat file.

Contents
LEGAL ISSUES RELATING TO THE DEVELOPMENT AND USE OF WORLD WIDE WEB TECHNOLOGY AT EDUCATIONAL SITES

Data Protection

One of the most attractive aspects of the WWW is the relative ease with which even users with limited on-line experience can access and download data. The challenge of providing them with information which is actually worth browsing and downloading has been taken up enthusiastically in many quarters, not least by academic institutions, who increasingly see having an official webserver containing information about their courses, staff, and other attractions, as an important part of their public relations package. At the other end of the scale, the more proficient webpage providers are developing ever more sophisticated methods of collecting data from individuals browsing their output. At the simplest level this data collection may simply involve asking people accessing a page or set of pages to "sign the visitors' book" by leaving their name, institution, and possibly an e-mail address. More complex operations, using web servers that support more secure encryption methods may go further, offering goods for sale, and accepting names, addresses and credit card numbers via the "forms" mechanism offered by some browsers(102).

Praiseworthy as all these efforts are, there is a danger that in the enthusiasm to place information on the WWW, or to run viable business operations via webservers, the law relating to data protection is either pushed to the back of people's priorities, or entirely overlooked. In modern society, the collection of data about individuals has become of increasing importance, as our ability to sort it into meaningful patterns with the aid of computers has developed. The ability to profile individuals via records such as electoral rolls, credit records, use of store loyalty cards, magazine subscriptions, and the like has become a lucrative industry. More often than not we do not know who holds information on us, to whom they may have passed it, and the purposes to which it is being used(103). The data protection laws go some way towards redressing that balance by creating a set of rules by which data processors should operate, and which give individuals some limited powers to ensure that at the very least the information that others hold on them in electronic form is accurate. It is widely acknowledged that the existing UK Data Protection Act 1984 (hereafter the DPA 1984) is a less than perfect solution to the problems that exist, and it will be interesting to see if the recent adoption of a somewhat more rigorous regime by the European Community in its Directive on Data Protection(104) will have any greater effect when finally implemented into UK law.

A brief overview of the Data Protection Act 1984

What is personal data ?

The DPA 1984 first defines data as "information recorded in a form in which it can be processed by equipment which operates automatically, in response to instructions given for that purpose.(105)" Data therefore includes information processed by a computer, or information processed by mechanical means. Thus the Act applies to automatically processed information, but not to manually held information, which is contained in files or other paper records.

The Act then proceeds to define personal data as being data which consists of information which relates to a living individual (the data subject (106) ), who can be identified from that information by itself, or when it is coupled with other information held by the person holding that data(107) (the data user(108) ). Such data would include any expression of opinion about the individual. This definition clearly excludes both individuals who are deceased, and legal entities such as companies, universities and charities.

Some kinds of data which would appear to fall within the above definition are specifically exempted from the regime prescribed by the Act. Such data does not need to be registered, and the individual concerned will not have any right of access to the information.

Table 4:Data which is exempt from the provisions of the Data Protection Act 1984

Information required for the purpose of safeguarding national security (Article 27)
Information held for payroll, pensions, and accounts purposes, under certain circumstances. (Article 32)
Personal data held only for domestic or recreational purposes (Article 33)
Information relating to unincorporated members clubs, which relates only to members of the club who have been asked whether they object to the personal data being held for such a purpose and have not objected (Article 33)
Mailing lists consisting only of names, addresses, and other details required for distribution, where the data subjects have been asked whether they object to the personal data being held for such a purpose and have not objected. (Article 33)
Information that the law requires to be made public. (Article 34)

What obligations does the Act impose ?

Individuals who hold personal data, defined as 'data users' in the Act, are obliged to register with the Data Protection Registrar(109) , and to use the data that they hold in accordance with what are known as the Data Protection Principles(110). Failure to register as a data user when holding personal data is an offence(111). Once a person has an entry on the register, it is also an offence for a person to:

hold personal data of any description other than that specified in their entry.
hold any data, or use any data held, for a purpose other than the purposes described in their entry.
obtain data, or information to be contained in the data to be held, from any source which is not described in their entry
disclose the data held to any person who is not described in their entry
directly or indirectly transfer data held to any country or territory outside the UK other than those named or described in their entry(112).

However, at present, the take-up rate for registration is estimated to be less than 50% of those required to do so, and given the current under-resourcing of the Data Protection Registrar's office, the likelihood of an action for minor non-compliance with the Act remains limited.

Table 5: The Eight Data Protection Principles

The information to be contained in personal data shall be obtained, and personal data shall be processed, fairly and lawfully.
Personal data shall be held only for one or more specified and lawful purposes
Personal data held for any purpose shall not be used or disclosed in a manner which is incompatible with that purpose or those purposes.
Personal data held for any purpose or purposes must be adequate, relevant and not excessive in relation to that purpose or purposes.
Personal data shall be accurate and, where necessary, kept up to date.
Personal data held for any purpose must not be kept for longer than is necessary for that purpose or those purposes.
An individual shall be entitled, at reasonable intervals, and without undue delay or expense, to be informed by any data user whether he holds personal data of which that individual is the subject, and; the individual is also entitled to have access to any such data held by a data user and; where appropriate, to have such data corrected or erased.
Appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, personal data and against accidental loss or destruction of personal data.

What rights does the Act give to individuals

The Act provides that individuals have the right to find out whether a data user has personal data recorded on computer which relates to them, and that they have the right to be provided with a copy of that information in a form which is intelligible to them(113). These rights are subject to a number of provisos including that:

the request must be in writing, and the data user may charge a limited fee for the service(114).
the data user must be provided with sufficient information for him to be satisfied as to the identity of the person making the request(115).
if the information requested results in the disclosure of information relating to another individual who can be identified from that information, the data users must be satisfied that that other individual consents to its disclosure. However, the data user cannot withhold all the information if such a third party disclosure can be avoided simply by the removal of names or other identifying particulars(116),

The data subject also has the right to challenge the accuracy of the information and, if necessary, obtain a court order for:

the rectification or erasure of inaccurate data, and any other data or expressions of opinion which appear to the court to be based on the inaccurate data(117).
the right to enter onto the record a supplemental statement of the true facts relating to the matters dealt with by the data(118).

In limited circumstances, a data subject may claim compensation for damage suffered as a result of inaccuracies in the data, loss or destruction of the data, or its unauthorised disclosure(119).

Personal Data on Webservers

With regard to the current situation, if an institution has webpages which:

contain personal data which is linked to specific and identifiable individuals, or
contain data which cannot by itself be used to identify an individual, but when allied with other information held by the institution, does permit such identification

it would be wise for the person responsible for those webpages, or the webserver, to check the provisions of the DPA 1984 with regard to whether or not it is necessary to be registered with the Data Protection Registrar. It is unclear from the wording of the DPA 1984 as to whether the additional information which may be used to link an individual to otherwise anonymous data on a computer must itself be held in a form in which it can be processed automatically e.g. on another computer. The important thing to ascertain is not just that an institution is registered to hold certain types of personal data, but also that the particular personal data which is to be placed on the webpage is permitted to be used in that manner under the terms of the registration.

A particular question with regard to the WWW lies in the obligations on registered data users not to "disclose the data held to any person who is not described in their entry" or "directly or indirectly transfer data held to any country or territory outside the UK other than those named or described in their entry."

With regard to the latter issue, the DPA 1984 does not define what is meant by 'transfer', but it would seem entirely possible to argue that the process by which data is passed on demand from a webserver, to the RAM or harddisk cache of a machine being used to browse that webserver, goes further than mere 'disclosure'. If it is accepted that this is 'transfer', it would seem to follow that if personal data is held on an open access webserver, i.e. a webserver that is not in some way domain restricted, there would appear to be no way for the owner of that webserver to avoid the transfer of that personal data to any individual with full Internet access in any number of countries outside the UK.

Thus, when one looks at both those obligations, it is difficult to see how a open access webpage containing personal data could successfully stay within the letter of the law, unless it were possible to have entries in the register of "all other web users", and "the world" respectively. Such a solution would, however, seem to be so wide-ranging as to render the DPA 1984 meaningless. It is therefore interesting to speculate for example whether educational institutions that have placed details (such as name, work address, telephone number, e-mail address, academic interests and publications) of all their members on-line, either on the X500 database or the WWW, are actually adhering strictly to the letter of their registration.

As far as those UK sites which actively collect personal data are concerned, they would seem to fall into a grey area of the law, with the significant factor being what is done with the personal data collected. If an individual has a personal webpage with an embedded form being used as a 'visitors' book', their intention being to simply collect names, e-mail addresses, occupations and comments of visitors to the webpage for their own personal edification, it would seem that while they are obviously holding personal data, this would appear to fall under the recreation exemption. On the other hand if an institution collects the same personal data, it appears that the holding of that personal data would require registration, and at the time that it was obtained, the data subject would have to be informed both that it is being collected, and any purpose to which it might be put. This would be particularly relevant if the institution intended to use the personal data in a study(120), or to sell it on to an interested third party.

A final thought concerns the use of search engines, webcrawlers and the like on the WWW and data retrieval mechanisms in other on-line resources. Given the ability to carry out searches on the names of individuals i.e. John Major, it may be possible for a person to download and then process information from one or more on-line sources which would qualify as personal data for the purposes of the DPA 1984. At that point that person would become a data user, and should register as such - however, as the volume of accessible electronic data increases, it remains to be seen just how feasible the requirement of registration becomes in such circumstances, given the present difficulty of getting larger data users to register correctly, or indeed at all.

102 e.g. Hot Hot Hot which specialises in hot sauces.

103 See for various examples, Branscomb, A.W. Who Owns Information ? From Privacy to Public Access (Harper Collins/Basic Books 1994).

104 OJ 1992 C311/04 (adopted 24 July 1995). This should result in new UK legislation around 1998.

105 S1(2).

106 S1(4)

107 S1(3).

108 S1(5)

109 S5 (1).

110 See Schedule 1, DPA 1988

111 S5 (5).

112 S5 (2)(a) - (e), S5 (5)

113 S21 (1).

114 S21 (2)

115 S21 (4).

116 Ibid.

117 S24 (1).

118 S24 (2)

119 S23 (1). There are also criminal sanctions for procuring disclosure of, and selling, computer-held personal information - s161 Criminal Justice and Public Order Act 1994.

120 Subject to certain exemptions in Schedule 1, Art. 7, DPA 1984

Contents

Graphics Multimedia Virtual Environments Visualisation Contents