UK Data Protection
ael at star.le.ac.uk
Fri Nov 7 01:06:33 PST 2003
This is certainly interesting - thanks for the post, Norman. Applies more
to AstroGrid as we'll be setting up a community registry with personal
details. We'll have opt-in/out facility but will need to make sure we
comply with all the rules.
On Thu, 6 Nov 2003 16:46:53 +0000 (GMT), "Norman Gray"
<norman at astro.gla.ac.uk> said:
> At the registry plenary in Strasbourg, there was a question of whether,
> and to what extent, the personal information in the registry would be
> constrained by data protection legislation. Prompted by Nic's visit
> here to give a seminar, I had a chat with a colleague in the archives
> department who's fairly authoritative on these matters. Here is a
> summary (I wondered if I ought to put this in the Registry part of the
> IVOA wiki, but couldn't find an obvious place).
> The information here concerns the UK Data Protection Act (DPA), but it
> seems that other European legislation will be consistent with this, since
> the DPA is merely the UK's implementation of an EC Directive of 1995.
> The underlying goal is apparently to frustrate commercial sharing of
> personal information, now that personal information has significant
> commercial value. This means that a network like the VO is not the
> sort of data holder that the Act is aiming to regulate.
> The good news is that there probably isn't a big problem. The
> regulations are extremely bureaucratic in detail, but simple in
> outline, and basically common-sense. There are eight principles
> outlined, and if you follow these, it seems you can't really get into
> The Act is concerned with _personal_ data only, connected only with
> living individuals. It distinguishes sensitive data from other data,
> and this seems to be anything (ethnic origin, sexuality, criminal
> convictions, income) which would result in a loss of privacy if made
> public. My impression is that nothing the IVOA wants to store comes
> under that heading. Sensitive data has more regulations controlling it.
> There is a Data Protection Registrar, with whom data holders must
> register, giving a basic statement of what data holdings they have,
> and what they intend to use them for. Alternatively, the data holders
> can simply make a declaration to their own institution's nominated
> Data Protection Officer. This seems to be essentially a formality,
> since there's apparently little need for this to be aggressively audited.
> The `principles' are, again, common sense. Data should only be stored
> if the data subject has given consent or if the data storage is in
> `legitimate interests pursued by the data controller' (whatever that
> means); you mustn't process data for other than the declared reasons
> (no creep); the storage should be relevant, accurate, individuals can
> correct it, and it should be stored securely.
> The eighth principle might be a theoretical problem: `Personal data
> shall not be transferred to a country or territory outside the European
> Economic Area unless that country or territory ensures an adequate
> level of protection'. In particular, this excludes the US. I get the
> impression that this wouldn't prohibit responding to a registry query from
> the US to a registry server in the EEA, but it possibly would prohibit
> a mirroring of a database from the EEA to the US. Not that anyone would
> care in this case -- I cannot believe it would ever be an issue.
> I have some more details available if anyone wants (or can stand) them.
> All the best,
> Norman Gray
> Physics and Astronomy, University of Glasgow, UK
> norman at astro.gla.ac.uk
Tony Linde
AstroGrid Project Manager
Dept of Physics & Astronomy
University of Leicester
Leicester, UK LE1 7RH
Phone: +44 (0)116 223 1292
Fax: +44 (0)116 252 3311
Mobile: +44 (0)7753 603356
Email: ael at star.le.ac.uk
Web: http://www.astrogrid.org