A happy new year to you all, and welcome to the January 2012 JISC Legal Monthly Newsletter (No 78). This month's news includes items on Facebook, and reviews of the FOI laws as well as early warning of a forthcoming change to EU laws on data protection.
Law Watch items this month include items on the cost to public authorities of FOI, as well as further information on the forthcoming legislative changes on cookies.
Cookies and Google Analytics
The countdown clock creeps closer to May 2012, when the ‘lead in’ period for the cookies regulations will end, and the Information Commissioner may start taking enforcement action against those not in compliance. This poses questions for those using tracking cookies, such as those placed by Google Analytics. The ICO’s guidance currently states that it is highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action, and this is likely to include Google Analytics cookies. Instead, enforcement will focus on ensuring the compliance of those who are using cookies to track a user across multiple sites and/or recognise a user when they return to a website. Currently this leaves some ambiguity, with the use of Google Analytics without prior explicit consent likely to be non-compliant, but not the focus of enforcement. At the least, you should ensure that information about the use of website cookies at your college or university is clear and prominent. Further details are available from the JISC Legal FAQ: What Does the New "Cookie" Legislation Require us to do?
JISC Legal continues to offer great value expert in-house training on FOI, copyright, data protection and e-safety to colleges and universities. If your institution is looking for relevant sector specific expertise in these significant areas then our on-site staff development packages are for you. Find out the details of JISC Legal Plus at http://www.jisclegal.ac.uk/training/jisc-legal-plus.aspx.
Irish Data Commissioner Publishes Facebook Report
The Office of the Irish Data Protection Commissioner this week published its report of an audit of Facebook Ireland Ltd. The audit, commissioned to investigate how Facebook Ireland implements the basic principles of Irish and EU data protection laws, made recommendations for improvements in how data is handled by the social network. Facebook users outside of the US and Canada, including staff and students at UK colleges and universities using Facebook as a teaching and learning tool, have a contractual relationship with Facebook Ireland, which acts as data controller in respect of their personal data. Fuller details of the recommendations can be found by reading the full news item. For more information on the legal implications of using social networks in education, see the JISC Legal publication Facing up to Facebook: A Guide for FE and HE.
Is FOI Working? Evidence Required
The House of Commons Justice Select Committee has called for written evidence to help in its scrutiny of the Freedom of Information Act 2000. This provides colleges and universities with the opportunity to provide evidence of their own experiences with the legislation. The deadline for submission is 3 February 2012 and details on submission requirements are available from the website of the UK Parliament Commons Select Committee.
Is FOI Too Costly for Public Authorities?
The UK Government has put its view of how the Freedom of Information Act 2000 is working to the UK Parliament Justice Select Committee who will assess whether further scrutiny of the law is needed. One area of interest to Colleges and Universities and highlighted in the report conclusions is the cost of compliance and the limits placed on how this is calculated, in particular in relation to significant costs in dealing with a small number of complex requests. However it is also recognised this is a balancing act between transparency and the regulatory burden it places on public authorities. The full report is available on the Ministry of Justice website at http://www.justice.gov.uk/publications/policy/moj/post-legislative-scrutiny-foi.htm
Clarification of Law on Information Held in Private Emails
The Information Commissioner’s Office (ICO) has today published new guidance making it clear that information concerning official business held in private email accounts is subject to the Freedom of Information Act. The new guidance has two key aims – first, to give public authorities an authoritative steer on the factors that should be considered before deciding whether a search of private email accounts is necessary when responding to a request under the Act. Second, to set out the procedures that should generally be in place to respond to requests. The document can be accessed on the ICO website.
Digital Marketing Complaints On the Increase
The Advertising Standards Authority (ASA) recently reported a marked increase in complaints about digital marketing communications, following a change to their remit in this regard earlier this year. In the seven months between March and September 2011, they received 5,531 complaints, covering online marketing on non-paid for space such as social media as well as material on organisations' own websites. Particularly with the new fees regime in England, colleges and universities must be careful to ensure that all their online material is clear, accurate and coordinated to avoid complaints about incorrect or misleading information. Further information on this story is available on the ASA website.
Changes to UK's Copyright Laws Proposed
A consultation has been announced on proposals to change copyright law removing unnecessary barriers to growth. The UK Government seeks views on its proposals to widen copyright exceptions with a view to modernising and opening them up to the maximum degree (within European Union (EU) law). This includes allowing limited private copying, widening the exception for non-commercial research, widening the exception for library archiving and introducing an exception for parody and pastiche. Views are sought from copyright owners, those who may be affected by changes to specific exceptions, such as educational establishments, research institutions, libraries and archives, and people with disabilities. The consultation will close on 21 March 2012. Further details of the consultation are available on the IPO website.
Updated Guidance by the ICO on Cookies
New guidance has been issued by the ICO on how the rules apply for those operating websites and using cookies. The 27-page guidance indicates that implementing the regulations is likely to require considerable work in the short term but compliance will get significantly easier with time. The guidance also states that it would be highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. The more directly the setting of a cookie relates to the user’s personal information, the more care has to be exercised in getting consent. It includes practical advice for those trying to comply and deals with tricky issues including employees' choices with regard to cookies. A series of questions are answered as part of the guidance. The document can be accessed on the ICO website. JISC Legal has prepared an FAQ on the new cookies law. The FAQ is entitled “What Does the New "Cookie" Legislation Require us to do? - How will new changes to the law affect Internet Cookies and how do we comply with such change?”
Explicit Consent to be a Requirement in New Data Protection Law
A draft version of the new EU General Data Protection Regulation is apparently already in circulation ahead of the expected publication date of the end of January 2012. Of interest to colleges and universities is the report that this currently includes a new definition of consent to processing which involves the requirement for consent to be explicit. It is currently proposed that the new legislation will be a Regulation, which means it will be directly applicable in UK law, unlike the current Data Protection Directive, which is implemented in EU states by further national legislation (The Data Protection Act 1998 in the case of the UK). JISC Legal will provide further information once the official draft regulation is available; in the meantime, further details of the leaked draft are available from the Bird & Bird website.
Record Fine for Child Protection Breach
A council has been fined £130,000 for sending details of a child protection case to the wrong recipient. This is the highest fine yet imposed by the ICO and reflects the seriousness of the breach as well as the fact that previous recommendations had not been complied with following a similar incident in June 2010. The ICO enforcement notice served refers to mandatory training of all staff dealing with personal data and is a legal requirement. Institutions are reminded to comply with undertakings in all aspects, and to ensure relevant staff receive adequate and appropriate data protection training. More information on the incident and the enforcement notice can be found on the ICO website.
Phishing for Student Bank Details
Hundreds of students on government loans have been sent phishing emails requesting personal banking details. Withdrawals of between £1,000 and £5,000 were taken from the accounts of those who were deceived into supplying the information. The e-crime unit of the Metropolitan Police investigated incidents alongside the banking industry, the Student Loans Company and internet service providers. Individuals have now been arrested on suspicion of conspiracy to defraud, the Computer Misuse Act and money laundering services. Staff in FE and HE may find this news story useful to raise awareness and remind students to be particularly vigilant when supplying personal information or financial details over the internet.
Personal Opinions Online Subject to the DPA
The Information Commissioner is required to consider what is acceptable for one individual to say about another because the First Data Protection Principle requires that data should be processed lawfully. This is the view expressed in the High Court decision of The Law Society & Ors v Kordowski EWHC 3185 (QB) (07 December 2011). Strictly, even where private individuals are expressing their own views, the "domestic purposes" exemption in the Data Protection Act (DPA) (s.36) will not always apply and the First Data Protection Principle can require that the data is processed lawfully, something which should attract the regulation of the Information Commissioner. This has implications for those hosting and publishing blogs and other online forums because previously such processing of personal data was considered by the Information Commissioner to be exempt. The full text of the judgment is available on the BAILII website.
BIS Publishes Innovation and Research Strategy for Growth
The Department for Business, Innovation & Skills today published its Innovation and Research Strategy for Growth. The report recognises the importance of universities, research councils and businesses to the UK's future competitiveness and outlines how government will support research and innovation through increased collaboration and investment. Further information about the Strategy and the economic analysis behind it can be viewed on the BIS website. For further information on External Engagement refer to JISC Legal's guidance.
Is Your College Data Protection Notification Up to Date?
An organisation has recently been prosecuted for failing to notify the ICO that it processed personal data. Failure to notify is a criminal offence under the Data Protection Act 1998 and the successful prosecution in this case led to a conditional discharge and £614 to be paid towards the prosecutor’s costs. Although it is unlikely that colleges and universities have failed to notify the ICO, it may be worth checking that your notification is up to date and reflects the activities taking place. The news story is available on the ICO website together with links to the register of data controllers. JISC Legal also provides free guidance for colleges and universities on Data Protection.
Actual Knowledge and Defamation
The High Court has ruled that search giant Google does not have to pay damages for defamation suffered by a UK intelligence adviser via a blogging platform which Google owns. The court held that there was no evidence to suggest that Google knew that the comments posted were unlawful. It was argued that Google was in fact liable for defamation because it did not delete the comments; however, whilst the court said that it was 'arguable' that Google was a publisher of the defamatory statements, there was no evidence to show that it definitely knew that the material was unlawful. This case highlights to colleges and universities that actual knowledge of the comments posted on their websites will be considered where an action for defamation arises. Further, the significance of a notice and take down procedure should also be realised. More details on this news story and access to the ruling can be accessed from the Out-Law website. More detail on Defamation is available from the JISC Legal website.
New Guidance for Using Medical Recordings in Teaching
New advice and guidance on making and using clinical healthcare recordings funded by the Strategic Content Alliance for learning and teaching launches today. Clinical images, videos and other recordings are a vital tool in teaching and learning within the health care professions. Furthermore, these resources can often originate outside the institution that wishes to use them. This raises a number of legal, ethical and other issues relating to their re-use. Some of the legal issues that occur for HE and FE institutions seeking to re-use such resources may include copyright and data protection. You can explore the issues that professionals face when using recordings and how the new guidance can help at: http://www.jisc.ac.uk/news/stories/2011/12/podcast129debrahiom.aspx Further, you can read the advice and guidance at: http://jiscdigitalmedia.ac.uk/clinical-recordings
Finally, for more information on the Use of Child Images and OERs, please visit the JISC Legal website.
Further Detail on Open Data Measures Published
The Cabinet Office recently published this resource in order to encourage effective use of public sector data. There are various provisions within the document including measures to provide on-line access to personal data for NHS patients and to encourage data linking services to support enterprise and innovation which is particularly relevant for institutions involved in research and innovation. Further, in education Government will encourage greater value, choice, competition and innovation in the data and learning platform markets by publishing a new procurement arrangement for schools. The report can be accessed from the Cabinet Office website.
Data Breach Charges for Facebook Contact
A cleaner at Edinburgh Royal Infirmary who allegedly contacted a female patient on Facebook has been charged with breach of data protection. Following an investigation NHS Lothian said that the patient's medical records were not accessed and that the patient's name was obtained from an electronic floor plan at the hospital. The incident reinforces the importance of ensuring that staff and students, in particular medical students who may have access to sensitive personal data during work placements within hospitals, are aware of their data protection obligations. For further information on when a data protection breach can be a criminal offence refer to the ICO's FAQ. For more information on data protection please refer to JISC Legal's guidance.