Welcome to the March 2012 JISC Legal Monthly Newsletter (No 80). This month's news includes items on Facebook, Equality Challenge Unit survey results and mobile apps privacy protection.
Law Watch: Proposed New Rules on Data Protection Unveiled. The new proposals aim to update and harmonise the current EU data protection regime including strengthening individuals’ rights.
JISC Legal Plus continues to offer great value expert in-house training on FOI, copyright, data protection and e-safety to colleges and universities. If your institution is looking for relevant sector-specific expertise in these significant areas then our on-site staff development packages are for you. Find out the details of JISC Legal Plus at http://jiscleg.al/JISCLegalPlus
Final EHRC Guidance on Equality Duty Now Available
The Equality and Human Rights Commission have now published their latest guidance in the series of guidance documents relating to the Public Sector Equality Duty. These are The Essential Guide to the Public Sector Equality Duty and Meeting the Equality Duty in Policy and Decision Making and are now available from the EHRC website. There are a total of five guides to help colleges and universities in England meet their obligations with regard to both the general and specific equality duties and guidance is also available for Wales. The final guidance for Scotland is not yet available as the revised draft regulations relating to the specific duties have not yet been put to the Scottish Parliament following the consultation in 2011.
Equality Challenge Unit Inclusivity Survey
The Equality Challenge Unit would like to hear from disability practitioners, equality and diversity practitioners or indeed HR staff about the steps that their institutions take in order to overcome disabling barriers staff and students may encounter when required to access and make use of services. The survey closes on the 21 March, 2012. The results of the survey will enable the ECU to develop materials to support and encourage staff to make positive changes for disabled people. If you would like to take part then please visit the ECU website. If you would like more details on Accessibility and the Law then please refer to our website: http://jiscleg.al/AccessibilityLaw
JISC infoNet Publishes IL&M Survey Results
The latest Information Legislation and Management survey results published by JISC infoNet highlight the impact that the Data Protection Act, Freedom of Information Act and Environmental Information Regulations have had on the sector. Further, the use of specialist statistical software to capture, analyse and present the data make it easier than before to view the data results. The results of the survey will be of particular interest to compliance staff working within the FE or HE sector. For access to the survey, please refer to the JISC infoNet website at: http://www.jiscinfonet.ac.uk/foi-survey/2011.
If you would like information on DP or FOI in general then please refer to the JISC Legal website.
Agreed Support not Provided for Student with Dyslexia
A former student of Lancaster University claims that, despite reassurance that transcripts would be provided of his exam submissions, his papers were not transcribed and, as a result, were not awarded the appropriate grade. Poor handwriting meant that his papers were difficult to read so Mr Vidler asked that transcriptions be made. The university consented but not all staff were made aware of the agreement. Indeed, one member of staff disputed any need for transcription and attributed his request to 'anxiety about his exam performance'. The university apologised but argues that its failure to transcribe made no difference to the degree awarded and did not disadvantage the former student. The Times Higher Education article will be of interest to all FE and HE institutions in meeting their legal obligations under the Equality Act 2010.
Image Guide for Facebook
An alleged report containing rules for Facebook staff on when to remove flagged photos has been leaked. The decision to remove certain images has not always been accepted as reasonable by users and there has been confusion as to what is acceptable on the site. The leaked 'guide' has specific details on images that should be removed, once flagged by users. Facebook claim that all serious reports will continue to be dealt with in-house, although third party contractors may moderate content in order to manage the millions of reports FB receives on a daily basis. The BBC article reminds institutions of the potential issues of using FB where robust policies on acceptable use of social networking for staff and learners are not in place. Any suspect content will still have to be flagged to FB in order to have it removed.
Mobile Apps to Have Increased Privacy Protection
Mobile apps will have to disclose how a user’s personal data will be used before users download them according to new rules agreed by six of the world’s top technology companies including Apple, Google and Microsoft. A commitment to improved privacy measures applicable to developers creating apps for download on the leading platforms can only be good news for users. Where colleges and universities are involved in engaging third parties to develop mobile apps for their institution or requiring staff or learners to use external mobile apps for education how these providers handle the user’s personal data will be one factor to consider in assessing whether use of a particular mobile app will comply with the institution’s obligations under data protection law. The story is available on the guardian website.
The privacy issues involved in the use of mobile devices including mobile apps in colleges and universities will be addressed in JISC Legal’s Mobile Technologies and the Law Webcast on 14 March 2012, 2pm - 4pm.
Research Data FOI Exemption Rejected
UUK claimed that to disclose research data prior to publication would discourage data from being collected. This argument was rejected by the government because ‘adequate protection already exists’ according to Home Office minister, Lord Henley. Currently, FOI legislation already exempts from release information intended for future publication and information that would be likely to prejudice commercial interests. The proposed exemption was not necessary but rather offered an alternative protection, according to Lord Henley. This article highlights challenges being faced within institutional research departments on the disclosure of raw research data following previous ICO decisions against the University of East Anglia and University of Belfast. For more information on FOI, please refer to the guidance on JISC Legal’s website -http://jiscleg.al/FOI.
Publishers Hit Back at Copyright Reform
Currently the Government is considering changes to copyright through consultation, following the recommendations made in the Hargreaves report. The chief executive of the Publishers Association, Richard Mollet, claims that the ‘digital copyright exchange’, as recommended by Hargreaves, facilitates licensing, respects IP and drives economic growth. Rights holders feel that widening copyright, including the exceptions, will only weaken copyright protection. The Government is in favour of such a new licensing database and the proposed DCE is being assessed presently. The Out-Law article illustrates the differing views on copyright reform and will be of interest to FE and HE staff working in this area.
General Filtering Not Required for Social Networks
The EU Court of Justice this week held in Case C-360/10 Belgische Vereniging van Auteurs, Componisten en Uitgevers CVBA (SABAM) v Netlog BV that the owner of an online social network cannot be obliged to install a general filtering system, covering all its users, in order to prevent the unlawful use of musical and audio-visual work. The judgement clarifies for institutions the extent of any obligation to monitor. For further information JISC Legal has guidance on Interception and Monitoring of Communications at http://jiscleg.al/InterceptionandMonitoring
The ECJ’s press release can be found here and full text of the judgement is available here.
Email Disclosure Results in Data Breach Fine
The ICO imposed an £80,000 fine on a council in England for failing to take appropriate measures to ensure the security and appropriateness of disclosure when emailing personal information. The data breach occurred when a council employee used her personal email account instead of the council’s secure system to notify the local voluntary sector co-ordinator of a police force’s concerns about an individual working in the area. The email, which did not contain any clear advice on how it was to be treated, was subsequently sent to 180 unintended recipients. The ICO also found that the council had failed to provide the employee involved with adequate data protection training. This incident highlights the importance to FE and HE institutions of having in place robust systems to ensure that information is appropriately managed and carefully disclosed and of making certain that all data protection guidance is actively communicated to staff and attendance of relevant mandatory training is effectively monitored. For the full story view the ICO website.
ICO Strikes Again
Highly sensitive information relating to the care of a child sex abuse victim was stolen from a bag in a pub and information on the welfare of a child was disclosed to the wrong recipient. As a result, two councils had to pay fines amounting to £180,000 taking the total amount imposed by the ICO to over one million pounds for serious breaches of the DPA. The Head of Enforcement, Stephen Eckersley, concluded that appropriate security measures and training had not been in place to safeguard this particularly sensitive information. Even where guidance was in place, this was not communicated to staff and subsequent data protection training and monitoring had not been carried out. The ICO article also found that a peer-checking process should have been in place ‘to ensure that sensitive information was being sent to the correct recipient.’ These incidents reinforce the importance to FE and HE institutions of making certain that all data protection guidance is actively communicated to staff and that attendance of relevant mandatory training is effectively monitored.
US Guidance on Cloud Security and Privacy Published
The US National Institute of Standards and Technology (NIST) has recently published its Guidelines on Security and Privacy in Public Cloud Computing, which although from the US perspective, provides some useful recommendations as to the practical steps to take in evaluating a potential cloud solution. Although the guidelines do not deal with the legislative requirements of data protection we are required to tackle here in the UK, the Summary of Recommendations at p.51 does provide a useful practical checklist of questions-to-ask and issues-to-consider when looking to adopt a cloud computing provider. The report can be found on the NIST website.
Essential Law Book - New Edition
The 3rd edition of Paul Pedley's Essential Law for Information Professionals is now available from Facet Publishing. A useful desktop reference for those involved in libraries, learning support centres and related information management areas. You'll need to decide for yourself whether it is worth the £50 price tag (£40 to CILIP members). Details can be found on Facet's website.
Data Protection Call for Evidence
The Ministry of Justice has put out a call for evidence to data controllers and other interested groups on the likely impact of the proposed EU Data Protection Regulation and Directive. This information gathering exercise, which closes on 06 March 2012, aims to inform the UK government’s stance in the upcoming negotiations with other EU member states. The call for evidence and the questionnaire is available at The Ministry of Justice website.
JISC Legal has more detail on the EU proposals and links to the draft Regulation and Directive in our Law Watch item at http://jiscleg.al/DPProposedNewRules
Teacher in Facebook Meltdown
A teacher has faced a disciplinary hearing because of her posts on the social media website Facebook. It is reported that the comments included references to favourite pupils, alcohol use and sexual preferences. The story illustrates how easily a presence in social media which starts out in good intentions can quickly spiral out of control. It highlights once again to those working in colleges and universities the need to regularly check privacy settings and to be aware of the ramifications of ill-considered postings and contacts. The story is available on the BBC website.
For a summary of the key legal considerations when using Facebook see the JISC Legal guidance Facing up to Facebook: A Guide for FE and HE available at http://jiscleg.al/FacinguptoFacebook
Beatbullying Publishes Cyberbullying Report
A new report published by Beatbullying entitled Virtual Violence II: Progress and Challenges in the Fight against Cyberbullying, considers the state of cyberbullying amongst children, young people and teachers in the UK. The report reveals that cyberbullying is a 'weapon of choice' amongst the youth of today and is showing no signs of dissipating. FE and HE institutions are reminded of the importance of having in place adequate safeguarding measures to encourage appropriate use of their computing systems, whilst educating staff and students of the risks associated with inappropriate use of the internet. For more details you can access the Beatbullying report.
Further information on cyberbullying is available from our website: http://jiscleg.al/ComputerMisuse and http://jiscleg.al/e-Safety
Ignorance No Defence to Copyright Infringement
Belief that copyright permission has been granted is no defence to infringement of copyright if no valid permission was, in fact, given. This was the finding in the Patents County Court case Hoffman v Drug Abuse Resistance Education (UK) Ltd (DARE) (Neutral Citation Number:  EWPCC 2). The case concerned photographs copied from a Government sponsored website and used without permission. This means that colleges and universities which employ web designers must ensure permission has been granted for use of images on their websites. It is also provides insight as to how damages are likely to be calculated in such cases (£10,000 in this case).
Further details of this story are featured in our Law Watch item.
Loss Threat to Locked-in Data
The recent demise of a file sharing service highlights the risks for colleges and universities in considering a move to the cloud or other external service providers. Megaupload was closed down and its assets frozen in mid January by the US authorities investigating the sharing of copyright infringing materials. It outsourced storage of users uploads to third party providers who are currently not being paid for provision of the storage service and have therefore threatened to delete the data. In addition at least one of the storage providers has stated that it has no access to the content stored for Megaupload and no means of returning the content direct to Megaupload’s users. This has resulted in the prospect of the content of the servers being deleted due to non payment and the resulting loss of data to those users who have uploaded legitimate data including data such as family photographs. Similar issues also have to be addressed when a college or university is considering using cloud computing services. It reinforces the need for colleges and universities to carry out due diligence checks on their proposed cloud and other service providers to ascertain as far as possible the status and robustness of the provider prior to entering into a contract in order to minimise the risk of restricted access to the data or at worse a total loss of data. The news story is available from the BBC website at http://www.bbc.co.uk/news/technology-16787486
JISC Legal’s Cloud Computing Toolkit is available as an aid in making informed decisions about implementing cloud computing solutions- http://jiscleg.al/CloudComputingToolkit
MSPs to Approve Appointment of Rosemary Agnew as the new Scottish Information Commissioner
The Scottish Parliament is to approve the appointment of Rosemary Agnew, currently head of the Scottish Legal Complaints Commission, as the new Scottish Information Commissioner responsible for enforcing and promoting Scotland’s freedom of information legislation. For further details on this story: http://www.bbc.co.uk/news/uk-scotland-scotland-politics-16830531
New FOI Guidance
The new ICO guidance is a plain English guide aimed at public authorities and provides a basic overview of the law. It covers general compliance issues including routine publication of information, responding to requests, the fees charging regime, and complaints. Simple examples of requests to illustrate areas of the law as well as references to decisions are included. It will be a useful starting point for new staff members in colleges and universities whose role includes some involvement in FOI. Although running to fifty six pages, it may also prove useful as a training tool on general FOI awareness for all staff.
The Guide to Freedom of Information is available at http://www.ico.gov.uk/
Visit the JISC legal website for further resources on FOI including our latest FAQ’s at http://www.jisclegal.ac.uk/