Procedures, the DPA 1998 and a Code of Practice

This Code of Practice for Computing Service staff, which takes into account recent changes in the law, has been agreed by the Information Technology Syndicate.

Recent legislation:

The legislation concerned is

Intercept mail to a Cambridge account on request of Institution:

Problem:

A secretary or similar who uses his/her personal mailbox for departmental mail goes on holiday, leaves without notice, or simply disappears, without leaving a password to the account or without setting up a .forward file. The department wants access to continue with the departmental work.

The previous practice of allowing an Institution access to a staff member's files and particularly to their e-mail infringes the rights of the individual under the Human Rights Act.

Application forms have been modified to alert new users to the possibility that their account may be looked at by systems staff if such access is in the interests of the Institution.

The Guidelines on the Acceptable Use of Computer Facilities, E-mail and the Internet soon to be published by the Personnel Division also describe the circumstances in which e-mail may be intercepted.

Suggested practice

  • handing over the account to another party is not acceptable, nor is forwarding mail from an account because there is a risk of handing information to a third party.
  • the best that CS staff can do is to login to the user account, forward relevant mail and close the account or install a vacation message on written request from the Institution
  • in many cases, a role account is more suitable for secretaries, librarians etc

A Reporter notice making our position clear will be issued following IT Syndicate approval.

Forwarding mail to another account for a user

Problem:

Computing Service staff are often asked to forward mail to another (non Cambridge) account. It is particularly difficult to be sure that the target account does belong to the real user if a request is received from a non Cambridge account or from a third party.

Suggested practice:

  • the user is told how to set up their own forwarding
  • the user gives us written permission to forward mail from a Cambridge account to another account
  • we accept instructions from a Cambridge account to forward mail
  • forwarding mail by phone request or e-mail from a non Cambridge account is not acceptable

Providing e-mail addresses in response to enquiries

Problem:

Postmaster, webmaster and others all get regular requests for e-mail addresses of staff and students in the University. In the past these requests were answered, but since the implications of the DPA 1998 have been clear, we have not done this, instead, we have forwarded the request to the person whose address has been requested and told the remote user that we have done this. Where we cannot identify the person being asked about, we have said so.

It was pointed out recently, that the practice described above is, in fact, providing information to the remote enquirer. If we say that we have passed on the mail, we are confirming that the person is at Cambridge. In extreme cases, this could jeopardise the security of the individual. The Assistant Data Protection Officer agrees that we should not confirm or deny the presence of an individual. At the same time, we recognise that the majority of the requests for information are genuine and are for academic purposes.

The e-mail search is available world-wide and currently contains those who have not specifically removed themselves from the directory. From October 2001, it will c ontain only those who have specifically included themselves.

Suggested practice:

When a request for an e-mail address for an individual is received:

  • the enquirer should be referred to the e-mail search in the first instance
  • if the person cannot be identified using the search, then we return an answer of the form:

    "The person that you are looking for is not in the world readable e-mail directory and under the Data Protection Act 1998, we cannot provide any further information. If we are able to contact the person we will forward a message for you if you wish us to do so."

If we receive a request for an e-mail contact for an Institution, a personal e-mail address may be returned only if it is the published contact, e.g. on a web page.

Providing information from web logs

Problem:

The owner of a web site on CUS wishes to know how many people are accessing the web site and where they are coming from.

Free access to the logs cannot be permitted because the logs contain personal data (the IP address of those contacting the site). System staff could provide information to the web site owner if we depersonalise the logs or just return a count of the accesses, but this would create extra work.

The above applies to web sites where only the Computing Service can see the logs, however the basic guidance applies to all web sites:

Suggested practice:

For CUS:

  • We don't provide logging information because of the work involved

In general:

  • analysing web logs to see who is accessing the site is not permitted unless the web site gives notice of this (i.e. the data is 'fairly obtained')
  • logs may be used to gather statistics

Providing account information to Colleges and Department (new accounts)

Problem:

At the beginning of the academic year, we receive requests for assistance at course practical sessions. The usual problem is that a student does not bring the requisite information with them and cannot do the practical session without having their password changed. The quickest and easiest way to deal with this is to provide the course organiser with a list of passwords. We sometimes also provide Computing Service staff to assist at the first few practical sessions.

Suggested practice:

The University Data Protection Officer is happy with this procedure because we are providing the information for the legitimate business of the University. Course organisers and CS staff should advise students to change their initial passwords at the earliest opportunity so that their accounts are secure.

Providing a password to an Institutional Computer Officer for a user

Problem:

This might be for a senior person who has saved a password in a dial-up or e-mail configuration and then forgotten the password or for a member of staff or a student who is in to a remote part of the world and who has been caught up in a password reset. We are advised that we should only supply the password to the user and leave them to pass the information to the Computer Officer or whoever is helping them. This still leaves us with the problem of a secretary wanting a password for a Head of Institution or group.

Suggested practice:

  • a password is only given to a third party if the owner of the account has provided written permission.
  • we advise senior staff and those who are leaving the country to leave a signed authority behind which will allow us to provide a third party with access to their account. Further information is available.

Providing passwords over the phone

Problem:

There are numerous occasions when it is not possible for the user who has forgotten their password to call into Reception with proof of identity.

Suggested practice:

  • Reception staff do not give out passwords over the phone
  • if there is a difficulty, a password can be (snail) mailed out to the user to their registered address (Reception do this but try to limit this to those who really cannot get in).
  • if necessary, we will ring people at the phone number published in the University directory
  • if the user really cannot go to the Reception office, usually because they are not in Cambridge, then they may be asked to phone to a member of the User Administration staff who will be able to verify their identity

Deceased users

Although the Data Protection Act applies only to living individuals, there are other matters to consider.

  • the intellectual property rights of any files in the user's accounts are the property of the estate. The executor or next of kin should be given access to the files or the files should be handed over to the appropriate person.
  • if there is any possibility of a police investigation, the accounts should not be released until the position is clear.