Complaint Case Notes

編號: 0007/2010/IP

標題: University A posted in bulletin board a payment "notice" with the student's name and student number

立案原因: Complaints


    A Notice was posted on a bulletin board in College B of University A about payment of tuition fees, containing the student's name and student number. Student C thought that, students had been notified on this matter by mails, the categories of personal data in this "Notice" should be sufficient to include student numbers, without names of students.
  C believed that University A excessively disclosed the personal data of students, which may be a violation of the "Personal Data Protection Law", and therefore complaint to the office.


    According to Article 4, Paragraph 1, Sub-paragraph (1) and Article 3, Paragraph 1 of the "Personal Data Protection Act," the data processing in this case is regulated by this Act.
  University A explained that, there were always some students not notified about tuition fee payment because of the lost mails, delay payment was subject to a fine, and some students in College B were newly transferred from the main campus, In addition, College B in that stage have their student names only, because their student numbers might be generated by the Computing Division later. To avoid misunderstanding in communication, A "Notice" with the students’ names and student numbers is necessary.
  The office believes that, students of University A must pay tuition for the teaching services of University A, so there is a contractual relationship between the students and the University. The personal data processing is necessary for University A for the performance of the contract. In addition, in Article 29 of "Charter of University A" approved by Executive Order No. 20/2000, it provides: "In its property and within is financial autonomy, the resources of University A include tuition and payment paid by students, in addition to other resources permitted by law". Thus, the personal data processing related to tuition fee collection is in legitimate interest of University A, while C's interest for rights, freedoms and guarantees does not override. Therefore, University A has the legitimacy provided in Article 6 of the "Personal Data Protection Act".      Regarding the proportionality in processing C’s data by University A, according to "Student Handbook" of College B available online, which states, "Students must regularly check notices posted on campus bulletin boards, on the University website or in e-mails box provided to students by the University, in order to obtain the latest campus news." This office believes that, University A provide reminders to students by the "Notice" is with a good faith for the interest of the students, and its proportionate and reasonable to disclose names and student numbers in this Notice, which is in line Article 5, Paragraph 1, Sub-paragraph (3) of the "Personal data Protection Act".      
  According to Articles 10 and 11 of the "Personal Data Protection Act", the data subject has the "right to information" and "right of access", etc. According to the information provided by University A, there is not any "Personal Data Collection Statement." According to information provided by C, C had asked the university about matters related to the Notice but University did not provide C a clear answer. This office believes that University A should improve in this matter and provide clear information to students.
  In summary, University A did not violate Articles 5 and 6 of the "Personal Data Protection Act" by disclosing names and student numbers in the Notice on campus bulletin board, while it should improve in ensuring the exercise of "right to information" and "right of access" by students.


    This Office decided to archive the case, and wrote to University A, recommended an improvement in compliance with regulations about "right to information" and "right of access" in the "Personal Data Protection Act", with a "Personal Data Collection Statement" and clearer information in replying students’ enquiries.

Please refer to "Personal Data Protection Act", articles 3,4,5,6,10,11 .