GDPR - the impact on university business

Universities that are not already preparing to introduce their staff to new requirements have just eight months to do so

Posted by Rianna Newman | September 28, 2017 | Finance, legal, HR

There are many aspects of the new regime that have caught the attention of the media, such as the ‘right to be forgotten’, direct liability for processors and the extended definition of personal information to include biometric, genetic and pseudonymised information. 

However, the most far-reaching impact will be the move away from the current use of consent as the default basis for processing personal data. In future, data subjects will be able to withdraw their consent at any time, making it impractical as the basis for long-term processing, as with student records, employees and alumni. In addition, consent will have to be on the basis of much more granular information about the specific processing operations and any sharing with third parties. It will not be possible to obtain a ‘general consent’ to use someone’s personal data, nor to operate by use of ‘opt-out’ requirements.

In general, universities will be able to use a different lawful basis for processing and will not need to rely on consent. This will be much more straightforward in relation to processing of new information. It will, however, require consideration of the position in relation to existing information, in particular where past consents are not likely to meet the required standard for GDPR compliance.

This article sets out the considerations relating to establishing other lawful bases of processing personal data as they affect universities.

Territorial scope – overseas students and campuses

The GDPR has a wider territorial scope than the old DPA regime. It covers all processing that:

– takes place in an EU Member State, whether or not the data subjects are EU nationals – this will cover overseas students from any country where the data are processed on the university’s IT system;

– is carried out by a controller established in an EU Member State, even if the processing takes place outside the EU and/or does not concern the personal data of EU nationals. It is not entirely clear what constitutes ‘establishment’ in a member state, but UK universities will certainly be covered. The term is likely to be wide enough to cover university trading and technology transfer companies as well as overseas campuses. Universities should include such entities in their data lifecycle audits and compliance programmes;

– is carried out by a controller or processor not established in an EU Member State, where goods or services are offered to data subjects who are in the EU – even if they are not EU nationals; and

– is for the purpose of monitoring the behaviour within the EU of data subjects – whether or not they are EU nationals.

This provision may also catch overseas campuses, even if they are not ‘established’ in the UK, if they offer remote access to their courses to students in the EU or use e-learning tools to monitor the progress of EU students at those campuses. It is also potentially wide enough to catch recruitment activities by them which are directed at EU students.

Other lawful bases of processing

The GDPR provides five other ways of processing that may be more appropriate than consent. It is likely that universities will use different bases for different purposes. 

Article 6(1) sets out the possible lawful bases of processing for ordinary personal data:

(a) Consent of the data subject – as explained above, this may not be a practical arrangement for most university purposes and should be considered only where there is no other more appropriate basis;

(b) Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract – this condition will cover, for example, employees, consultants including external examiners and visiting or honorary academic post-holders, suppliers and students in relation to their contract with the university;

(c) Processing is necessary for compliance with a legal obligation – this will be appropriate for such tasks as deducting tax, pensions and social security requirements;

(d) Processing is necessary to protect the vital interests of a data subject or another person – this allows information to be shared in life-threatening situations; 

(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – this is only available to public authorities carrying out their public tasks. At present it is not clear whether – or to what extent – a university is a public authority. Clarification is expected from the UK government but it seems likely that at least in relation to some functions, such as undergraduate teaching, universities may be public authorities. To the extent that they are, this will provide an additional basis for processing data that is not covered by sub-paragraph (b); and

(f) Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject. Note that this condition is not available to processing carried out by public authorities in the performance of their tasks so may not apply to all university functions. However, it will be a helpful basis where functions (perhaps such as providing optional online learning tools) fall outside any public authority remit. This is likely to include any technology transfer and commercialisation activities.

The GDPR allows member states to introduce more specific provisions in relation to Articles 6(1)(c) and (e). These provisions are particularly relevant to the university sector and we expect government to include such provisions in the Data Protection Bill.

Article 9(2) sets out the lawful bases of processing for special categories of personal data: these are broadly the same as ‘sensitive’ data under the current regime but have been broadened to include genetic or biometric data used to identify an individual:

(a) Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law. Again, using consent will require the provision of much more detailed information than at present and can always be withdrawn so alternative bases should be considered where possible;

(b) Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement; or

(c) Processing is necessary to protect the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent.

The inclusion of biometric data in the special categories is likely to bring security and access systems (such as fingerprint or facial-recognition entry controls) within the additional requirements for special categories of data and may require explicit consent (which can be withdrawn).

Whatever bases are used for the various personal data processing activities, universities will need to document the relevant decisions so that they can demonstrate to the ICO which lawful basis is relied on for each activity. Data protection impact assessments can help with the task of understanding how to meet the conditions for processing and the requirement for universities to demonstrate accountability under the GDPR.
