GDPR one year on

Higher education is not immune from the far-reaching powers of the EU’s GDPR legislation and there are plenty of potential risks for the sector, says Serena Tierney

As you may recall, around this time last year, everyone was in a General Data Protection Regulation (GDPR) frenzy. We were all urgently reviewing privacy statements, searching for data protection officers and getting to grips with the new requirements for controllers and processors. But the journey didn’t end on 25 May 2018 – there have been many developments since then. At VWV we have supported many university clients through the last year as they have implemented their GDPR compliance programmes.

In this article, we review some of the trends that we are seeing both in practice and in ICO regulatory activity.

What trends are we seeing?

It will come as no surprise that there has been a spike in the number of requests by data subjects to access their data. This was pretty much inevitable following the extensive publicity around the implementation of the GDPR, which significantly raised public awareness. We are also seeing a small but noticeable flow of requests for personal data records to be rectified.

Can a university ask students about criminal convictions?

A question that has exercised many university data protection officers and admissions departments this year is whether they can ask potential students about their criminal records. The issue arose when UCAS removed the question from its all-applicants form so individual universities had to consider how to proceed.

It’s an uncomfortable dilemma: on the one hand, it is privacy-intrusive for the potential student; on the other, no university wants to fail in its duty of care or safeguarding obligations to all its students.

Although there remain differences of approach, many universities have been able to ensure that they can lawfully ask about criminal convictions:

1. at the time of making an offer of a place for a) a regulator-approved course where the regulator requires the university to check the candidate’s suitability for admission to the relevant occupation or b) a course of which a compulsory part is a work placement for which an enhanced Disclosure and Barring Service (DBS) check is required;
2. at the time of offering accommodation where the university has carried out a data privacy impact assessment and recorded its reasons for requiring that information and has put in place adequate safeguards for handling it.

Statements of public tasks

One of the key debates when GDPR was introduced was the extent to which a university could rely on the ‘public task’ lawful basis for processing personal data.

Initially, since the GDPR does not define ‘public body’, there was some question about whether a university was one. Once the government clarified (and later enacted in the Data Protection Act 2018) that it would have the same meaning as in the Freedom of Information Act, universities, their wholly owned subsidiaries and joint ventures with other universities all became ‘public bodies’ for data protection purposes.

Since a public body must use the ‘public task’ basis when carrying out its public functions but may not use ‘public task’ otherwise, the distinction is important for both compliance and practical reasons.

A growing number of universities are tackling the uncertainties over the scope of their public functions by publishing a ‘statement of tasks in the public interest’. Such a statement sets out the nature of the public tasks the university carries out, either under legal obligations or in the exercise of legal powers bestowed on it. The sources of these may be found in the university’s governing documents, its obligations under its registration with OfS and its current strategy document.

The advantage of this approach is that it allows the university to set out clearly its basis for treating tasks that might otherwise be argued to fall outside its core public task of education (such as provision of accommodation and other facilities) as part of that task. An appropriately drawn statement can greatly simplify the university’s data protection compliance requirements.

What can we expect by way of fines?

A concern for many is the level of fines that will be levied under the new regime. It is still early days to give much guidance as many cases are still being considered under the old law, but there are some straws in the wind.

In October 2018, the ICO levied the maximum DPA 1998 fine of £500,000 on Facebook for serious breaches between 2007 and 2014. Information commissioner Elizabeth Denham said: “We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.”

The highest GDPR fine so far is €50m imposed by the French regulator on Google. 

In the UK, the ICO has targeted controllers for failing to pay the registration fee. It has levied fines of £400 to £4,000 on the basis that they should have had systems in place to ensure compliance with their new obligations. Seven education providers are among the 103 organisations fined in 2018. 

One of those fined, Farrow and Ball, appealed its fine of £4,000: its appeal has been dismissed by the first-tier tribunal.

It seems likely that fines will in future be higher and that the ICO will be apt to use its new powers to enforce widespread compliance with basic obligations.

What areas will the ICO focus on?

It is clear that the ICO is now turning its attention to compliance with the basic requirements of GDPR. These include having a proper compliance system in place. The non-registration fines are one example; the £120,000 fine on Heathrow Airport for failure to encrypt material on a memory stick which included a very small amount of personal data is another.

Another area is the keeping of proper accountability records. A recent Europe-wide survey showed that 43% of data controllers currently fail to do so. Universities are vulnerable here in relation to research activities that are not reported to the data protection officer (DPO).

Where else can we expect to see developments over the coming year?

The ICO has several current workflows with salience for universities. It is creating an AI auditing framework; consulting on its draft code of practice for children’s online services which covers education websites, apps and streaming services used by under-18s; and looking at a code for use of biometric data.

It is also focusing on fairness and transparency in practice, as exemplified by: the recent fine on a TV production company for unfairly and unlawfully filming in a maternity clinic; the (old law) fine of £400,000 on Bounty for unlawfully sharing personal data about new parents and their children; and requiring the Home Office to delete voice data that it had collected without making it clear that its provision was entirely optional. These issues are especially likely to affect some kinds of university research as well as its relations with students.

So the overall message at this point is that it is worth checking that your GDPR compliance measures are by now all in place and working, and keeping an eye on developments in the areas we have identified.


Serena Tierney is a partner at leading education law firm VWV. Serena can be contacted by calling: 020 7665 0817 or emailing: stierney@vwv.co.uk
