There are many aspects of the new regime that have caught the attention of the media, such as the ‘right to be forgotten’, direct liability for processors and the extended definition of personal information to include biometric, genetic and pseudonymised information.
However, the most far-reaching impact will be the move away from the current use of consent as the default basis for processing personal data. In future, data subjects will be able to withdraw their consent at any time, making it impractical as the basis for long-term processing, such as the processing of student, employee and alumni records. In addition, consent will have to be given on the basis of much more granular information about the specific processing operations and any sharing with third parties. It will not be possible to obtain a ‘general consent’ to use someone’s personal data, nor to operate by means of ‘opt-out’ arrangements.
In general, universities will be able to use a different lawful basis for processing and will not need to rely on consent. This will be much more straightforward in relation to processing of new information. It will, however, require consideration of the position in relation to existing information, in particular where past consents are not likely to meet the required standard for GDPR compliance.
This article sets out the considerations relating to establishing other lawful bases of processing personal data as they affect universities.
Territorial scope – overseas students and campuses
The GDPR has a wider territorial scope than the old DPA regime. It covers all processing that:
takes place in an EU Member State, whether or not the data subjects are EU nationals – this will cover overseas students from any country where the data are processed on the university’s IT system;
is carried out by a controller established in an EU Member State, even if the processing takes place outside the EU and/or does not concern the personal data of EU nationals. It is not entirely clear what constitutes ‘establishment’ in a Member State, but UK universities will certainly be covered. The term is likely to be wide enough to cover university trading and technology transfer companies as well as overseas campuses. Universities should include such entities in their data lifecycle audits and compliance programmes;
is carried out by a controller or processor not established in an EU Member State:
where goods or services are offered to data subjects who are in the EU – even if they are not EU nationals; and
where the processing is for the purpose of monitoring the behaviour within the EU of data subjects – whether or not they are EU nationals.
This provision may also catch overseas campuses, even if they are not ‘established’ in the UK, if they offer remote access to their courses to students in the EU or use e-learning tools to monitor the progress of EU students at those campuses. It is also potentially wide enough to catch recruitment activities by them which are directed at EU students.
Other lawful bases of processing
The GDPR provides five lawful bases of processing other than consent, and one of these will often be more appropriate than consent. It is likely that universities will use different bases for different purposes.
Article 6(1) sets out the possible lawful bases of processing for ordinary personal data:
(a) Consent of the data subject – as explained above, this may not be a practical arrangement for most university purposes and should be considered only where there is no other more appropriate basis;
(b) Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract – this condition will cover, for example, employees, consultants including external examiners and visiting or honorary academic post-holders, suppliers and students in relation to their contract with the university;
(c) Processing is necessary for compliance with a legal obligation – this will be appropriate for such tasks as deducting tax, pensions and social security requirements;
(d) Processing is necessary to protect the vital interests of a data subject or another person – this allows information to be shared in life-threatening situations;
(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – this is only available to public authorities carrying out their public tasks. At present it is not clear whether – or to what extent – a university is a public authority. Clarification is expected from the UK government but it seems likely that at least in relation to some functions, such as undergraduate teaching, universities may be public authorities. To the extent that they are, this will provide an additional basis for processing data that is not covered by sub-paragraph (b); and
(f) Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject. Note that this condition is not available to processing carried out by public authorities in the performance of their tasks, so it may not apply to all university functions. However, it will be a helpful basis where functions (perhaps such as providing optional online learning tools) fall outside any public authority remit. This is likely to include any technology transfer and commercialisation activities.
The GDPR allows member states to introduce more specific provisions in relation to Articles 6(1)(c) and (e). These provisions are particularly relevant to the university sector and we expect government to include such provisions in the Data Protection Bill.
Article 9(2) sets out the lawful bases of processing for special categories of personal data: these are broadly the same as ‘sensitive’ data under the current regime but have been broadened to include genetic or biometric data used to identify an individual:
(a) Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law. Again, using consent will require the provision of much more detailed information than at present and can always be withdrawn so alternative bases should be considered where possible;
(b) Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement; or
(c) Processing is necessary to protect the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent.
The inclusion of biometric data used to identify an individual is likely to bring security and access control systems within the additional requirements for special categories of data, and may require explicit consent (which can be withdrawn).
Whatever bases are used for the various personal data processing activities, universities will need to document the relevant decisions so that they can demonstrate to the ICO which lawful basis is relied on for each activity. Data protection impact assessments can help with the task of understanding how to meet the conditions for processing and the requirement for universities to demonstrate accountability under the GDPR.