The higher education sector, it might be fair to say, presents challenges to effective data protection. This is because of the fragmented nature of relationships between controllers (institutions), individuals employed by institutions who might collect data on their behalf (for example, administrators and academics) and data subjects (for the purposes of this article, students), as well as the high level of autonomy of employees within organisations.
Due to increasing attention on universities from those wishing to access valuable personal data held by institutions or deny access to legitimate users, our minds have been focused on this issue. We need a sector that is aware of its data protection responsibilities and the rights of those whose data we hold. Failure to do so can result in significant fines for institutions and disciplinary action for those who might have caused the breaches.
If we take, for example, the traditional academic scenario of posting exam grades on a student noticeboard (or a virtual platform in these more digital times), we are immediately faced with a challenge to the fair processing and sharing of personal data related to that student. Assessment data related to a student is personal. Although the institution is collecting and processing that data, it still belongs to the student, and if we are choosing to share it, we need to both make the owner aware of the intention to share as well as their right to not have their data displayed in a public forum.
- Social media can help new students make friends – but we must regulate it
- Cybersecurity in the HE sector – getting the basics right
- Cybersecurity remains a critical issue that universities must face
While a short article cannot cover all aspects of data protection and privacy rights exhaustively, I will aim to prompt thoughts around what student data is and how it is used.
Understand that technical controls have limits
Perhaps the most important thing to bear in mind is that this cannot all be managed and controlled with technical controls. Many technical measures (such as access control, authentication and effective data management) can be put in place to mitigate the risks of unauthorised access and breaches, but these cannot do everything. Many breaches are beyond the control of the IT department (such as the oft-cited email attachment containing the personal data of thousands sent to the wrong recipient), and those with data processing responsibilities cannot assume that those clever folk in IT can mitigate any potential breach.
Under principle 1 of the General Data Processing Regulations (enshrined in UK law in the Data Protection Act 2018), any data collected should be processed fairly, lawfully and in a transparent manner. If data are collected for one aim (for example, an assessment), they should not then be used for a different purpose (for example, a disciplinary procedure) without the consent of the subject. Being in possession of students’ personal data does not give you carte blanche to do what you wish with it.
Be mindful that it is well within a student’s rights to make a subject access request; this requires the organisation to provide all electronic data they hold regarding the student. This is a growing practice as individuals become more aware of privacy rights and the responsibilities of organisations to handle their data in a responsible manner. “Electronic data” extend to email and other forms of digital communication. Ensure that any discussion of students is professional and any information shared is done so for fair and lawful reasons. A failure to disclose all data held on an individual, which is subsequently discovered, could result in more significant sanctions for the institution.
Outsource with care
Consider how any use of off-campus systems might affect the host’s (and your) data collection responsibilities. For example, a cool online system that provides informal quizzes on an academic subject might be viewed as a good opportunity to provide extra resources for teaching and learning. However, systems hosted overseas (particularly those without GDPR compliance) that might collect personal data about the student – and which then results in the student being spammed by the third party – need careful consideration. At the very least, a data protection impact assessment to assess whether the organisation has responsibility for the processing of students’ data needs to be carried out.
This is not the same as the use of cloud providers to implement core institutional services, such as email systems and learning platforms. There will be formal agreements in place between the institution and provider (processors) with appropriate impact assessments being carried out before entering into service delivery. This is not the case with the ad hoc use of third-party systems used on a whim by a member of staff.
Social media can be a double-edged sword
Consideration should also be given to the use of informal platforms and social media for communication with students. While this might seem like meeting students in “their world”, the risk of blurring social and work boundaries, which may impact on student privacy, is significant.
For example, a WhatsApp message to a student giving them guidance on an assessment may unfairly advantage that student and lead to accusations of bias or unfairness.
Similarly, setting up WhatsApp groups to allow students to discuss a learning subject has the potential to share personal data (for example, mobile numbers), which students may not wish to do, and if they “opt out”, they may be placed at a disadvantage.
Keep all communication on institutionally managed systems where impact assessments have been carried out, regardless of how convenient informal systems might at first appear.
Make sure everyone understands data protection duties
Finally, ignorance is no defence in law. While there is a growing trend to provide online data protection training, institutions need to consider whether this is sufficient to make staff both aware of data protection duties and how to respect student privacy. It is likely that many “solutions” do little more than provide weak arguments for institutions that: “Well, they’ve been trained, so it’s not our fault.” This claim might be found wanting in the event of a disclosed data breach or unlawful practices discovered as a result of a subject access request.
Anyone with data protection duties needs to be effectively briefed regarding these responsibilities, receive appropriate training and have their responsibilities made clear through documented policy.
Perhaps the best advice is: if in doubt, ask. All institutions should have data protection officers and professional staff with designated data protection responsibilities, and if they don’t know the answer, they might be able to delegate to external data protection experts.
Andy Phippen is professor of digital rights at Bournemouth University.
If you found this interesting and want advice and insight from academics and university staff delivered direct to your inbox each week, sign up for the THE Campus newsletter.
comment