How will the GDPR affect schools and universities?
Educational institutions will need to be increasingly diligent about how they use and process students' personal information, explain Salima Mawji and Salise Dourmoush
The General Data Protection Regulation (GDPR) is the biggest reform to the data protection landscape since the Data Protection Act 1998 first came into force. The European Union’s aim in creating and implementing this legislation is to harmonise the laws relating to the control of personal information throughout the whole of the EU. Privacy is given the utmost importance. The main changes and their effects for schools and universities are explored below.
The government has stated that the UK will still be a part of the EU in 2018 and so Brexit will not affect the application of the GDPR in England and Wales, as it will officially come into force on 25 May 2018. The regulation introduces such significant and intricate changes to the sharing and controlling of information that organisations need to start now to prepare for the changes next year.
One of the major changes introduced is the ‘right to be forgotten’, which means an individual can request the deletion or removal of their personal data, including information published or processed online. This of course is not an entirely new concept. The European Court of Justice decided in C-131/12 Google Spain that it is an EU citizen’s right to have personal information about them deleted upon their request.
In the education sector, students and their parents will often find themselves in a dispute with universities and schools and want personal information deleted from the institution’s website. What is interesting is how these institutions will respond to these requests after the GDPR has come into force and whether further disputes will arise, particularly with regard to PhD students, when they request that their information is removed from university websites.
Present and past PhD students and their research are valuable to universities from a marketing, prestige, and funding point of view. Research students are usually used to promote the university, and so universities will want to avoid removing this information from their websites and may even use intellectual property arguments to challenge removing the research. Additionally, individual students’ performances are often used on schools’ websites, again to promote the school and its students’ achievements.
A second new right which has been introduced is data portability. Individuals already have the right to access personal data under the Data Protection Act, referred to commonly as a subject access request. This will now have to be provided in a way that makes it easy for a computer to read (e.g. a spreadsheet).
This will come as something of a comfort to individuals seeking personal information from universities and schools, as too often the information received as a result of a subject access request is sent to the applicant in a haphazard way. Deciphering the information is a confusing and lengthy process. The new regulations will eradicate this. An individual can now also request that their data be transferred from one system to another, for example between different cloud storage providers, which will also save time for the organisations.
Privacy notices must also be more detailed, including the conditions under which the data is being processed, and detailing the individual’s right to withdraw consent for their information to be processed at any time.
Conditions for processing data
Schools and universities must be aware that there are six new conditions for processing data:
- The person gave explicit consent;
- To fulfil or prepare a contract;
- There is a legal obligation (excluding a contract);
- To save someone’s life or in a medical situation;
- To carry out a public function; and
- There is some other legitimate interest (excluding public authorities).
If the data is sensitive (e.g. if it relates to race, religion, health status, etc.), there must be an additional justification to process that data, for example explicit consent or medical purposes.
Under the new regulations, consent must be explicit: silence amounting to consent is no longer enough, and ‘tick to opt out’ boxes will no longer be compliant. Instead, specific ‘opt in’ boxes will need to be used. Permission for each and every different use of an individual’s data will need to be agreed to by the individual themselves. This may particularly affect marketing for universities, which use the data to promote products and classes to existing students, and communications with their alumni.
Consent must also be freely given and specific: it must be seen to be a genuine choice. Individuals cannot be coerced or unduly incentivised, or penalised if consent is refused. The use of complex or technical language, silence or inactivity, and bundling with consent for other purposes will not be construed as freely given consent. Clear procedures must also be in place for acting on a request to withdraw consent.
One can therefore see the challenges which universities and schools will face in controlling the data of their students. On a positive note, students will have many more rights in respect of the information which the university has about them and how this is used.
Six additional general principles must be followed when using personal data. These are:
- Data collection must be fair and lawful;
- Data can only be collected for a specific purpose and is limited to that purpose;
- Data collection must be necessary and not excessive for its purpose;
- Data must be kept accurate and up to date;
- Data should not be stored any longer than necessary; and
- Data must be kept safe and secure.
Merely complying with these six principles is insufficient; a data controller must also be able to show how they have complied with them. Educational institutions must have up-to-date internal data protection and compliance policies addressing how the organisation manages data on a day-to-day basis. Clear compliance structures and responsibilities must be in place and roles must be clearly defined, with staff to receive regular training.
Every business based outside of the EU may be required to appoint a representative based in the EU that is accountable for data protection if it is trading with member states. The GDPR’s reach is global. Any company that offers goods or services to anybody in the EU will be required to comply.
Large corporations (such as universities) will need to appoint data protection officers (DPOs) to deal with data protection. This includes organisations processing more than 5,000 personal records per year, those employing 250 staff or more, and all public sector organisations. Risk management is now, therefore, more important. Auditing information must be held and it is likely that a register will need to be compiled including what data is being held, where it is stored, how it is being used, and by whom and for how long it is being held. With the new regulations, universities and schools will need to prove that they are being diligent with students’ personal information.
Some positions (e.g. payroll and accounting) deal with data collected by third parties and are referred to as ‘data processors’ as opposed to ‘data controllers.’ Data protection laws currently do not apply to data processors. However, the GDPR will apply to data processors as well and data controllers will now be liable for compensation claims. If data is to be transferred out of the European Economic Area then express consent for this transfer needs to be obtained.
Universities may find this particularly difficult for international students. As they may still be liable for that data if it is transferred onwards from that place to a third country, it is difficult to see how universities will protect themselves against this risk. This will be especially difficult since the Institute of International Information estimated that in 2014/15 there were around 496,690 international students in the UK.
If a data controller is spread across many member states, for example a university with campuses across member states, then one supervisory authority will have to be the lead authority for that organisation. Perhaps the most important is the Irish data protection commissioner, as Ireland is the base for many large corporations which the GDPR is likely to affect the most, including Google, Facebook, Twitter, LinkedIn, and Yahoo. Universities may have to liaise with the Irish data protection commissioner, as they frequently use these social media giants for marketing purposes.
The Information Commissioner’s Office can now fine an organisation up to 4 per cent of its annual worldwide turnover, or €20m, whichever is greater. Sanctions can also include audits, warnings, and temporary or permanent bans. There is a new requirement to report serious or major breaches, such as the loss of an unencrypted laptop containing the names, addresses, and dates of birth of over 100 people. There is a presumption in favour of reporting where sensitive data is involved and, though breaches themselves are not made public, fines or warnings will be publicised.
Naturally, universities and schools are concerned about reputational damage and so they will need to be ever more diligent in their role as data controllers. This will put students and parents in a stronger position when engaging in negotiations with these educational institutions when they have breached their data protection obligations.
Salima Mawji is a director and Salise Dourmoush a trainee solicitor at Match Solicitors