If your university shares student data with you, the basis on which they do that is about to change, with the introduction of the EU’s General Data Protection Regulation (“GDPR”) from 25th May 2018. Other changes introduced by the GDPR will also have a significant impact on the handling of student data, and students’ unions are advised to take steps to prepare now. This article from Laura Moss at Wrigleys solicitors looks at what the GDPR means for students’ unions and what they should be doing now to prepare themselves for its implementation.
What is changing?
The GDPR contains a range of new rights for individuals in respect of their personal data, and new obligations which those who control and/or process data must comply with. Some of the most significant changes which will affect students’ unions are as follows:
- Obligation to obtain consent: the GDPR requires an even higher standard of consent from an individual before their personal data can be legally processed. Consent should be specific, freely given, informed and unambiguous. Pre-ticked boxes and ‘opt-outs’ will not be enough. When the processing of personal data has multiple purposes, an individual should give their consent to each of the processing purposes. An individual has the right to withdraw their consent (for any or all processing purposes) at any time.
- Obligation to display privacy notices: privacy notices (such as those displayed on students’ union websites) will need more detail under the GDPR, including information about who data might be passed to and how to complain. This will need to be balanced against an obligation to make privacy notices clear, concise and intelligible.
- The right to be forgotten: individuals will have the right to request that organisations delete their personal data in certain circumstances (e.g. their data is no longer necessary for the purpose for which it was originally collected).
- ‘Legitimate interest’ justification for data sharing: many universities currently share students’ data with students’ unions on the basis that it is necessary for the purposes of the legitimate interests of the university and the students’ union, and that the processing doesn’t prejudice the rights, freedoms or legitimate interests of the student whose data is being shared. The GDPR removes this legitimate interest justification for public authorities. Although there is no definition of “public authorities” in the GDPR, it is likely that it will include universities, as this is the position under the Data Protection Act 1998.
This means that universities may be reluctant to share students’ data with students’ unions, for fear of breaching data protection legislation, and would need to find alternative justifications for doing so. The clearest option would for universities to obtain explicit consent from students to share their data with the students’ union, but other justifications might include where processing data is necessary for the performance of a contract, or where processing is necessary for compliance with a legal obligation. Work is currently being done to assess whether these justifications would be acceptable to the Information Commissioner’s Office (the “ICO”), particularly as the maximum fines for any breach of the GDPR will significantly increase from their current levels.
Data breach notification: organisations must give notification of all data breaches without undue delay and where feasible within 72 hours, unless the data breach is unlikely to result in a risk to the individuals concerned. If the breach is likely to result in high risk to individuals, the GDPR requires organisations to inform those individuals “without undue delay” as well.
Increased fines: the GDPR will increase the maximum fines that may be imposed in respect of data protection breaches, up to a maximum of €20million or 4% of turnover, whichever is greater.
What should students’ unions be doing to prepare?
Students’ unions should get a head start on preparing for the new regime by taking action now. Reading up on the changes to understand the effect they will have is vital, and the ICO website has lots of useful guidance.
Some other, practical steps to take now include:
- Do an internal audit: you need to understand what happens to data within the students’ union, in order to manage any risks associated with processing it. Interview staff, go to team meetings and carry out questionnaires to try to understand how and what data is collected, what happens to it, where it is stored, who has responsibility for it and what it is used for.
- Review policies and guidance: check your privacy notices and make sure you have an internal data protection policy. These should be transparent, easily accessible and in clear and plain language.
- Review your data sharing agreements: you should be prepared that the agreements you have with your university or college for sharing students’ data are likely to be reviewed, and in some cases, institutions may be reluctant to share students’ data to the same extent as before.
- Develop a response plan: put in place policies and procedures to ensure that you can react quickly to any data breaches and notify in time where required. This could include agreed media statements, important or useful contacts (such as a PR company), required follow-up action and the names of the key people responsible for dealing with incidents. Test the system with a dummy breach.
- Training: give staff regular training on data protection matters. The ICO website has a useful ‘Think Privacy’ toolkit for charities, with free resources to download (available here). Most breaches are due to human error, so effective training of staff is a key part of minimising the risks.
Impact of Brexit
Even when the UK is no longer part of the EU, the Government has confirmed that domestic legislation will be enacted which has a similar effect to the GDPR. Students’ unions should therefore take steps now to understand the changes and prepare for the new regime, to avoid a last minute panic.
For further advice on the issues raised in this article, please contact Laura Moss at Wrigleys Solicitors LLP.
Additional Material from the ICO via Peter Robertson at NUS:
“I understand that you would like some advice on the sharing of students’ personal data between universities and students’ unions. Some universities have been contacting their students’ unions stating that they would not be able to share the personal data without the explicit consent of the students once the GDPR becomes applicable. You believe that as they are public authorities, they would not be able to rely on legitimate interests as their lawful basis to share the personal data. You would like to know if the universities can rely on Article 6(1)(b) or Article 6(1)(c) of the GDPR to share the personal data with their students unions.
It is the data controller’s responsibility to identify a lawful basis for processing personal data under the GDPR. The Overview of the GDPR provides the latest ICO guidance on this topic. We do not currently have in-depth guidance in relation to the legal basis that can be used by universities. I would advise you keep an eye on our website as we will be updating our guidance regularly. The overview can be found via this link
To clarify, universities would fall within what we refer to as a ‘hybrid authority’ (that is to say a public authority who may also carry out some functions which are not of a public nature). Such bodies may rely on legitimate interests for those functions which are not public in nature.
It is for the data controller to also determine what information should be shared. The GDPR does outline what information should be provided to individuals and you can find guidance on this via this link.