If you were to ask anyone “what is the first thing that comes to mind if you hear ‘GDPR’?” it is likely they have heard of it and the responses “bigger fines” and “right to be forgotten” will be top of the list. For the uninitiated though, GDPR and its sanctions applies just as much to education institutions as it does to businesses.
This is a great opportunity for schools, colleges and universities to think about how they handle data, be clear about what data they have, and be prepared to have an open and thorough discussion with data subjects about what data they hold, what they are doing with it, and what rights those data subjects have around any of the processing that happens.
What GDPR brings to the table
As of 25th May 2018 GDPR will be enforceable by law. But GDPR is not only the new rights, stiffer penalties and clearer points on what data protection officers are supposed to do. It’s also the need for transparency and accountability around what data is held, what is being done with it and being able to demonstrate clearly that it is being protected.
Further Education’s call to arms
This is why the further education sector has a particular challenge, but also a powerful opportunity to reflect on the kinds of data they handle, and why. The challenge lies in all the data intensive activities that go on in the education setting. Firstly, data is processed about students from different age groups, across different courses and with different needs. One student may have a chronic condition or a disability that has to be recorded and helps a college to provide them the support they need, whilst another may require acute assistance for financial or wellbeing support. Students will email their teachers and administrative staff with queries and concerns, and staff will need to have a discourse with one another to support their students as they progress through their studies.
Staff and students as data subjects and processors
But students will not only have personal data recorded about them, but students could also be recording personal data about others, particularly if they are undertaking research or practicals as part of their programme or training. Sometimes this will be sensitive data, subject to high standards of ethical oversight, pursuant to participant consent, especially if the student is undertaking a counselling course for example.
Meanwhile, their lecturers and supervisors will almost certainly be doing the same thing, on a larger scale. Perhaps their research may involve personal data related to people’s administrative or health or even mental health care, but at a scale of hundreds of thousands of participants.
Corporate duty and HR responsibility
Of course, no matter what role an individual holds within a further education establishment, staff will have personal data about themselves held by their employer, which will be subject to statutory monitoring and use pursuant to managing their employment, their salary, tax records and so forth. It may be used as part of a promotion review, or (hopefully not!) part of legal proceedings. There may be occupational health records that are being handled. There may also be a requirement to process data for an immigration inquiry.
Understanding the who, what and how
So a first step would be to understand what data is actually being handled and how. It may be the case that more and more FE courses are being handled online. In this event, not only does the student have a fully digital relationship with their educators and educational institutions, but they also have all their personal details online in services which the further education institution either runs themselves or procures through a third party.
This is where it is important to make sure that you know who is running what, and what contracts they need to be subjected to. But this is also where accountability is important – data controllers have to be confident that their processors are competent to handle personal data, and demonstrate that they and the processor, and any third party sub-contractors are protecting the data.
How does GDPR help all of this?
Transparency, accountability, and the justification for personal data use are all being much more rigorously mandated. GDPR talks about this in terms of data minimisation, i.e. using only what you need . The data must be relevant and up to date, and data subjects have a right for data to be rectified. The data can also only be kept for as long as necessary to achieve the purpose, and cannot be archived indefinitely for no reason whatsoever.
CONSENT : Understand your legal bases for processing data
Perhaps the most helpful aspect is around understanding the legal basis for processing the data. GDPR is providing an opportunity to check our understanding of what legal bases such as consent actually mean. Whereas before you may have relied upon consent as a legal basis for processing data, now GDPR has a much higher bar for what constitutes consent.
One of the more noteworthy new tests for consent is whether it was freely given. The likelihood is that when a student registers to receive education for example, they do not have a free choice in your processing their personal data to achieve that purpose; so you could not call that consent under GDPR.
If you want to keep the student informed of other courses they may want or other marketing material, that is where you may need to seek consent or identify another legal basis for that: but beware! Under GDPR, opting out cannot be taken as consent, so if you have a pre-filled tick box in your registration form that permits you to contact the student for marketing or other purposes, that would not be valid consent, regardless of whether they choose to opt out by unticking the box. If you want their consent to receive marketing materials, GDPR means you have to allow them to grant their consent with an affirmative action (ticking a box) and that what they are signing up to has to be explicitly clear.
And you cannot coerce consent– it has to be freely given: a good example is that you cannot coerce consent for data processing that is not essential for performing a contract by claiming that you will not enter into that contract unless you get consent for the marketing.
People and relationships first…
Getting data protection right has long been dependent on a meaningful relationship of trust between data users and data subjects (including students and staff), where one would hope for a clear and transparent representation of how data is used. With GDPR, you have to get this right.
GDPR requires that organisations handling sensitive data put data protection at the core of their business and operations, and requires that certain kinds of breach are reported to a supervisory authority within 72 hours of discovery. It requires training and codes of practice, and makes a lot clearer the responsibilities of data protection officers. But the spirit and much of the letter of the law are around the rights and freedoms of the natural person. It would be ill advised to embark on a meaningful attempt at compliance in the belief that understanding the context of data acquisition and the people involved is unnecessary.
It is vital that awareness raising and understanding form part of the preparations and ongoing management of data protection requirements. This can be achieved by learning about GDPR and how to scale that learning and compliance across all your fellow employees. Remember the rule of thumb: it is better to seek clarification than beg forgiveness – where personal data is concerned, this is always the case.
Dr Nathan Lea is a Senior Research Associate at UCL
About Nathan: With special interest in information security, governance and ethics for shared data to support healthcare and industry, together with Ross Bogert at PA Consulting, Nathan has developed an online course in partnership with FutureLearn. The course supports professionals and their organisations to develop their understanding of protecting personal data and be able to handle data in the digital economy appropriately. The course, Introduction to GDPR, is available on FutureLearn.
For more information about GDPR, take a look at the UK Supervisory Authority the Information Commissioner’s Office guide to GDPR available here
Copyright © 2018 FE News