Top three corporate, commercial and regulatory challenges for the higher education sector
With continuing funding pressures and a general election on the horizon, the next 12 months are likely to bring change.
Here are the top three legal challenges facing the higher education sector in the next 12 months from a governance and commercial perspective - aside from the obvious challenges of rising costs and a stagnant funding regime which pervades all aspects of university operations.
1- Successfully navigating the extensive laws and regulations applicable to increasingly diverse operations
A university's business, and its regulation is complex. Diversification of income generation is a key and necessary part of the strategies of higher education institutions. It can offer both potential risk and reward and often involves partnership working. New activities, and the frameworks in which they are undertaken, need to comply with applicable law and regulation, mitigate risk for the university and deliver the benefits expected to be achieved. Navigating and keeping up to date with the myriad of laws and regulation applicable to an increasing range of activities and the frameworks in which they are undertaken, is an increasing challenge.
For example, in international ventures, understanding the local laws and cultures is vital for securing success, so having local knowledge and a reliable local partner is key. Taxation rules may impact repatriation of income generated abroad and UK laws could constrain the transfer of university data or intellectual assets into the jurisdiction, so these all need to be well understood.
Research and innovation initiatives, which often involve international partners and licensing arrangements, need to ensure the requirements of the National Securities and Investments Act are met. Whilst now a relatively well established piece of legislation, its breadth of application poses a challenge for the HE research sector. Ever-expanding sanctions lists need to be regularly checked and export controls heeded. Where large datasets comprising personal data are involved, data protection compliance is essential for credibility and success.
Research grants for applied research are increasingly focussing on outcomes and public impact and there is rising pressure on research groups to translate their knowledge and commercialise valuable IP and know-how. Again, NSIA and export controls are increasingly relevant and with the involvement of industrial partners, the UK subsidy control regime and procurement rules often come into play.
For riskier ventures or non-core activities, charity law requires trustees to consider using subsidiary companies which poses additional challenges for governing and resourcing the entity in a legally compliant way, whilst protecting the HEI's interests and reputation. Even for your core business, legal regulation and Office for Students' guidance are regularly changing.
For example, this year you will have to get to grips with the new Procurement Act 2023 coming into force and its application. The new Act promises to speed up the procurement process and improve transparency, as well as consolidating and simplifying the existing EU based procurement regime. If an institution considers itself to be public authority and therefore within the scope of these new rules, it needs to prepare for the implementation of the new rules.
How can you address this?
- Having a reliable team of legal advisors on hand to provide comprehensive, practical and timely solutions across the full spectrum of legal and regulatory issues and ensuring you consult them before entering into new markets, initiatives or partnerships as part of your risk/reward evaluation.
- Regular training on legal and regulatory issues for the HE sector.
- Developing checklists and risk assessments to complement internal approval systems which ensure that key legal and regulatory implications are addressed at an early stage and not overlooked.
- In respect of procurement compliance, many universities are reconsidering their public authority status and some have already opted out of the regime which allows greater flexibility and autonomy around how they place contracts and receive services. With an increasingly diverse range of operations undertaken in a university, this can be real benefit, both operationally and financially.
2- Use of Artificial Intelligence
Artificial Intelligence poses many challenges and opportunities for HEIs and you will no doubt be exploring the benefits AI has to offer across your operations. Currently, the use of generative AI is relatively unregulated but this is a fast moving area and any systems/applications using AI need to be able to adapt in the event of future regulation.
Whilst there are many moral and ethical debates around the use of AI, particularly in education, a real and immediate challenge for universities is how its use is impacted by the institution's data protection responsibilities and obligations.
Data protection law does not stand in the way of this innovation but requires you to carefully consider how to be compliant before processing personal data using AI. There are risks that AI can lead to discriminatory outcomes, eg when AI is trained on information that is unbalanced or biased. This has implications for data protection compliance if it leads to unjust discrimination and a violation of the UK GDPR fairness principle. The National Cyber Security Centre has highlighted the cyber risks created by generative AI which also need to be guarded against.
Another area of consideration when using AI is intellectual property, in particular in relation to potential infringement claims against the university for unauthorised use of a third party's IP, but also use of any university owned IP by the AI tool. Any information that the university inputs into the AI tool can then be used by the AI tool which in turn may give rise to infringement. We are starting to see an increasing number of IP infringement claims in relation to the use of AI tools.
It goes without saying that the use of AI by university staff and students needs careful consideration. The potential application of AI within universities is vast given the breadth and complexity of university operations and with AI tools becoming increasingly sophisticated, universities will need to keep up to ensure that those AI tools are used appropriately.
How can you address this?
- Even though not a strict legal requirement, carrying out a Data Protection Impact Assessment is a useful exercise to methodically consider and document data protection compliance.
- Considering how to avoid a personal data breach when using AI by ensuring appropriate technical and organisational measures are implemented to keep personal data secure. What measures are appropriate will depend on the specific AI system and what you are using it for but they are likely to include controls around what personal data you permit staff to input into the AI system and considering how the AI integrates into your existing IT system.
- Considering what training, policies and procedures are needed to ensure those who are processing personal data using AI do so in line with the legal and regulatory requirements. To guard against cyber security risk, your information security training for staff should include how to spot phishing emails and any training should remind staff what counts as personal data to guard against staff assuming that removing names is sufficient to anonymise information.
- More generally, ensuring adequate policies are in place in relation to the use of AI tools by staff and students, recognising that those policies need to be able to adapt to respond to any regulations that may be introduced.
3- Maintaining robust systems of governance and accountability
Particularly where a strategic focus is given to diversification and supporting financial sustainability through income generation and cost efficiencies, higher education institutions must avoid taking their 'eye off the ball' regarding the quality and sustainability of their core business - their academic offering and research activities.
With a regulator focused on quality, financial sustainability and value for money for students, universities need to be able to demonstrate robust and effective internal systems for governance, control and accountability across all its activities and operations. These are essential for ensuring ongoing compliance with OfS conditions of registration, reporting obligations and obligations as a charity to advance education and research for the public benefit.
University trustees need assurance that the institution is making robust, well informed and reasoned decisions which stand up to regulatory scrutiny and appropriately safeguard charitable assets, in line with trustees' fiduciary duties.
How can you address this?
- Regularly review your delegation frameworks, policies and systems of monitoring and internal control to ensure they are fit for purpose; place decision-making at appropriate levels within the institution; and support effective monitoring and oversight of institution-wide activities, including those of subsidiaries, joint ventures and collaborations.
- Regularly review your risk register and ensure sufficient scrutiny of the executive team's implementation of risk mitigation strategies.
- Build 'stress testing' of project scenarios against OfS conditions of registration, particularly financial viability and sustainability, into decision-making on key strategic projects, to support the assessment of potential regulatory breaches and the triggering of a reportable event notification.
- Provide training for trustees and senior executives regarding their legal and regulatory duties and obligations.
- Ensure robust monitoring and management of conflicts of interest, especially in intra-group arrangements which need to be managed on an arms-length basis.