This data must be handled in a way that complies with the Data Protection Act (DPA), which includes an obligation to ensure that it is handled fairly and kept secure. If an institution does not comply with these obligations it could face a fine from the Information Commissioner's Office (ICO) of up to £500,000. Data protection should therefore be an important aspect of regulatory compliance for all HEIs.
Here we explain the key data protection issues that all HEIs should be aware of.
Appointing a Data Protection Officer
Institutions should appoint a data protection officer (DPO). This individual should be referred to in your data protection policy so that staff can ask questions and refer data protection issues to him/her. It is important that staff know who holds overall responsibility and accountability for data protection within your institution.
The DPO should also take responsibility for organising staff training, investigating any suspected information security breaches and keeping up to date with best practice.
Implementing Staff Training, Policies and Procedures
Staff who lack awareness of data protection can make costly mistakes, including failing to keep personal information secure or using it inappropriately.
Training will enable staff to understand data protection issues and what measures should be taken to minimise risk. It should cover everyday data protection issues, such as the rules regarding information sharing and information security. All staff should attend such training, preferably on an annual basis. Staff should be made aware that they can be personally liable for some breaches of the DPA.
As part of their training, staff should also be made aware of your data protection policy and where to find it. The policy should contain practical guidance for staff to follow in certain situations. It should be reviewed and monitored to ensure it is up to date and reflects how the institution works in practice.
Home Working and Using Personal Devices
Staff are increasingly using personal electronic devices for work. This can give rise to data protection issues, as institutions will have less control over the security and management of such devices. However, there are a number of options for managing this.
One option is to provide secure remote access software (for example a VPN or remote desktop service) so that personal data stays on institutional systems rather than being copied onto the device. This is more secure than allowing staff to send work-related emails, which often contain personal data, through web-hosted personal email services such as Gmail, where the institution has no control over how the data is stored or secured.
A further measure is to install device management software on devices used for work purposes, such as smartphones issued by the HEI. Such software typically lets the institution require a passcode and encryption and wipe the device remotely if it is lost or stolen, which helps to ensure that data remains secure when staff use phones to access work-related emails and documents.
Marketing and Promotional Materials
When personal information is used for marketing purposes there are additional rules that must be followed.
Before using personal information such as students' email addresses for marketing, your institution should be clear on whether it is allowed to use this data for marketing and fundraising purposes. People should be told, at the point their personal information is collected, that they may be contacted by you, but there may be extra obligations depending on the nature of the marketing activity; for example, prior consent is normally required before sending marketing emails.
If your institution uses purchased marketing databases you should ensure you are confident that the data was collected with consent to use it for marketing purposes.
Privacy Notices and the Right to Know
The DPA gives individuals the right to know how information about them is used. The obligation to provide this information rests with the HEI.
This obligation is usually discharged by displaying a 'privacy notice' on the institution's website and including it in any welcome pack given to students or employees. The notice should clearly explain how the institution uses the personal information it holds. It should be made available to anyone who requests information about him/herself, including employees and members of the public.
Subject Access Requests
Under the DPA, individuals have a right to ask for and receive the personal data that you hold about them. A request for such information is known as a subject access request (SAR).
SARs are often made for tactical reasons, for example to force disclosure of information which may assist in an employment tribunal claim or other litigation. Whilst exemptions allow some information to be withheld, a SAR must still be responded to, and within the statutory time limit (40 days under the DPA).
Institutions should also note that there is no exemption for 'embarrassing' emails. Staff should be warned that unprofessional and insulting comments made via email may have to be disclosed in response to a SAR.
Data Protection Audits
Conducting regular data protection audits is an effective way to minimise the risk of data protection issues arising and to keep practices up to date. The institution's DPO should periodically conduct an audit or engage a third party to assist in order to obtain an independent viewpoint.
An audit should be carried out whenever an institution starts using personal data differently, for example when a new website is launched, a new campus is opened, or data is held in a new way.
You should be aware that an institution remains liable, as data controller, for the acts and omissions of contractors it engages to process personal information on its behalf. The DPA requires such processing to be governed by a written contract, so contracts with organisations such as IT and payroll providers should contain robust data protection provisions that ensure compliance. In our experience the wording used in most contracts is inadequate. You should also regularly monitor, review and audit your contractors' DPA compliance.
Institutions should check whether their existing insurance policies cover data protection risks, as ICO fines or the costs of complying with a mismanaged SAR can be extensive.
Insurers now offer 'cyber insurance' which covers information security risks, including hacking and data theft. HEIs should consider taking out such insurance if their current arrangements do not provide for this.