Universities that are not already preparing to introduce their staff to new requirements now have just eight months to do so.
There are many aspects of the new regime that have caught the attention of the media, such as the 'right to be forgotten', direct liability for processors and the extended definition of personal information to include biometric, genetic and pseudonymised information.
However, the most far-reaching impact will be the move away from the current use of consent as the default basis for processing personal data. In future, data subjects will be able to withdraw their consent at any time, making it impractical as the basis for long-term processing, as with student records, employees and alumni. In addition, consent will have to be on the basis of much more granular information about the specific processing operations and any sharing with third parties. It will not be possible to obtain a ‘general consent’ to use someone's personal data, nor to operate by use of ‘opt-out’ requirements.
In general, universities will be able to use a different lawful basis for processing and will not need to rely on consent. This will be much more straightforward in relation to processing of new information. It will, however, require consideration of the position in relation to existing information, in particular where past consents are not likely to meet the required standard for GDPR compliance.
This article sets out the considerations relating to establishing other lawful bases of processing personal data as they affect universities.
The GDPR has a wider territorial scope than the old DPA regime. It covers all processing that:
This provision may also catch overseas campuses, even if they are not ‘established’ in the UK, if they offer remote access to their courses to students in the EU or use e-learning tools to monitor the progress of EU students at those campuses. It is also potentially wide enough to catch recruitment activities by them which are directed at EU students.
The GDPR provides five other ways of processing that may be more appropriate than consent. It is likely that universities will use different bases for different purposes.
Article 6(1) sets out the possible lawful bases of processing for ordinary personal data:
(a) – Consent of the data subject – as explained above, this may not be a practical arrangement for most university purposes and should be considered only where there is no other more appropriate basis;
(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract – this condition will cover, for example, employees, consultants including external examiners and visiting or honorary academic post-holders, suppliers and students in relation to their contract with the university;
(c) – Processing is necessary for compliance with a legal obligation – this will be appropriate for such tasks as deducting tax, pensions and social security requirements;
(d) – Processing is necessary to protect the vital interests of a data subject or another person – this allows information to be shared in life-threatening situations;
(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – this is only available to public authorities carrying out their public tasks. At present it is not clear whether – or to what extent – a university is a public authority. Clarification is expected from the UK government but it seems likely that at least in relation to some functions, such as undergraduate teaching, universities may be public authorities. To the extent that they are, this will provide an additional basis for processing data that is not covered by sub-paragraph (b); and
(f) – Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject. Note that this condition is not available to processing carried out by public authorities in the performance of their tasks so may not apply to all university functions. However, it will be a helpful basis where functions (perhaps such as providing optional online learning tools) fall outside any public authority remit. This is likely to include any technology transfer and commercialisation activities.
Article 9(2) sets out the lawful bases of processing for special categories of personal data: these are broadly the same as ‘sensitive’ data under the current regime but have been broadened to include genetic or biometric data used to identify an individual:
This is likely to bring security and access systems within the additional requirements for special categories of data and may require explicit consent (which can be withdrawn).
Whatever bases are used for the various personal data processing activities, universities will need to document the relevant decisions so that they can demonstrate to the ICO which lawful basis is being used. Data protection impact assessments can help with the task of understanding how to meet the conditions for processing and the requirement for universities to demonstrate accountability under the GDPR.
Adapted by the University Business magazine.