Data Protection for the HEI sector
A recent enforcement notice issued by the UK Information Commissioner’s Office (ICO) to an educational establishment, for failing to follow UK data protection law when introducing facial recognition technology for cashless catering, has served as a timely reminder to the sector that all personal data must be collected, processed and stored in line with UK data protection regulatory requirements.
It is even more striking that the enforcement notice is specific to an automated decision-making process, at a time when the use of Artificial Intelligence (AI) is beginning to gather pace. Organisations are waking up to the fact that they can benefit from such technology, and the education sector is no different.
The surprise call for a General Election in May 2024 signalled an abrupt end to the passage of the Draft Data Protection and Digital Information Bill through UK Parliament. The Draft Bill had proposed a number of changes to the existing data protection legislative framework in the UK; however, it did not feature in the Parliamentary wash-up session before the General Election, which meant it did not (for the time being) pass into UK law.
Although the recent King’s Speech did feature a new Digital Information and Smart Data (DISD) Bill, the detail of what that Bill will include is still very light. It is possible that parts of the proposed UK data protection reforms that did not make it through the pre-General Election wash-up may resurface. Despite all of this, for now, the UK Data Protection Act 2018 (UK GDPR) is here to stay.
So why is this relevant to HEIs?
HEIs process large amounts of personal data, both as part of:
- Core operations – regarding prospective students, current students and alumni, and
- Day-to-day running operations – regarding recruitment applicants, current and former employees and international tuition fee payments.
The ICO is one of the most active regulators in Europe, with a range of enforcement powers at its disposal including reprimands, enforcement notices, individual prosecutions and, of course, financial penalties (£17.5m or 4% of global turnover, whichever is greater).
ICO enforcement action is publicly available and often picked up by media outlets, which can adversely affect a HEI’s reputation and reduce stakeholder trust, directly impacting brand, reputation and potentially recruitment.
Furthermore, individuals are increasingly aware of their rights in relation to their personal data and of the ability to lodge complaints directly with the ICO if they feel that a HEI has not processed their personal data in line with data protection requirements or indeed their own expectations.
Key data protection compliance challenges
Some of the pertinent data protection compliance challenges facing HEIs include:
- Increased use of AI and innovative technologies – The use of AI and emerging technologies raises privacy concerns and affects the trust of individuals whose information is being processed. HEIs need to be aware of the impact that AI will have on their embedded data protection control environment when implementing and using AI technologies, and of the requirement to incorporate Data Protection by Design and Default in any new technology that poses a risk to individual rights. Given the transformative power and increased use of AI, at the start of 2024 the ICO renewed its focus on ensuring that AI technologies are implemented in a way that complies with the principles of UK data protection legislation.
- Cybersecurity – Data breaches resulting from a cyber-attack remain an ongoing risk. A recent survey indicated that HEIs are more likely to be targeted by cyber-attacks than other educational bodies. HEIs should ensure that internal data breach procedures are robust and fully embedded so that the 72-hour time limit for reporting certain types of data breaches to the ICO and affected individuals is adhered to.
Common pitfalls
From our experience of working in the sector, we have identified several issues that HEIs typically face when maintaining compliance with applicable data protection regulation.
- Tone at the top – ensuring that key decision makers are aware of the potential risks of non-compliance and that they allocate sufficient time and resources to implementation and continued compliance.
- Ongoing employee awareness – ensuring that training and awareness initiatives are embedded in the employee lifecycle so that all employees are aware of key data protection policies and processes, such as data breach response and data subject rights requests, where HEIs have a defined regulatory timeframe in which to respond.
- In-house expertise – Our experience highlights that the role of the Data Protection Officer (DPO) is often ‘bolted on’ to an existing role, meaning that in reality this individual lacks the time, resources and expertise to fulfil the role effectively. HEIs should consider whether there is sufficient expertise in-house or whether it would be prudent to engage a third party for support.
- Oversight of data processing and third-party exposure – HEIs, like many organisations, struggle to maintain complete documented oversight of their data processing and of their exposure to third parties with whom personal data is shared. This oversight is crucial to ensure that contracts with third parties include the relevant data sharing clauses, and additional safeguards where data is shared outside the UK or EU/EEA.
Further information
If you have any questions regarding any of the issues highlighted in this article or would like to discuss how BDO can support your institution with navigating data protection compliance, please contact Christopher Beveridge, Director and Head of Privacy & Data Protection, or Louise Sadler, Senior Manager – Privacy & Data Protection.