Applying ICO advice
March 2, 2020, 13:40
How should we apply the ICO advice?
The ICO's feedback on the approach is clear: the GDPR is concerned only with the controlling and/or processing of personal data.
The ICO said that the GDPR does not prohibit particular technologies; it is the activities carried out with them that need to be GDPR compliant. This validates the reasoning behind the four pathways and six principles.
If you are not the controller or processor of the personal data, then you are not responsible for how it is processed by someone else. You might have ethical or other responsibilities, but as far as GDPR is concerned, you are not responsible for their compliance.
There is some nervousness about the scope of the official definitions of controller, processor, and personal data. Let’s review them as set out in Article 4 of the GDPR:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
How do you ensure activities are GDPR compliant?
Based on the ICO advice, whether an activity is compliant will depend on your answers to the following two questions:
- How are students being directed to the technology – does it involve you/your institution processing their personal data?
- Are you/your institution determining the purposes and means of the processing of personal data?
The six principles are designed to address these two questions.
So, to direct students to technologies without you/the institution processing their personal data, you would need to ensure the following:
- hyperlinks to the technology clearly identify the destination of the link and that it is external;
- you/the institution do not have a contractual relationship with the technology provider that influences how it processes personal data; and
- you do not act on behalf of the student by signing up or logging in using their details.
Two further things bear on whether you/the institution are determining the purposes and means of the processing:
- the direction you give to students about how they engage with the technology; and
- anything you/the institution has done to affect how the student shares their data with the technology.
So you would avoid, for example, instructing students how to populate their online profile. Instead, advise them to think carefully before sharing their details, and not to share anything if they are unsure; in some cases, encourage them to remain anonymous. If the technology lets you create a page or group, be very careful: creating a group may redefine you as a processor or even a controller, since you may then be determining the purposes and means of that processing.