Applying ICO advice

How should we apply the ICO advice?

The ICO feedback on the approach is clear: the GDPR is only concerned with the controlling and/or processing of personal data. 

The ICO said that GDPR does not prohibit certain technologies, it’s the activities that need to be GDPR compliant. This validates the reasoning behind the four pathways and six principles.

If you are not the controller or processor of the personal data, then you are not responsible for how it is processed by someone else. You might have ethical or other responsibilities, but as far as GDPR is concerned, you are not responsible for their compliance.

There is some nervousness about the scope of the official definitions of controller, processor, and personal data. Let’s review them:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law’

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’

How do you ensure activities are GDPR compliant?

Based on the ICO advice, it will depend on your answers to the following questions:

  • How are students being directed to the technology – does it involve you/your institution processing their personal data?
  • Are you/your institution determining the purposes and means of the processing of personal data?
 To achieve GDPR compliance under pathways 3 and 4, you need both answers to be NO. Otherwise, they need to be referred to pathways 1 and 2.

The six principles are designed to address these two questions. 

So, to direct students to technologies without you/the institution processing their personal data, you would need to ensure the following:

  • Hyperlinks to the technology clearly identify the destination of the link and that it is external;
  • You/the institution do not have a contractual relationship with the technology that influences how it processes personal data;
  • You do not act on behalf of the student by signing up or logging in using their details.
And to ensure that you/your institution are not determining the purposes and means of how the technology processes student data, you would need to think about:
  • the direction you give to students about how they engage with the technology; and
  • anything you/the institution has done to affect how the student shares their data with the technology.

So, you would avoid, for example, instructing students how to populate their online profile. Instead, advise them to think carefully before sharing their details and not to share anything if they are unsure. Encourage them to maintain anonymity in some cases. If the technology enables you to create a page or group, be very careful. Creation of a group may redefine you as a processor or even controller. 

It is not possible to imagine each and every scenario that might arise, so activities should be thought through carefully and watch out for grey areas. The most important aspect of your approach will be communication. Be very clear with students that they should determine their relationship with external technologies and that you respect and support them if they choose to opt out.
 
The ICO has created checklists to help you decide whether you are a controller or processor. View checklists.
css.php
Select the fields to be shown. Others will be hidden. Drag and drop to rearrange the order.
  • Image
  • SKU
  • Rating
  • Price
  • Stock
  • Availability
  • Add to cart
  • Description
  • Content
  • Weight
  • Dimensions
  • Additional information
  • Attributes
  • Custom attributes
  • Custom fields
Click outside to hide the compare bar
Compare
Wishlist 0
Open wishlist page Continue shopping