ICO feedback

The ICO were asked to give feedback on this approach. They do not approve policies and guidance, but they will respond to questions. So the principles of the approach were contextualised in the scenario below and specific questions were put to the ICO casework team for consideration. The questions are based on genuine objections and concerns presented against the overall approach.

Scenario

The university has a set of approved technologies, which have been assessed and approved in terms of their compliance with GDPR. All members of staff have completed basic GDPR training. Lecturers and students use the approved technologies for the administrative and operational aspects of teaching and learning that require the processing or control of their personal data e.g. submitting assignments, accessing materials, communicating.

However, many lecturers and students want to make use of various other technologies to enhance teaching and learning. For example, they might want to have a debate on Twitter, write a blog on WordPress.com, create a presentation using Adobe Spark, or use Voyant-tools.org to analyse a text.

These technologies have not been assessed or approved and so the technologies and services themselves may not be GDPR compliant. There are so many requests to use different tools, and privacy policies may change regularly, so formal approval of all seems unsustainable.

The following questions refer only to data privacy law and the GDPR, and therefore exclude other legal and ethical considerations, e.g. duty of care. We also assume that the learning and teaching activities described do not involve the processing of third-party personal data, i.e. we are focusing on the students’ own personal data and assuming they are not going to handle anyone else’s personal data. We also assume that all students are at least 18 years of age.

The ICO reminded us that:

Data protection legislation deals only with the processing of personal data. In the first instance, the university should establish which of the information it processes relates to an identifiable individual. We have published detailed guidance on the definition of personal data in order to help organisations establish if their processing falls within the scope of data protection.

Q1. If a non-approved technology is mentioned, suggested, or recommended by a lecturer in class, or in course materials, leading a student to decide to use or sign up to that tool, would the lecturer or university be responsible for the way the technology handles the student’s data:
a) If they fail to explain that the tool is not approved by the university?
b) If they clearly explain that the tool is not approved by the university?

The ICO said:

The university would need to establish whether they are the controller of personal data which is being processed by the technology. This means that the university would need to determine the purposes and means of the personal data being collected. If the university doesn’t decide what information is collected or how it is used by the technology, it is unlikely that they would be the data controller and, therefore, wouldn’t be responsible for how the technology then processes the data.

Q2. Can a university permit the following activities, subject to all six subsequent conditions¹, and still be considered GDPR compliant?

  • All students on some courses are required or expected to participate in a regular or sustained digital activity such as blogging or building a portfolio. The university ensures that suitable tools are approved. However, some students wish to use a non-approved technology.
  • A lecturer wants to use an online quizzing/polling tool to make his lecture more interactive. The technology does not require students to create an account or submit anything except a room code and user name, which can be a pseudonym. The technology does collect IP addresses.
  • A lecturer and some of her students want to participate in a social media discussion taking place as part of a subject awareness week.
  • A lecturer has created a special interest page on Pinterest and wants to invite his students to post their own findings and comments.

The ICO said:

There is nothing in data protection law that prohibits the use of certain technology and we can’t comment on whether an activity itself is likely to be GDPR compliant.

In regards to the activities you have mentioned, you would need to consider whether they would require the use of personal data and whether you would be the controller for it. If you aren’t collecting personal data or aren’t the controller for it, you wouldn’t need to consider data protection implications.

¹The ICO was presented with the six principles of LTAP in full.

Q3. With reference to the definition that a controller ‘determines the purposes and means of the processing of personal data’. If a lecturer directs students to content she has created on a non-approved technology, does she and/or the university become a controller by this definition and therefore share some responsibility for how the technology processes the student’s data?

Q4. If the activities described in Question 2 are compliant, subject to the six conditions, is the compliance of the university in any way affected by the privacy practices of a technology itself? I.e. if a student is permitted to use a non-approved, but otherwise privacy-compliant technology (e.g. US-based with Privacy Shield etc.), is the university considered to be any more compliant than if the student had opted to use a less compliant technology (e.g. outdated privacy policy and servers in east Asia)?

The ICO said:

If a lecturer directs a student to a non-approved technology, you would need to consider whether this involves the processing of personal data if they are simply being directed to a particular resource. If personal data is being processed, you should then consider whether the university has any control of the data being entered into the technology. If not, it is unlikely that the university would be the controller in this instance and it would be the sole responsibility of the technology to comply with GDPR. This also means that you wouldn’t be affected by their privacy practices.

Q5. Is there any change to the answers of the previous questions if the students are 16-17 years old?

The ICO said:

Generally, data protection legislation applies equally to children and adults. Therefore, in the circumstance you described, there is unlikely to be any difference in the above advice.
