The UK Government relaunched its efforts to reform the UK’s data protection regime on 8 March by reintroducing the Data Protection and Digital Information (‘DPDI’) Bill, along with a new set of explanatory notes. Although the Bill builds on the UK’s existing data protection framework, the proposed legislative changes should help reduce the administrative burden on universities and make the processing of personal data more straightforward.
Defining personal data
The Bill seeks to clarify the circumstances in which an individual may be considered ‘identifiable’. The new definition will provide universities with greater certainty by categorising personal data as:
- Where the person is identifiable by the controller or processor by reasonable means at the time of the processing; or
- Where the controller or processor ought reasonably to know that another person will likely obtain the information because of processing, and such individual will likely be identifiable by reasonable means at the time of processing.
One of the most significant changes is the clarification regarding legitimate interests. The Bill proposes to replace the balancing test by creating a new lawful ground which recognises particular legitimate interests. These include, among other things, processing for the purposes of national security, preventing crime, safeguarding vulnerable persons and democratic engagement. The Bill also enables the Secretary of State to add new categories.
Universities need to be aware that they will still be required to carry out a legitimate interest assessment when processing other types of personal data. The Bill does, however, include some examples of the types of processing that may be considered necessary for the purposes of a legitimate interest (such as internal administration purposes), which provides a helpful guide for universities when trying to identify a legal basis for the processing.
Of particular relevance to universities is the new definition of “scientific research”, which will cover “any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity”.
Data subject access requests
The Bill proposes to amend the threshold for charging a reasonable fee or refusing subject access request from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. Universities need to determine for themselves whether a request will meet this threshold, and consider the nature of the request and the relationship between the university and the individual in question. The Bill provides guidance on requests that could reasonably be considered ‘vexatious’.
Records of processing
Under the Bill, universities will now only need to keep records of processing where the processing is likely to result in a high risk to the rights and freedoms of individuals. This should help to ease the administrative burden on universities created by the existing requirement to maintain records of all processing activities.
Removal of Data Protection Officers
Universities will no longer need to appoint a Data Protection Officer but must instead designate a "senior responsible individual" who will be accountable for data protection compliance. In contrast to the existing regime, the person must be part of the organisation’s senior management.
In response to the consultation, the Government said it was considering how to amend Article 22 of the UK GDPR to clarify the circumstances in which it would apply, reframing it as a right to specific safeguards rather than as a general prohibition on solely automated decision-making.
The Bill proposes to introduce the new concept of ‘no meaningful human involvement’. The inclusion of an additional safeguard ensures that a decision is only deemed ‘significant’ if a decision produces a legal effect on the data subject or it has a similarly significant adverse effect for the data subject. A significant decision involving special category personal data cannot be taken based solely on automated processing unless the following exceptions apply:
- The data subject provides explicit consent; or
- It is required or authorised by law.
Cookies and tracking technology
By broadening the list of exemptions to when consent is required for placing cookies on a user’s terminal equipment, universities will be able to improve their services. Its important to note that universities will still be required to provide users with clear information on the storage of information, along with a clear option to opt-out of such service.
Although the Bill proposes some significant changes, it does not represent a radical departure from the current law. As universities are already compliant with the UK GDPR, few changes will be necessary (except for designating a senior responsible individual). The Bill does however provide universities with the opportunity to review their current policies and procedures, as well as allowing for greater flexibility over the use of personal data going forwards.
+44 (0)330 045 2747
+44 (0)121 237 3980
You may be interested in...
Browne Jacobson announces key partner appointment to further grow higher education and charities practice
Back in the (Investment) Zone… sort of
Be Connected - Higher Education Spring 2023
Knowledge exchange and intellectual property
Terminating student lettings: a quick guide for landlords
Higher education projects – the end is nigh?
Solar panel projects for higher education institutions
What role do HE employees have to play in public inquiries?
The UK’s Data Protection and Digital Information Bill (No. 2): For universities
Regulating harassment and sexual misconduct in higher education
Government to expand network and Information systems regulations
A pandemic legacy: flexibility
Regeneration: what role can universities play?
The Subsidy Control Act 2022. Putting the new regime into practice
Consultation on holiday entitlement – part-year and irregular workers
FAQs - becoming an academy sponsor
The importance of understanding the transitional provisions under the Electronic Communications Code
Biodiversity Net Gain: positive for nature and an opportunity for landowners
Discrimination comes of age
Law firm picks up record breaking sixth Education Investor Award
Browne Jacobson’s education team has been named as winner of the ‘Legal Advisors to Education Institutions’ category at the Education Investor Awards 2022 for a record sixth time.
Thousands take part in virtual careers event to help increase diversity in the legal profession
Over 3000 young people from across the UK and Ireland took part in a virtual legal careers insight event, aimed at making the legal profession more diverse.
Education team maintains clean sweep of top rankings in latest legal directories
Browne Jacobson’s education team has again been confirmed as a national powerhouse after securing five Tier 1 rankings relating to Education in the latest edition of Legal 500 and maintaining a Band 1 UK-wide ranking for Education in Chambers & Partners UK 2023.
be connected newsletter for higher education - Autumn 2022
Browne Jacobson and The University of Nottingham announce Knowledge Transfer Partnership to promote greater equality, diversity and inclusion in the legal sector and beyond
Law firm Browne Jacobson and the University of Nottingham are launching a ground-breaking two and a half year Knowledge Transfer Partnership which aims to develop and embed long-lasting equality, diversity and inclusion (EDI) principles and learnings into the firm’s practices and processes, amongst its key client-bases and the national legal sector.
Authorship disputes and employment claims
In an academic environment, there can be pressures to publish, particularly where funding is dependent upon research and reputation. Whilst there can be competition between Higher Education establishments to be the first to publish, there can also be internal conflicts over authorship rights where several individuals have contributed to the work.
Subsidy Control Act 2022: economic queries
In July, the long-awaited statutory guidance on the Subsidy Control Act 2022 (Act) was published in draft form (Draft Guidance). A consultation on the draft guidance has recently ended and the results have not yet been published – it may therefore change before the final version is published.
Changes to holiday pay for part-year workers
In July 2022, the Supreme Court handed down its long-awaited Judgement in the case of Harpur Trust v Brazel relating to the correct calculation of statutory holiday pay for part year workers. This decision has implications for all part year workers on contracts which subsist all year round, whether their hours are normal or irregular.
Facing the threat of cyber security breaches
Universities and colleges are not immune from deception by unscrupulous bad actors. The extent to which educational institutions can manage and control risk not only depends on financial management and internal controls, but also the robustness of security and processes which can be exploited from outside the organisation.
Internal reports and privilege
In University of Dundee v Chakraborty, the Employment Appeal Tribunal (EAT) considered whether a first draft of a grievance report could retrospectively be deemed to be privileged.
Data reform in the UK
Since the UK left the EU and are now able to move away from the EU data protection regime, the UK government have implemented a national data strategy with the aim of reducing the burden on organisations but maintaining a high data protection standard.
What opportunities do the REF 2021 results offer universities?
The long-awaited publication of the Research Excellence Framework (REF) 2021 provides universities with opportunities to generate additional income and build upon the quality of their research output.
be connected newsletter for higher education - May 2022
In this edition we provide you with the latest in legal updates, news and insight from the higher education sector.
Harassment and sexual misconduct in Higher Education
Cases involving the handling allegations of harassment and sexual misconduct by Universities continues to hit the news. They are clearly difficult issues for Universities given the competing duties owed to both the reporting individual and the alleged perpetrator and the inevitable sensitivities around the nature of these matters.
ICO consultation on research provisions guidance
The data protection legislation (namely, the UK GDPR and Data Protection Act 2018) contain various provisions that deal with the processing of personal data for research purposes.
Browne Jacobson’s C-suite exec level coaching team appoints two new education specialists
National law firm Browne Jacobson has grown its team behind its dedicated Space + Time executive coaching programme with the addition of two more qualified coaches who will work with clients in the education sector.
be connected newsletter for higher education - February 2022
In this edition we provide you with the latest in legal updates, news and insight from the higher education sector.
Digitising the student experience in higher education: Some practical tips for procurement
Five considerations for HEIs when undertaking an IT procurement for largely “off the shelf” small-scale student-facing applications for online teaching, knowledge stores and document repositories etc.
How will HSE’s focus on occupational health affect UK HE institutions?
What does the HSE's decision to prioritise occupational health inspection & enforcement activities mean for higher education institutions?
Implications of the amended public procurement thresholds
To continue to meet legal obligations, higher education institutions must consider threshold figure changes in the Cabinet Office review.
Fire safety in the higher education sector: looking back and looking forward
Fire safety regulation is undergoing a period of evolution, with many new & far-reaching fire safety developments having significant implications for those responsible for educational premises.