By now, most of us are aware that come May 2018, the General Data Protection Regulation will be coming into force – the biggest change to data protection laws in the last 20 years. This will affect how institutions are able to communicate with students and prospective students – and with the fines being up to €20m or 4% of global turnover, it’s certainly one not to ignore.
Most activity around GDPR is compliance led. All the discussions are focused on what you and your team need to do to be compliant – but institutions may not be aware of what their students need to know. There is lots of talk about the time frames, the fines, the risks, getting a Data Protection Officer in place, the review, the audit, planning for provision etc.
But what are our students’ rights when it comes to GDPR? Are they entitled to their basic information? Do they have a right to access their information? And do they have a right to ask universities to erase their information? In short, yes, and they also have many more rights when it comes to their personal data. We’ll look at them in some more detail here:
Students’ rights to basic information
Under GDPR, data subjects have a right to confirmation as to whether their personal information is being processed and then to receive a minimum set of information regarding that processing. This includes the identity of the data controller, the reasons for processing the personal data and a range of other necessary information to ensure fair and transparent processing. Typically, this is documented in a privacy notice or a series of privacy notices.
Students’ rights to access information
In terms of rights of access, data subjects are also entitled to access the following information:
- The reasons why their data is being processed
- A description of the personal data concerning them
- Details of who has received or will receive their personal data
- Details of the origin of the data if that data wasn’t collected directly from them
If a student wishes to exercise their subject access right and receive a copy of their personal data, they need to issue a subject access request, and that must be issued in writing, physically or electronically.
Students’ rights to rectify their personal data
Data subjects are entitled to have their data rectified if it's inaccurate or incomplete. If the data in question has been disclosed to third parties, you must inform the third party of the rectification and inform the data subject about the third parties to whom their data has been disclosed. The controller must respond to a request for rectification within a month, or this can be extended by two months if the request is complicated.
You could always decide to take no action, but you have to explain why (e.g. the data rectification was incorrect) and inform the data subject of their right to complain if they disagree.
Student rights to erase their personal data
This is otherwise known as the right to be forgotten. The right entitles the data subject to require an organisation that holds this information to delete the data, cease further distribution of the data and have third parties halt processing of the data where the retention is not GDPR compliant. This right is not absolute and is quite often misunderstood. In most cases, provided that an organisation has and maintains a lawful basis for processing the data, it will not be significantly affected by the right to be forgotten.
Students’ rights to restrict processing of their data
Under the Data Protection Act, individuals have a right to block or suppress processing of personal data, and this restriction of processing under GDPR is very similar. Individuals can request a restriction and you can apply it; when processing is restricted, you are permitted to store the personal data but not process it any further. You can retain enough information about the individual to ensure that the restriction is respected in future.
Student rights to data portability
This allows individuals to obtain and reuse a digital copy of their personal data in a safe and secure manner. Data covered by portability requests includes personal data that the data subject has provided as well as any observed data, i.e. anything observed or measured about the data subject, such as marks, grades or attendance records. Two kinds of data are excluded: derived data (data calculated using other values, e.g. ranking data) and inferred data (data created using predictive analytics, such as student risk or intervention records).
Student rights to object to processing their data
Data subjects have a right to object to the processing of their personal data where the basis for processing is either a public interest or the legitimate interests of the controller. This won't apply to many colleges or universities. If it does, the burden of proof is now with the controller, who must cease processing unless it can demonstrate compelling legitimate grounds for the processing.
Student rights to a breach notification
A breach notification to the Information Commissioner is mandatory where the breach is likely to result in a high risk to the rights and freedoms of the individuals. Notification must occur within 72 hours of the breach. Data processors also have a requirement to notify their customers without undue delay of any breach.
If a breach is likely to result in a high risk to the rights and freedoms of those concerned, the individual data subject must be notified directly without undue delay and be provided with specific information about the steps they need to take to protect themselves.
Students’ rights to lodge a complaint
Any data subject has a right to lodge a complaint with a supervisory authority if they consider the processing of their personal data infringes the GDPR. Upon investigation, the supervisory authority shall inform the complainant of the progress and the outcome of the complaint.
Students’ rights to compensation
Any data subject has the right to compensation for material or non-material damage resulting from a GDPR infringement. The compensation could come from both the controller and the processor.
Our company, Tribal, is a provider of services and technology to the education sector. Many of our customers rely on us to manage, host, or process their staff and student data. As such, data protection is absolutely at the heart of everything we do, which is why we are committed to ensuring that our systems, our services and our staff comply with GDPR, and hopefully our clients too.