Last updated: 
1 week 6 days ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

GDPR: Student Unions

Monday, October 9, 2017 - 09:11

I've been asked how universities can share students' details with their students union. Since there doesn't seem to be any law giving universities "special powers" to do that, the choice seems to be between the six normal legal bases under the General Data Protection Regulation (GDPR). Two of these – legitimate interests and consent – are obvious candidates: the choice seems to depend on whether the union would prefer to receive a near-complete list with tight restrictions on its use, or a partial list that may be usable for a wider range of purposes.

Like its predecessors, the GDPR allows a data controller to process personal data (including disclosing it) where this is "necessary for the purposes of legitimate interests pursued … by a third party" (Art.6(1)(f)). However, if disclosing on this basis, the university must satisfy itself that the students union's interests in receiving the data are not overridden by the rights and freedoms of the individual students whose details are being disclosed. Universities therefore seem likely to require assurances from the union that the data will only be used for a limited set of purposes, and to limit the disclosure to only the data necessary for those purposes. Individual students can object to their data being disclosed (they have a legal right to opt out of union membership in any case), but there is no need to obtain individual agreement from every one.

Alternatively the university might choose to disclose only the details of students who have consented to this. Under Recital 32 of the GDPR, consent must be indicated by "a clear affirmative act", so the university cannot disclose information for those students who remain silent. The union is therefore likely to receive a shorter list under this approach. However the university is not required to apply the balancing test. The union must set out to students what purposes it will use the data for, in such a way that each student has a free informed choice whether or not their information should be disclosed. Provided the university knows that such a choice has been offered and accepted, it should be able to disclose that individual's data.