Charities, Public Authorities or Commercial Enterprise? GDPR in the Higher Education Sector

Guest post by Mairi Laird

In May 2018, the 1998 Data Protection Act will be replaced by the General Data Protection Regulation (GDPR). The rules on holding and using personal data – information which can identify a living, breathing human being – are getting tighter, and most of them are about organisations being able to demonstrate that they are following the new rules. GDPR is largely about risk management and accountability. It’s all about proving organisations have the right to process people’s data.

For universities this could be a problem. Many alumni signed up as students at a time way before even the Data Protection Act 1998 and long before the notion of data protection had gained any sway in society. There was no need in the early 1990s to record who gave you that email address and what they said you could do with it. Contact details were ported across from paper records long archived and lost. You had to opt out of receiving emails and phone calls, not opt in. Pre-ticked boxes were common.

Those dealing with GDPR in universities need to be asking themselves, can we demonstrate that we have consent from alumni to contact them?  Do we have a right of reasonable expectation?  Is it reasonable for a university to contact an alum to try to raise money from them?

Universities are charities, regardless of their legal structure, whether founded by Royal Charter, set up as a company limited by guarantee, incorporated trust or a Higher Education Corporation such as Coventry University[1]. Some are regulated directly by the Charity Commission, but most are exempt charities and regulated by the Office for Students in England and equivalents in the rest of the UK. This means that when it comes to communication, the rules applied are those that apply to charities. The Information Commissioner’s Office – the ICO – has taken enforcement action against charities that were contacting people repeatedly to fundraise, and also against those who were wealth screening to find out who were most likely to be the higher earners with the spare cash to donate. They made it clear in 2014 with their action against UCAS that procedures had to be tightened up and rules applied properly.

I am sure you have heard about consent under GDPR and how it’s all about consent. It is and it isn’t. GDPR has 6 lawful bases for processing personal data and consent is only one of these. The bases are:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

So, if you’re storing someone’s personal data, or if you want to use it to contact them, in research or for any other purpose, make sure you can apply one of the above reasons. Otherwise, both you and the university are in trouble, as the university is the data controller for the information, and thus considered liable in law.

Mairi Laird has recently started her PhD in the Faculty of Law and Business, Coventry University, under the supervision of Prof Umut Turksen, Prof Sally Dibb and Dr Sara Degli Esposti. As part of her PhD project, she will be exploring legal and organisational aspects related to the implementation of GDPR in the Higher Education sector.

[1] ‘The Law of Higher Education: Dennis Farrington, David Palfreyman: 9780199297450: Books’ accessed 5/7/2018


