Jisc provides a lot of different services: too many for us to look at each one from scratch before the General Data Protection Regulation comes into force next May. Instead, we’ve identified four different patterns that seem to cover the majority of services. We hope that having a common set of expectations for each pattern will simplify discussions with service managers, customers and users.
The first group is the simplest: services where an individual makes a request to Jisc, we respond to what they’ve asked, and the activity is complete. These transactional services include things like websites, helpdesks, and events. In each case we need to process sufficient information to understand the request and respond to it: for example, for a helpdesk question that’s likely to be your name and an email address or phone number so we can return the answer to you. When you visit a website, we need to record your Internet Protocol (IP) address to send the requested page to your browser. To process an event booking we need a bit more information, but there’s still an obvious point when the transaction is finished and we no longer need to process its associated personal data.
The second group of services involves an individual having a longer-term relationship with Jisc that doesn’t have a natural end-point. For example, you might subscribe to updates from our website, or be nominated as one of our site contacts. Some of the transactional services in the first group may offer you the option to convert to one of these longer-term relationships: for example, you can ask us to save your details for the next time you book an event, express an interest in hearing about related training courses, and so on. For these services we need to think about things like when to send you reminders, which other uses of your information you’ll consider “related”, and so on. In legal terms, Jisc is likely to be the data controller for both of these groups of service.
The third group of services involves an indirect relationship between Jisc and individual users. For a wide range of services we have a direct relationship with one or more individuals at each customer organisation whose role is to authorise others – for example by creating accounts or approving requests – as users of the Jisc service. Since Jisc doesn’t have a direct relationship with these services’ users, we need to think about how to route information and communications via their authorisers. The nature of each service may introduce additional issues: for example, services such as repositories may let users store information that the law expects us to take care of; for services such as personal certificates we can control what information may be stored; but for eduroam there’s no storage at all. In legal terms, Jisc will be a data controller for personal data about authorisers but may be a data processor, on behalf of the customer organisation, for user and stored information. We expect these variations to involve more detailed discussion with service managers, but the basic pattern seems likely to remain the same.
Finally there’s a small group of services that have no relationship with individual users. These include keeping networks, systems and data secure, and other expected activities of either Jisc or the organisations that use our services. Here we need to pay particular attention to the new GDPR requirement of “accountability”: we must ensure that all processing of personal data is justified, that none of it would surprise the individuals whose data may be processed, and that there’s a clear overall benefit to the data protection and other rights of those individuals. We’re considering whether formal Data Protection Impact Assessments of these services will help us both ensure and demonstrate that. With all these services, we need to be as open as possible about what we are doing and how it benefits individuals. With that in mind, it’s helpful that legislators, regulators and others have been stressing that keeping systems and networks secure protects the privacy of those using them.
Over the next few months we’ll be working with service managers to establish which group is most appropriate, and how that can guide them towards GDPR compliance.