Showing accountability for personal data

A few weeks ago I gave a presentation to an audience of university accommodation managers (thanks to Kinetic for the invitation), where I suggested that we should view Data Protection as an opportunity, rather than a challenge.

That may seem strange, given that universities probably have the most complex data flows of any organisation. And there definitely are challenges, resulting from both sides of our hybrid nature as part-business, part public service. From the one we may inherit a feeling that consent is the answer to everything, from the other a tendency to think that data sharing agreements are some kind of magic wand; both sides take us into areas where the legislation is unclear, for example the extent of our public function; research has its own special issues; and there’s always a temptation to assume that if “they” are doing something then it must be OK.

But it seems to me that the new General Data Protection Regulation actually creates an opportunity to distinguish ourselves from bad practice in both commercial and government sectors. The GDPR introduces a principle of Accountability, which I summarise as data controllers demonstrating that they have thought about their data processing activities themselves, rather than simply relying on either data subjects’ “consent” or “common practice” when it gets to tricky areas. For an organisation practising accountability, the law becomes a guide to how to do things right, rather than a barrier to be worked around in the hope that it will be someone else that gets found out.

A tool we’ve used to do that is the Data Protection Impact Assessment (DPIA), which has helped us to a better understanding of the complex balance of interests around running a Security Operations Centre, providing a Learning Analytics Service to universities and colleges, and using data to improve support for student Wellbeing and Mental Health. And DPIAs shouldn’t just be internal activities: by publishing the resulting reports (with redactions if needed, though so far none have been) we can both demonstrate that we have thought carefully about what we are doing, and reassure users and funders of our services that what we are doing is necessary, proportionate, beneficial and appropriately protected.

The positive response we’ve had from law-makers and regulators, as well as users and funders, suggests that this is indeed a distinctive and welcome approach.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
