
Students’ Unions 2011 Data Protection and Students’ Unions Mairead O’Reilly 19 July 2011.


1 Students’ Unions 2011 Data Protection and Students’ Unions Mairead O’Reilly 19 July 2011

2 What we will cover today
1. Overview of relevant data protection law
2. Data sharing between universities and students’ unions
   • data sharing under Data Protection Act 1998
   • rules on electronic marketing
3. Discussions with universities

3 OVERVIEW OF DATA PROTECTION LAW

4 Overview of data protection
• Which of the following are personal data?
   • photo of a student attending an event
   • a student’s details on a card index held by a students’ union
   • an email address
   • “suppressed” details of a marketing contact
   • details of a business or organisation
   • details of delegates at a conference or attendees at a workshop

5 Definition of personal data
Personal data
• Information about a living individual from which they are identifiable (either from that piece of information or in conjunction with other personal data held)
• Paper records
• Non trivial

6 Sensitive personal data
• Racial or ethnic origin
• Political opinions
• Religious or similar beliefs
• Trade union membership
• Physical or mental health or condition
• Sexual health
• Criminal offences or alleged offences

7 Processing
• obtaining
• recording
• holding
• organising
• adapting
• amending
• destroying
• retrieving
• consulting
• using
• disclosing
• blocking
• erasing
• sharing/transferring!
• very widely defined

8 Who is responsible for compliance with the Data Protection Act?
Data Controller
• The organisation which determines how personal data is used
• Must comply with the Data Protection Act
Data Processor
• Not subject to the Data Protection Act
• Are students’ unions data controllers?

9 Contracts with Data Processors
• Data controller remains liable
• Data Processing Agreements
• Data processors to act only on instructions of data controllers
• To comply with all of the obligations imposed on the data controller

10 The Eight Data Protection Principles
1. Fair and lawful processing of personal data
2. Obtained only for specified and lawful purposes
3. Adequate, relevant, not excessive
4. Accurate and up-to-date
5. Not to be kept longer than necessary
6. Process in accordance with subjects’ rights
7. Appropriate security measures (technical and organisational)
8. Do not transfer outside EEA without adequate protection

11 Fair processing information
• Who are you – data controller
• What will you use the information for
• Anything else, e.g. sharing lists with third parties

12 Fair and lawful processing
Also must fulfil a Schedule 2 condition, most likely to be either:
• consent
• legitimate interests (balancing act)
• necessary for compliance with a legal obligation or to perform a contract
• vital interests

13 Sensitive personal data 1
• Must satisfy one Schedule 2 condition and Schedule 3 conditions
• Obtain explicit consent
• Unless already in public domain
• Under legal obligation in connection with employment

14 Sensitive personal data 2
• Not-for-profit organisation – political, philosophical, religious, trade union purposes – limitations apply
• Vital interests of individual or another person
• Medical proposals by medical profession

15 Electronic marketing
• privacy and electronic communications regulations apply to email, faxes, text messages, picture messages, automated calling systems

16 Electronic marketing
• no unsolicited e-marketing to “individual subscribers” without consent
• opt-out or opt in by tick box or statement when data collected
• consent must be given to the sender (i.e. no lists received from the university unless marketing is solicited – of which, more later)
• exception: prior consent not necessary for existing relationship in connection with sale of similar goods/services

17 Direct marketing - restrictions
• Section 11 Data Protection Act notice allows individuals to stop direct marketing
• Mailing preference service
• Telephone preference service

18 DATA SHARING BETWEEN UNIVERSITIES AND STUDENTS’ UNIONS

19 “We cannot share student data with you because of the DPA”
• Does the university have a legitimate basis for sharing under the DPA?
• Is sharing in keeping with expectations of students?

20 Legitimate basis under the DPA
• Consent usually not required unless data being transferred is sensitive
• Transferring to students’ unions is a form of processing
• Need to satisfy Schedule 2 condition
• Legitimate interests (balancing exercise):
   • legitimate interest of students’ unions in reaching and providing support services to students

21 Is sharing consistent with expectations of students?
• Fair processing information:
   • Who is data controller? University
   • Purposes for which data will be used
   • Any further relevant information, e.g. sharing with students’ unions
• New purpose
• Unexpected use of students’ data
• Preferable to tell students about sharing at the outset in enrolment forms

22 Email marketing by students’ unions
• Privacy and Electronic Communications Regulations 2003
• “Marketing” widely interpreted
• Consent to be given to sender of marketing
• Unions cannot rely on consents given to universities
• Make marketing “solicited”

23 Solicited marketing
• “I would like to be kept updated about [x] Students’ Union’s activities, so that the Union can contact me about student affairs.”
• Universities to use this wording when first collecting students’ data

24 Other options 1
• Send pre-marketing email and seek consent for further communications (technically not compliant)
• Arrange for Universities to send marketing on Unions’ behalf (impractical?)

25 Other options 2
• Risk-based approach:
   • risk of enforcement low provided no complaints
   • consent given to universities
   • technically, consent required
• PECR do not apply to marketing by post

26 How to avoid this issue going forward?
• Encourage universities to inform students at enrolment that their information will be shared with students’ unions
• Include data protection obligations in MOU with university:
   • require university to transfer students’ data
   • undertaking from university to inform students that data will be shared with students’ unions
   • require university to obtain necessary consent for electronic marketing

27 Template letter to university 1
• Transfer of names, addresses and non-sensitive personal data does not require consent
• Reference to Schedule 2 condition – legitimate interests
• Fair processing:
   • reference to student enrolment form
   • sharing consistent with expectations of students

28 Template letter to university 2
• Electronic marketing:
   • confirm whether consent of student obtained
• Students’ unions offer to take responsibility for ensuring necessary consent obtained before sending electronic marketing
• Future:
   • agree wording on enrolment form

29 DISCUSSION

30 Mairead O’Reilly Associate Bates Wells & Braithwaite 2-6 Cannon Street London EC4M 6YH m.oreilly@bwbllp.com Tel: 020 7551 7613

