As part of the nation’s post-pandemic recovery, there has been a government push for universities and educational institutions to reopen safely in 2020, although experts have warned of the need for rapid detection and containment of outbreaks to help limit transmission to the wider community.
The published principles for managing coronavirus transmission associated with higher education endorsed by SAGE stress the importance of clear strategies for testing and tracing. With strict fines and penalties in place for data breaches and leaks, it’s essential that universities know what they should and shouldn’t be doing, particularly when collecting medical information relating to their students. So, what systems should they have in place to ensure their students’ data is processed lawfully and kept as safe as it possibly can be?
University staff and students must be aware of what happens to their data; this means processes must be completely clear and transparent. Institutions should also bear in mind that the only acceptable circumstance for health or track and trace data to be shared in the case of Covid-19 is if a public health body, for example Public Health England (PHE), requests it. It is therefore essential that processes are in place to avoid mixing or aggregating it with other data that might be shared elsewhere by mistake.
While all personal data should be protected, there are considerable privacy implications of identity-based health tracking, such as biometric data and immunity passports. Under GDPR, biometric and health data are labelled as a ‘special category’, making them the most classified type of personal information an institution may hold. Any data breaches or failure to comply with these regulations will incur steeper fines than breaching GDPR rules for ‘non-sensitive’ personal data.
Data for health
When universities collect biometrics and health data, including fingerprints and temperature data, they must comply with stricter data- protection conditions than those that apply to other types of data. These include establishing a legal justification for the collection, which usually includes gaining consent; this must be a genuine exercise of informed choice for the students concerned. They should therefore be able to refuse consent without detriment. Institutions will also be required to undertake a data protection impact assessment to assess, amongst other things, the purpose of the collection of the data, its efficacy, and whether a less intrusive means could be deployed to achieve the same purpose.
Universities may need to adapt their processes to obtain specific consent for testing, which may be via an app or by including a consent form alongside any online application or registration options. Given that students are not isolated from their local communities, it would significantly help institutions if any testing they conduct was integrated into a local or national public health ‘test, track, and trace’ system. This would provide a clear legal justification for mass testing of students without the need to rely on consent.
For many universities, student data and feedback form a key part of their marketing strategy. One of the most obvious risks of a data protection breach is using email addresses collected for one purpose, such as tracing, for another purpose, such as for marketing. At a time when universities are dealing with large amounts of personal information, it’s even more important to ensure organisation and administration systems are watertight. Ultimately, a university’s framework for processing data needs to be endorsed by its governing body, and to remain GDPR-compliant they must ensure information is stored safely, to prevent unauthorised use or use for incompatible purposes.
As is the case with any confidential information, personal data must be disposed of correctly, whether through professional shredding services (for information stored physically) or software (where data is stored digitally). It is also important for universities to ensure this is completed within the 21-day limit set by the Government in its track and trace guidelines. Universities may need to plan their data disposal carefully around term dates or holidays if external services are required, to guarantee data is not kept for more than the specified 21 days.
Initiatives, such as testing students for Covid-19, raise complex data-protection questions. Consistency across the HE sector would be a welcome step forward, but until HE is integrated into a local or national public health testing system, institutions must ensure that they have a legal justification for testing and decide whether testing itself is even proportionate. If it is, they must inform students on how their data is going to be used, including what the consequences of a positive test are and how those consequences will be enforced. Data protection laws should not be a barrier to keeping students reasonably safe in a pandemic; all institutions should be able to keep their student bodies safe without unreasonably intruding on their privacy.