General Data Protection Regulation (GDPR)


One of MSL’s top priorities is the security of clients’ data as well as data provided by individuals to MSL for other business purposes. For us, this goes hand in hand with maintaining compliance with all applicable legislation and regulation governing the processing of that data.

You will be aware of the updated data protection law, the General Data Protection Regulation (GDPR), which comes into force in May 2018. Whilst MSL regrets it cannot give legal advice to its clients (all of whom should take responsibility for their own compliance), we will share with our clients the challenges of understanding the GDPR and ensuring our compliance over the coming months.

Compliance programme

MSL has an ongoing GDPR compliance programme in preparation for the new laws and we are monitoring guidance from the UK Information Commissioner’s Office (ICO) and European authorities as it becomes available.

At this stage, we believe it will be necessary to make some changes to the privacy terms and notices on the MSL web site and to our European client licence and service agreements.

Our objective is to ensure compliance by MSL and work with our clients as they endeavour to comply too. If you are an existing MSL client and will be affected by this, MSL will be in touch with you in due course.

While the regulations apply directly to all our European clients, our other clients will also benefit from enhanced security and flexibility as a consequence.


MSL proposes to use this page to post relevant news and updates on GDPR to inform and assist its clients to prepare for GDPR compliance.

As product changes are approved for inclusion in MSL’s Roadmap, these will be described on the Roadmap pages and also referenced here.

March 2018

The ICO has published comprehensive guidance on the six available lawful bases for processing data, a checklist to help as you decide the most appropriate basis for your activities (particularly relevant are legal reason and legitimate interest) and two examples illustrating different bases.  Access this guidance here.

February 2018

More ICO Guidance – for clients wondering about the requirements in GDPR for data controllers to document their personal data processing and seeking advice on what to document and how to document it, this article has been published.

And there are some helpful templates to download here. 

January 2018

1. Licence Agreement variations for each of our Student Case Manager clients, which update the relevant SCM terms and conditions for GDPR compliance, are now being sent out for review and signature.

2. ICO Guidance – the ICO has updated additional GDPR guidance on two areas of interest to MSL clients:

  1. Lawful basis for processing – there’s a helpful summary on the possible options under the regulation here

  2. FAQ for the Education Sector – including sections on ‘consent for marketing’ and data portability here 

December 2017

1. Profiling and automatic decision making – the MSL System has popular features which employ these techniques and it is an area which we plan to enhance in the future. So, following the ICO publication of guidance on these issues in October and November 2017, MSL considers that our revised licence agreements need to accommodate clauses which acknowledge these functions and grant permission to MSL from the data controller to carry out such processing (if required). These clauses have been drafted and await our legal advice.

2. Proposed Data Retention Policy – we’re grateful for everyone who has commented so far on the proposal and MSL is keen to solicit more feedback before we finalise it. Please review and let us know what you think!

3. The ICO has published further guidance on the following matters here.

  1. Lawful basis for processing (personal data) – this is particularly important for students’ unions and well worth reading. There’s an example quoted describing how a university might decide on which lawful basis to adopt for processing student data – suggesting a combination of a ‘public task’ option (similar to ‘legal obligation’ but only for public bodies) for some processing and ‘legitimate interest’ and ‘consent’ for others. Note that the ICO does not default to advising the use of ‘consent’ and that ‘legitimate interest’ is very powerful; indeed, the Regulation itself states that, for example, direct marketing to individuals may be considered a ‘legitimate interest’ task for an organisation. Note also that the ICO advises that organisations cannot change the basis of their processing once communicated, without cause.

  2. Profiling and automatic decision making – has been expanded.

  3. Documentation – for data controllers and data processors.

November 2017

1. Consultation with Clients on a proposed MSL data retention policy has continued and an outline of the main principles applying to clients’ student data can be reviewed here (requires log in).

2. The ICO has recently published further guidance documents on the following matters which can be seen here

  1. Reporting of breaches of personal data – there is a helpful table at the end of the document describing examples where reporting is / is not required to the ICO or to affected individuals

  2. Profiling and automatic decision making – including a definition of profiling, which may be relevant to MSL clients who use our System’s capabilities to personalise information presentation or processing

  3. Setting regulatory fines for breach of the Regulation – including factors to be taken into account and outlining where ‘reprimands’ may be more appropriate than fines particularly for minor infringement.

October 2017

Consultation with MSL clients on their requirements for personal data retention, to inform our work on drafting the policy to be introduced in May 2018, is under way. Work has also started on a licence agreement variation applicable to Student Case Manager so that GDPR compliance can be maintained. 

The ICO has published draft guidelines for contracts between data controllers and data processors - read their consultation documents here.

Clients wishing to be involved in MSL's consultation or offer their views are invited to contact

September 2017

MSL has completed the essential legal drafting of new agreements for new clients and a standard contract variation for existing clients to maintain compliance with legislation on data protection through the introduction of GDPR.

We are now consulting with our legal advisers and with clients on the introduction of a standard data retention policy for personal information, which will be included with the new agreements. 

August 2017

Another useful resource from the ICO in the shape of this 12-step checklist to ensure your organisation is prepared for May 2018:

June 2017

The ICO has helpfully provided a self-assessment tool for organisations planning their own compliance programme:

If you have questions about MSL's GDPR compliance programme, please contact us using the form opposite.

MSL Community Q & A

MSL provides this information in good faith for the benefit of its clients but accepts no responsibility or liability for its accuracy in law or otherwise. Clients are advised to seek their own legal advice. MSL reserves the right to modify or delete this information without notice.

Q What if a student changes their mind about their data sharing - i.e. whether it's to give or withdraw permission - is there something in place that can switch on or off a student's data feed from the University without SU staff having to manually do it?

A Adding or removing a student’s data from the feed that is provided to MSL is the responsibility of the data controller i.e. the Students’ Union / Association and/or their University or College.

Q What steps are in place to identify a data breach? I presume we may need to share this with our University in order to help reassure them.

A Our forthcoming GDPR compliance contract change will include MSL’s obligation (if it is MSL’s breach) to report a personal data breach without undue delay and in any event within 48 hours, in recognition of the data controller’s obligation to report to the ICO within 72 hours. If it is the client’s breach (e.g. an unencrypted file goes awry) then it’s their obligation.
