There is no legal conflict between protecting data and students’ lives

A recent opinion article in Times Higher Education described a “clash between privacy rights and protecting lives” of students in the UK and the USA.

The article, by Iria Giuffrida, assistant dean for academic and faculty affairs and professor of the practice of law at William & Mary Law School in Williamsburg, and Alex Hall, director of legal and compliance services and university solicitor at the University of Hertfordshire, said that universities were being prevented from calling in parents to help prevent potential suicides by “strict data protection rules designed expressly to prevent the sharing of personal data unless specific, complex conditions can be met”.

The authors concluded that “if students are to learn in an environment in which both their lives and their privacy are valued, privacy laws must change – or, at least, be clarified”.

The Information Commissioner’s Office (ICO), the UK’s data protection regulator, is happy to provide that clarification. In reality, there is no conflict between data protection law and the need to protect the lives of young people. UK universities, colleges and further education providers should not hesitate to share personal data to prevent harm to the physical or mental wellbeing of a student in an urgent situation.

We know that universities work hard to provide vital support to students who are struggling and that staff often have to handle sensitive personal information about them. And we are aware that, sometimes, front-line staff at universities are hesitant to share students’ personal data in urgent or emergency situations, citing data protection concerns as the problem. But that should not be the case. Data protection law is clear that organisations can share personal data in urgent or emergency situations, including to help them prevent loss of life or serious physical, emotional or mental harm. 

Put simply, university and college staff should do whatever is necessary and proportionate to protect someone’s life. You certainly won’t get into trouble with the ICO if you share information with someone who is in a position to help a student at risk. We are a pragmatic and proportionate regulator, which means we do not seek to penalise or punish organisations for acting in good faith and in the public interest in an urgent or emergency situation. 

To help universities and colleges feel confident they can share students’ personal information lawfully, we have set out some practical advice. The first tip is to plan ahead. Having an emergency plan in place that takes into account data sharing can help prevent any delays in a crisis, when rapid decisions need to be made.

As a starting point, universities and colleges should consider in advance the types of data they currently hold and which are likely to be shared in an emergency. They also need to consider how they will share the data securely. The best way to do this is through a Data Protection Impact Assessment, which helps you to identify and minimise data protection risks.  

When there is a need for universities and colleges to share students’ data on a more frequent basis, such as with health and well-being organisations, it can also help to have a data-sharing agreement in place so that information is shared in a safe and timely way. Such agreements set out the purpose of the data sharing, cover what happens to the data at each stage, set standards and help all the parties involved to be clear about their roles and responsibilities. 

Staff training should also be prioritised. Staff are more confident in using and sharing personal data appropriately when they have clear guidance and training around their roles and responsibilities. This includes specific advice on how to handle personal information in an emergency situation and how to make appropriate decisions about data sharing.  

The ICO also has many data-sharing resources that can help. Our data-sharing code of practice provides practical guidance on how organisations can share data fairly, lawfully and proportionately, including a specific section on sharing personal data in an urgent situation or in an emergency. Alongside the code, our data-sharing information page has many helpful resources, including myth-busting facts, case studies, FAQs and checklists. Universities UK also has a useful guide.

While sharing personal data can be an appropriate and lawful way to support a student at risk, we recognise that this advice does not resolve all the issues around students’ personal data where there is a mental health concern. But we hope it goes some way towards doing so by busting common data-sharing myths and reassuring universities and parents that data protection law enables data sharing to save lives and protect young people.

Viv Adams is principal policy adviser at the Information Commissioner’s Office.