Data Protection Issues
The Approach
The plan was to use previous NIIMLE and WeTN agreements as a starting point for the development of an agreement between the SURF partners in SUNIWE. It was envisaged that service-based approaches would arise from current and future projects within SURF and Staffordshire University, so it was seen as an opportunity to establish an agreement with the whole of SURF. The aim was to produce an agreement that could be adopted by WeTN for the WeTN portal.
An agreement was required because of the origin and nature of the data being displayed by the portal. Each institution in SURF held personal data about the learner (name, address, etc) and acted as data controller for that data. The project proposed that a user would authenticate at their local institution and use the portal to view personal information from each institution that they were registered with. The personal information would be provided via Web services which would each query the student record system at their institution. The portal would call the Web services and aggregate and display the data. The portal would be hosted centrally on a Staffordshire University server. The key data protection issue was that information from the SURF Colleges would be processed by Staffordshire University in the portal. This would require an agreement between the data controllers (all of the institutions) and the data processor (Staffordshire University) where the portal was hosted.
Pilot Agreement
The Staffordshire University Information Protection and Security Officer and the University Solicitors were consulted. The agreements from previous JISC projects (JISC-SHELL and NIIMLE) were reviewed as a starting point, but these were focused more on learner records than on personal information. It was decided that the most pragmatic way to progress was to pilot an agreement with the project partner colleges at Stoke-on-Trent and Shrewsbury to cover the SURF portal pilot. This pilot would then be evaluated and the agreement amended accordingly. Finally, the agreement would be rolled out to the rest of the SURF Colleges. The pilot agreement or the amended agreement would be used for the WeTN portal, depending on the timing of the WeTN portal pilot. WeTN investigated their requirements relating to the agreement in parallel with SURF so that all requirements could be considered for the SURF pilot agreement. At WeTN, tutors were planned to be more involved in accessing information.
In discussions of the workings of the portal with the various experts, it was important to stress that the learners would not have direct access to the student record databases as the information would be delivered via a Web service with a tightly defined set of operations limiting the information that would be delivered. Learners would only have read access to the information their institution held about them. Similarly the University would not have direct access to the College databases. It was also important to make it clear that the processing of the data by the University was purely presentational, i.e. raw XML from the Web services was turned into XHTML for display.
Communicating the concepts of the service-based approach to the non-technical legal experts was a challenge. It was essential to get the technical experts to explain the workings of the system directly to the legal experts. Passing on detailed information about the system to the legal experts via an intermediary was quickly found to be counter-productive. The best arrangement was to get the legal, DP and technical experts together.
Scope at SURF
The portal would only be accessible to students on Staffordshire University courses, hence the data protection agreement would only apply to students on Staffordshire University courses within the SURF Colleges. It was agreed that the DP consent form that students sign when they join the University would be sufficient to cover this use of the data.
Other Requirements
The project had identified a requirement related to e-resources for sending information to specific groups of users, e.g. the Careers Service would like to send specific information to particular ethnic groups and social groups. The personal information could not be used to target groups in this manner, but the requirement could be satisfied via a subscription-style solution, e.g. a general statement to all learners on a portal page saying something like “If you would like information on… click here”. It would need to include a disclaimer covering how the learner’s personal details would be used and how long those details would be kept.
Test Data
Because of the personal nature of the information, data used in development and testing of the Web services and portal needed to be anonymized. This was done by exporting data from the databases and writing scripts to shuffle and edit fields.
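The shuffle-and-edit approach described above, sketched as an added example (this is not the project's own script; the field names and sample rows are constructed for illustration). Direct identifiers are overwritten with synthetic values and the remaining columns are shuffled independently so that values no longer line up with the learner they came from.

```python
import random

# Constructed sample export; field names are assumptions, not the project's schema.
EXPORT = [
    {"student_id": "S1001", "name": "Alice Archer", "address": "1 Mill Lane",
     "postcode": "ST4 1AA", "course": "BSc Computing"},
    {"student_id": "S1002", "name": "Bilal Khan", "address": "22 High Street",
     "postcode": "SY1 2BB", "course": "FdA Business"},
    {"student_id": "S1003", "name": "Carys Jones", "address": "7 Canal Road",
     "postcode": "ST5 3CC", "course": "BA History"},
    {"student_id": "S1004", "name": "Dev Patel", "address": "9 Station Walk",
     "postcode": "SY2 4DD", "course": "BSc Nursing"},
]

# "Edit" step: direct identifiers are overwritten with synthetic values.
SYNTHETIC = {"student_id": "T{:04d}", "name": "Test Student {}",
             "address": "{} Example Street"}
# "Shuffle" step: these columns keep realistic values but lose their row linkage.
SHUFFLED = ("postcode", "course")


def anonymize(rows, seed=None):
    """Return a copy of rows with identifiers replaced and other columns shuffled."""
    rng = random.Random(seed)
    out = [dict(row) for row in rows]
    for n, row in enumerate(out, start=1):
        for field, template in SYNTHETIC.items():
            row[field] = template.format(n)
    for field in SHUFFLED:
        column = [row[field] for row in out]
        rng.shuffle(column)  # each column gets its own permutation
        for row, value in zip(out, column):
            row[field] = value
    return out


def leaked(original, anonymized, fields):
    """Original values of the given fields that still appear in the output."""
    seen = {row[f] for row in anonymized for f in fields}
    return sorted({row[f] for row in original for f in fields} & seen)


def intact_rows(original, anonymized, fields):
    """Count output rows whose shuffled fields still match the same original row."""
    return sum(all(o[f] == a[f] for f in fields)
               for o, a in zip(original, anonymized))


if __name__ == "__main__":
    test_rows = anonymize(EXPORT, seed=1)
    print(leaked(EXPORT, test_rows, SYNTHETIC), intact_rows(EXPORT, test_rows, SHUFFLED))
```

Shuffled columns still contain real values, so a rare value (a postcode held by only one learner, for instance) remains in the test set; `intact_rows` reports how many rows a small shuffle happened to leave unchanged.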
The Agreement
After a long process of redefinition and refinement, the pilot agreement was produced which included the following:
- A description of the objectives of the portal pilot
- Details of the services the portal is composed of
- The roles and responsibilities of the parties in the agreement
- Definition of the length of the pilot agreement
- Obligations of the University in hosting the portal
- Obligations of the institutions in hosting the Web services
- Details of the evaluation of the portal/agreement
- Termination arrangements
- Limitation of liability
- Confidentiality obligations of each party
The agreement is available from the downloads section.

