Sharing IT services may encompass several situations in terms of education delivery. What needs to be considered will depend on the aims and objectives and the particular model being adopted: for example, whether outsourcing is taking place, a merger is occurring, or an institution is sharing particular in-house services with another college, university or third party.
There is a range of legal issues to be considered by colleges and universities embarking on the journey to sharing IT services, relating to employment, procurement, health and safety, finance and taxation, to name a few. This guide, however, will focus on the main legal areas associated with sharing IT services: contract, data protection, ownership and freedom of information law.
Sharing IT services is likely to involve entering into multiple contracts with different parties such as other institutions, publishers, cloud providers and commercial partners. Within this context, issues may arise relating to ownership, acceptable use of resources, licensing or liability and these areas will be dealt with in more detail elsewhere in the guide.
Terms and conditions within contracts usually determine what responsibilities and liabilities different parties will have. Prior to formally signing on the dotted line, it is vital for institutions to clarify:
- What their role is in the arrangement
- What obligations they will have and whether these are in line with previous agreements
- What risks they will run and whether the contract meets their expectations
Otherwise, a college or university may be agreeing to a binding agreement that is overly restrictive or onerous and one that does not meet preferred outcomes or timescales. Similarly, where contracts fail to address key issues, this will lead to uncertainty in the event of something going wrong.
The contract between the colleges and the IT support company should have provided for this type of situation and made clear any consequences. In the absence of any provision relating to loss of data, the colleges will be unlikely to receive compensation without lengthy arbitration/litigation.
Institutions will already have binding contracts in place. Under a service level agreement, for example, a college will have certain rights and specific obligations contained within the terms. So, in sharing IT services, an institution will have to check that any pre-existing contractual obligations are consistent with any proposed sharing. Previous arrangements may become unworkable and an exit strategy will be required. However, changing contract terms unilaterally or abandoning a contract early may have large financial penalties for an institution.
This situation highlights the essential step of checking pre-existing contracts and ensuring that any new contract terms are consistent with obligations already undertaken. In this case University A could easily have avoided any penalty by fulfilling the existing contract.
The university will have to check the original licensing agreement in order to prevent any breach. Here additional permission is likely to be required to host works off-site and make them available to all students and staff. The Copyright Licensing Agency (CLA) licence applies to the UK. Students accessing materials under the licence can do so anywhere as long as they are registered with University of Nowhere. However, the licence is unlikely to extend to an off-site VLE.
Clarifying existing contractual obligations early on will enable institutions and their partners to make informed decisions when considering sharing IT services. Extensive negotiation may be necessary to reach a mutually acceptable agreement.
Top tips for contracts
- Decide on aims and objectives and reflect them in the terms of the agreement being negotiated
- Make sure there is an agreement in place where all relevant details of the shared IT services are included as well as relevant indemnity clauses
- Ensure all parties have signed the agreement
- Address all costs relevant to the service and be aware of your institution’s contribution ratio and payment dates (funding arrangements, outlays, overheads, procurement, technical support, storage, penalty clauses)
- Check that the period of service is in line with your institution’s expectations and preferences; make sure you are not tied in longer than necessary
- Know what the procedure is, and whether penalty clauses may be enforced if one party wishes to change or terminate the contract at a later date. Think through a suitable exit strategy before entering an agreement
- Ensure appropriate dispute resolution measures are in place and check that existing contracts and licences are consistent with the new shared IT services agreement
- Re-assess insurance implications for your institution by virtue of this new contractual relationship
When sharing IT services, colleges and universities may be sharing a common platform, storage facility, process or infrastructure. This is likely to be addressed contractually. On the other hand, where personal information is being shared as part of the service either within an organisation or externally, data protection law will apply. Sharing personal information over a managed network, cloud or Janet network service will have important legal consequences for a college or university.
Personal information, or data, is defined in the Data Protection Act 1998 (DPA) as significant biographical information that either relates to an identifiable living person, or which in combination with other information would identify them. In general terms, processing must be carried out fairly and lawfully. Usually, at the time of collection, data subjects (eg staff and learners) are told what information will be processed, for what purpose and to whom it will be disclosed. This is generally achieved by way of a fair processing notice.
The DPA is not a barrier to sharing personal information provided it is done lawfully and the sharing is considered ‘fair’. Many institutions will already share data with other organisations, either when required to by law or where this relates to the operational business of the college or university. There are also specific circumstances where consent will not be required to share, but generally staff and learners should know that sharing is taking place and that specific parties will have access to their personal information. For further information on data protection law in the context of research, refer to our guidance. There is also general information available on the ICO website.
When sharing personal data, an institution must ensure:
- There is a clearly identified and lawful purpose for distributing and sharing
- The sharing is fair
- An adequate notice period has been provided
- The rights of data subjects are not compromised
In order to determine what obligations it has in processing personal information, a college or university should firstly clarify what its role will be in the particular situation. Where an institution (either alone, jointly or in common) determines the purposes for which and the manner in which any personal data is, or is to be, processed, that institution is designated the 'data controller' for the purposes of the DPA.
There may be more than one data controller when sharing IT services. A 'joint data controller' processes data for the same purposes and is jointly liable under the Act. A 'data controller in common' processes personal information for a different purpose and each party is independently liable. A 'data processor' carries out data processing on behalf of the 'data controller'. The institution should have a data processing agreement in place to set out what exactly the data processor will do and how that processing will be carried out.
Here, University A is the data controller as it collected the data and determined the purpose for that collection. This means that University A will be liable under the Act for the data loss and University B’s responsibilities, as data processor, are likely to be contained in a data processing agreement.
This is a data protection breach. In this situation, both colleges are likely to be data controllers ie they both collect the data and decide how it will be processed. We will assume the data is collected for the same purpose (joint data controllers). So, both X and Y will have joint liability under the Act.
Top tips for sharing personal data
- Identify who will be doing what with the information, clarify roles (controller/processor)
- Check that there are processing conditions which will allow this data to be shared
- Ensure the information to be shared is adequate, relevant and not excessive
- Define the purpose of sharing and decide whether this is an entirely new purpose (consent). Decide whether sensitive personal data is involved (explicit consent)
- Inform data subjects where there is no reasonable expectation of sharing in the way intended
- Consider technical support resource implications within any data sharing agreement
- Ensure data subjects can exercise their rights under the Act
- Have a formal data sharing agreement in place which reflects obligations and responsibilities
- Make sure the institution and the third party can meet their data protection obligations
Outsourcing the processing of personal information to an external party (using Gmail for learners, for example) does not lessen a data controller’s legal responsibilities. Under the DPA, legal obligations fall on the institution to take reasonable steps to ensure that appropriate and adequate security measures are in place. Deciding what ‘measures’ are sufficient will, to some extent, depend on particular circumstances, but factors such as the nature of personal information being processed, the likely harm that would result from any unauthorised disclosure or access, the technology available and the costs involved will be relevant.
There are also implications where a college or university outsources to an organisation outside the EEA (European Economic Area). Where information is transferred outside the EEA, institutions must consider security risks and any data protection law of the relevant country, as well as any specific obligations of disclosure that may apply. A guide on outsourcing can be found on the ICO’s website.
Reliance on the Safe Harbour agreement is no longer valid for the transfer of personal data from the EU to the US, following a ruling by the European Court of Justice. This means institutions will now have to use other mechanisms to satisfy the legal basis of transfer. A useful summary of the current position is detailed on our blog. The ICO's response to the Safe Harbour ruling is available on their website.
Here, as the data controller, University X is liable under the DPA for the security breach, even though it was carried out by Help Co. University X should have ensured that any outsourced processing of personal data was adequately and securely processed. Using a reputable organisation that offered guarantees of secure processing would have prevented the breach. A detailed data processing agreement should also be in place making all roles and responsibilities in the arrangement clear, including what happens in the case of an unauthorised disclosure.
Top tips for outsourcing data processing
- Choose carefully; contract with well established, reputable organisations that offer guarantees of security, robust policies and procedures as well as trained staff
- Have a data processing/sharing agreement in place that clearly identifies roles, responsibilities and liabilities
- Check that the agreement states what security measures and back up systems are in place to fit the nature of the personal data being processed and that these meet agreed consistent standards
- Ensure that any data processing/sharing agreement is enforceable in the UK and the country in which the organisation is located
- Make sure the organisation is obligated to report security breaches
- Check that your own procedures allow you to act effectively and swiftly where any breach of security occurs
In a merger, personal information is likely to be shared. This will not cause difficulties where the purpose of processing is the same, or at least not substantially different. Indeed, many data protection policies contain an express clause that refers to this scenario. A fair processing notice is not expected to anticipate every situation but should contain enough detail so that a data subject (learner or staff member) has a reasonable expectation that their data will be processed in that manner eg a clause stating that personal data of all subjects will be available to the new body in the same way as before.
So, unless individuals were led to believe that their personal data would never be disclosed in this way, and the purpose of the processing remains consistent, the Act is complied with provided subjects are informed of the merger. It may also be argued that the sharing of non-sensitive personal information is in the legitimate interests of the data controller or third party under Schedule 2 of the DPA.
In a merger, prior to any disclosure/sharing, the data controller (college or university) should seek reassurances that personal information will continue to be used solely for a designated purpose in line with the data protection notice. Confidentiality must also be protected where appropriate.
It is not uncommon for employers to ask for attendance information of employees attending institutions. However, this example of sharing was not part of Louise’s processing agreement or fair processing notice, nor was it part of any agreement between the employer and the college. The information in this case should not have been disclosed without consent.
The crux of the issue is what the staff and learners were told or expected at the time of collection. This particular processing of personal information by the IT company has not been disclosed to staff and learners, nor is it part of a processing agreement. Without consent, this will be an unauthorised use of personal data and a breach of the DPA. In addition, direct marketing of this kind is regulated by the Privacy and Electronic Communications (EC Directive) Regulations 2003. Sending unsolicited emails without permission is likely to constitute a breach.
Regardless of any merger, in order to comply with the DPA and protect the privacy of the learner, the library cannot disclose the information as this is personal data that is collected purely for specific records purposes.
Top tips for sharing personal data in a merger
- Where possible, anonymise information that is handed over to the new body
- Inform students and staff of the merger and explain any changes that involve the processing of their personal data
- Ensure that any personal information shared is accurate, relevant and not excessive
- Make sure that further processing of personal information is in line with student and staff expectations
- Adopt a previous data protection policy or put in place a data sharing agreement or fair processing notice that is disseminated to all learners and staff
- Continue to provide an adequate level of protection for information
The main issue here is where content is generated as a result of sharing IT services. This issue can arise whether works are developed on an institutional network or where they are hosted externally.
Generated content will include teaching, research and learning materials, software, patents, designs, databases, logs and a lot more besides. Intellectual property rights will attach to such works.
Copyright protects specific original works. A copyright holder has the right to control any copying, adaptation, publishing, performance and broadcast of works and under what conditions this may be done. Further information on copyright is available in our guide.
Colleges and universities, as employers, will usually be the copyright owners of materials created by employees unless there is an alternative agreement in place. This situation is different for learners though, who will usually own the copyright in their own work. It is also very likely that in sharing IT services, use will be made of other people’s materials, which will normally mean having appropriate licences in place.
Where a change, such as a new partnership, contract or merger takes place, existing licences will need to be checked to ensure adequate permissions are available for the intended use.
Many licences, including some software licences issued by Microsoft and Adobe, do allow transfer in a merger situation. Where the language of a licence is clear there is no further need for interpretation. However, where a licence makes no such provision, there will be a risk for any institution which continues to make use of those works in a merger. Although, strictly in legal terms, additional permission may be required to prevent infringement, it is likely to prove particularly onerous and potentially very costly for institutions to check each individual licence and contact every rights holder where required.
In most cases, the intention of the copyright owner will be satisfied by making materials available to learners and staff within colleges and universities regardless of whether the works are available in a single institution or a merger. However, use of commercial works beyond the terms of a licence such as one based on the number of users, is likely to increase the risk of potential claims. Ultimately some form of risk management will be required.
Ownership of any content created is an important and potentially complex issue that should be addressed contractually by institutions prior to sharing IT services.
This is tricky as there is likely to be joint ownership and, without agreement, the matter will probably have to be resolved through costly litigation. This also prevents the software licence agreement being drafted, which could lose the colleges money in the meantime. If the question of ownership had been addressed and agreed within a contract, this issue would not prevent the colleges licensing a potentially lucrative product.
Professor Plum created resources in the course of his employment, so A will own the copyright (as his employer) and these can be uploaded. Terms of licences attached to third party works in the recordings will need to be checked to confirm that permission includes storage on an off-site VLE and access by students other than those attending University A.
Professor Plum is likely to own performance rights in his lectures so his consent will be required to copy the ‘performance’ and make it available in this way. The students gave permission for their materials to be included in the original VLE. However, B will need additional permission to host them in the new environment. This example highlights the different complex ownership issues that may arise even in what seems a relatively simple arrangement.
In this situation, the universities are likely to lose out financially; having already provided a licence to the provider, exclusivity cannot be granted. Reading terms and conditions prior to signing an agreement is essential to enable institutions to make an informed choice, and where appropriate, negotiate a less restrictive contract or seek an alternative.
The students should have sought relevant advice before accepting the cash and agreeing access to their data. It is also likely to be a breach of the terms and conditions of the wireless network that a username and password were shared, which might also lead to disciplinary action being taken.
Top tips on ownership
- Check existing licences to see what permission your college or university has regarding specific works
- Where the licence does not cover the intended use, seek additional permission to avoid risk of infringement
- When generating content, clarify ownership through formal agreement and protect your interests
- Check terms and conditions of contracts and only agree after due consideration of all aspects
- Be particularly vigilant where contracting with external parties
- Seek advice to clarify each party’s obligations and terms of agreement
- Carry out proper due diligence prior to negotiation and consider long term implications
UK institutions, as public authorities, are already familiar with their legal duty and obligations under freedom of information legislation. If a request is made to a college or university and they ‘hold’ the information, then unless an exemption applies it must release it to the requestor within 20 days. Personal information may escape disclosure under the relevant legislation. See our guide for more details on freedom of information (FoI) legislation.
FoI law will also apply where institutions are sharing IT services. As such, all partners will need to be made aware of the legal obligation to disclose. This may be particularly problematic where colleges or universities are working with a commercial organisation and sharing content over a network. Nonetheless, any contractual agreement must state that any non-exempt information held by the institution will be subject to FoI.
Here, use of a cloud provider does not prevent the application of FoI; the law will apply in the same way. So in this situation, even where data is stored in the cloud, the university is still deemed to ‘hold’ the information requested. Where emails have been deleted but are recoverable, they are still likely to be considered to be 'held' by the institution and subject to FoI.
When considering any IT sharing proposal, colleges and universities should firstly clarify what the aims and objectives of any merger, outsourcing or in-house arrangement are. In doing so, institutions must consider all legal and contractual obligations currently undertaken and ensure that any restrictions can be met in any new sharing situation eg relevant licensing agreements cover that particular hosting and access of materials, potential data sharing satisfies conditions under the DPA, information can be retrieved when a freedom of information request is received and so on.
By following our top tips as listed in the guide, and thinking through the issues carefully and thoroughly prior to entering a binding agreement, a college or university can be confident and successful in concluding a sharing IT services contract that is fit for purpose both in the short and longer term.
- Data protection and research data
- Copyright law
- Recording lectures: legal considerations
- Data protection and FoI legislation
- Risks of cloud computing