Guide

Your students, mobile devices, law and liability

Addressing the legal issues surrounding student mobile use at university or college.

Archived

This content was archived in October 2017

About this guide

Published: 1 May 2013
Updated: 9 October 2015

Introduction

There is an increasing expectation that college and university IT systems are opened up to allow staff and student access to the full range of institutional ICT facilities via their own mobile devices. This guide is intended to allow an informed response to the question: “won’t that increase our potential legal liability?”

Opening up the system to mobile access does not introduce new types of liability for colleges and universities to address, but in some circumstances there may be greater potential to be held liable and this has to be recognised and managed in order to achieve the benefits that own mobile use can bring.

This guide informs managers as to the consequences and the actions they may need to take in their institution to minimise these risks. Not opening the system to mobile access may actually increase the likelihood of unauthorised device use, whereas recognising the risks and managing them will help encourage responsible use as well as confidence in legal compliance.

Students will increasingly expect that all information and services currently available from a university or college desktop will be available to them via their mobile device. At the same time, institutions will want to ensure that systems and information are secure, and users adhere to policies on access to systems. The student is also likely to expect a level of support in the use of his particular device.

Mobile devices come in many differing forms, resulting in interoperability and other technical and cost issues which will also need to be addressed (but are not discussed in this guide). Opening up the institution’s systems for mobile access by students essentially results in the balance of control moving from the institution to the student. The issue therefore arises as to what extent legal liability also shifts with this move.

Key points

There is an increasing expectation of access to systems via mobile technologies
Legal liability extends to mobile use
An institution will need to decide on its mobile strategy, and decisions on mobile use will follow from strategy
Up-to-date technological measures are essential to protect systems. Adhering to a robust security policy is key
Policies and procedures should be reviewed to ensure mobile use is included
Users should be made aware of the do’s and don’ts

Comparing the legal risks

This section compares the legal risks associated with on-campus desktop access, institutionally-provided mobile access, and own-device mobile access.

“Opening up the system to student mobile access increases the risk of compromising the security of the system”

Best case: Incidents detected and managed according to policies and procedures, temporary disruption for users but legal liability unlikely to arise.

Worst case: System compromised, complete system crash, resulting in legal liability for data protection breaches, for publication of illegal images introduced via malware, police involvement, breach of duty of care/internet safety duties.

“Opening up the system to student mobile access increases likelihood of copyright infringement”

Best case: Any Infringement is ‘minor’ and use accepted by rightsholder, and/or appropriate licence fee paid for use.

Worst case: Risk of institution’s loss of access to key resources through licence breach. Cost implication for institution found liable to pay for the unlicensed access by others to its materials.

“Opening up the system to student mobile access will result in loss of personal or confidential data”

Best case: Students may only access their own personal data. Any data loss is detected quickly and investigated, apology given where appropriate, and dealt with as per data protection and discipline policies.

Worst case: Major data loss, sensitive data placed in public arena, distressed data subjects, Information Commissioner's Office (ICO) investigation, finds no enforcement of policy, inadequate security, no attempt to educate students. Substantial monetary penalty imposed by ICO for breach of data protection.

“Mobile access means greater anonymity and access for students to others resulting in increased internet safety issues”

Best case: Institution has an up-to-date, regularly reviewed internet safety policy and procedures in place, deals with issue promptly, unlikely to result in liability.

Worst case: Tutor expects learners to exchange mobile numbers for discussion task. He makes his own mobile number available. Young learner with history of being bullied reluctantly agrees. Receives unsavoury text messages, lecturer ignores concerns despite having inadvertently received one of the messages, situation escalates, neither learner nor lecturer is aware of college practices and procedures on internet safety. Eventual police involvement and court case which highlights inadequacy of the college practices. Potential for civil action for damages for breach of duty of care.

Legal liability

A provider has a duty of care towards its students and visitors accessing its systems; this means that it must consider what harm is reasonably foreseeable if it did not take care, and it must take reasonable precautions to prevent such harm (or else it will be liable for negligence). This duty of care is a well-established legal principle.

An institution also has statutory duties with regard to data protection, copyright, internet safety, bullying and harassment, and equality (amongst others) and can be held liable for harm or loss caused where the legal duty has not been met.

Consumer protection legislation may also increasingly become a factor e.g. where an institution is considering a mobile micropayment system for content. An institution also has a statutory duty to provide information under freedom of information legislation.

Liability, data protection and privacy

This concerns institutional liability for breach of the Data Protection Act 1998 following loss of personal information.

What’s the risk?

Risk of unlawful processing of personal data resulting in harm to an individual. This results in action by the ICO including imposing monetary penalties and loss of institutional reputation as well as a potential ethics committee and/or funders’ investigations.

Example

A student is undertaking university research which involves interviewing adults who suffered abuse as children and who have agreed to be interviewed on condition that their data would be anonymised. For speed and ease, the student uses his phone (rather than the university supplied encrypted laptop) to record interviews (which include names, dates of birth and sensitive personal details on particular abuse incidents) with the intention of anonymising and recording the data into the research database later.

His mobile phone has no security on it and is left on the bus on the way home. An investigation by the ICO reveals a lack of training and procedures in the university (it transpires own devices are often used in this department’s research without appropriate security), and after investigation, the ICO decides the seriousness of the breach and the distress caused to the data subjects merits a monetary penalty.

Action

Update data protection policy to clearly include own device use and where such use is inappropriate
Educate students in appropriate collection and use of personal data
Provide technical help in use of security measures
Review regularly the security of the institution’s systems
Review access restrictions – only those who need to access personal data should do so.

Liability, copyright and learning resources

This concerns institutional liability for copyright infringement and secondary infringement where the institution can be held to be responsible for the actions of its students.

What’s the risk?

Risk of an institution losing temporary or permanent access to essential resources through licence breach. Cost implications for institution found liable to pay for the unauthorised and unlicensed access to its materials.

Example

A student, who has a part-time job in a large office, legitimately accesses material from his college resource centre via his mobile phone for the purposes of his studies. He stores it on his phone for his personal private study and research but then also sends it to his work colleagues as a useful resource for them.

The material is then shared widely around the workplace, including the company’s office in India. The rightsholder contacts the college complaining that the material is being used for commercial purposes contrary to the terms of the licence. The college provided no guidance for students on copyright. The rightsholder seeks payment for the commercial use which is costly for the college given the wide circulation of the material.

An institution is unlikely to be able to prevent this type of activity entirely, and mobile devices make it more likely to happen. In a desktop situation, such as in the institution’s resource centre, preventative measures are easier. Informality is inherent in mobile use, and the culture and nature of the mobile user often includes the view that anything can be accessed and shared - all of which increases the likelihood of copyright infringement occurring where systems are opened for own device use.

Action

Institutions need to show that students have been provided with information on copyright
Student behaviour policies and AUP should be in place including clear do’s and don’ts for mobile use
Policies should be enforced to send clear messages on institution’s expectations
There needs to be clear notice and take down procedures for removing potentially infringing material found on the system
Warnings need to be given to students on compliant system use at access points to e.g. learning resource area.

Liability and inappropriate material

This concerns liability for harm to users, and damage to reputation where offensive or illegal material is found on the network, which breaches race, equality, harassment, obscenity or child pornography legislation.

What’s the risk?

Opening up the institution’s system to access via mobile devices inevitably increases the likelihood of offensive or illegal material being either deliberately introduced (due to perceived anonymity), or accidentally introduced (via malware on a mobile app, for example).

However, the likelihood of legal liability arising from this is low provided the institution is using up-to-date measures to manage the technical risks and takes action in accordance with its policies when a breach is discovered, and with the ‘always on’ nature of mobile access, such breaches can happen at any time. Users may also have different expectations as to what they can do with their own mobile device, and some activity may not sit easily or comply with institutional policies.

Action

Ensure systems are kept protected with up-to-date security
Consider use of mobile device management software for access restrictions
Educate users on behaviours and acceptable use
Have a notice and take down procedure and incident handling procedure.

Liability and internet safety

This concerns breach of duty of care with regard to students, and breach of statutory safeguarding duties.

What’s the risk?

Risk of harm to student from bullying and resulting in bad publicity and loss of reputation of the college.

Mobile devices have features such as cameras and location-aware apps, both of which a tutor may wish to use in a class activity, but which lead to the sharing of data between the students. The student culture of always on, easy access, and sharing, makes it increasingly likely that a seemingly innocent and educational use leads to an internet safety issue, e.g. bullying or harassment, where contact details are shared where otherwise they would not be.

Action

Have a risk assessment procedure for new activities which includes appropriate use of technology. Consider whether other activity options more appropriate e.g. mediated discussion is sometimes a better option
Ensure institution’s data protection and internet safety policies and practices are up-to-date and include mobile activity
Ensure staff are up-to-date on internet safety risks in the institution
Educate learners on appropriate behaviours, use and available support mechanisms
Educate learners on their responsibility for their own safety and security.

Liability and equality duties

What’s the risk?

This concerns liability for discrimination related to disability under the Equality Act 2010 to the detriment of a student with regard to the provision of services.

Action

Ensure staff are aware of the institution’s duties regarding accessibility and discrimination
Encourage a culture of disclosure, where the student feels comfortable in asking for help
Consider what alternatives could be provided for this student in order to comply with the duty not to discriminate and with the need to make reasonable adjustments, for example, materials placed in an area of the college system where access could be provided.