Introduction
There is an increasing expectation that college and university IT systems are opened up to allow staff and student access to the full range of institutional ICT facilities via their own mobile devices. This guide is intended to allow an informed response to the question: “won’t that increase our potential legal liability?”
Opening up the system to mobile access does not introduce new types of liability for colleges and universities to address, but in some circumstances there may be greater potential to be held liable and this has to be recognised and managed in order to achieve the benefits that own mobile use can bring.
This guide informs managers as to the consequences and the actions they may need to take in their institution to minimise these risks. Not opening the system to mobile access may actually increase the likelihood of unauthorised device use, whereas recognising the risks and managing them will help encourage responsible use as well as confidence in legal compliance.
Students will increasingly expect that all information and services currently available from a university or college desktop will be available to them via their mobile device. At the same time, institutions will want to ensure that systems and information are secure, and users adhere to policies on access to systems. The student is also likely to expect a level of support in the use of his particular device.
Mobile devices come in many differing forms, resulting in interoperability and other technical and cost issues which will also need to be addressed (but are not discussed in this guide). Opening up the institution’s systems for mobile access by students essentially results in the balance of control moving from the institution to the student. The issue therefore arises as to what extent legal liability also shifts with this move.
Key points
- There is an increasing expectation of access to systems via mobile technologies
- Legal liability extends to mobile use
- An institution will need to decide on its mobile strategy, and decisions on mobile use will follow from strategy
- Up-to-date technological measures are essential to protect systems. Adhering to a robust security policy is key
- Policies and procedures should be reviewed to ensure mobile use is included
- Users should be made aware of the do’s and don’ts
Comparing the legal risks
This section compares the legal risks associated with on-campus desktop access, institutionally-provided mobile access, and own-device mobile access.
“Opening up the system to student mobile access increases the risk of compromising the security of the system”
Best case: Incidents detected and managed according to policies and procedures, temporary disruption for users but legal liability unlikely to arise.
Worst case: System compromised, complete system crash, resulting in legal liability for data protection breaches, for publication of illegal images introduced via malware, police involvement, breach of duty of care/internet safety duties.
“Opening up the system to student mobile access increases likelihood of copyright infringement”
Best case: Any Infringement is ‘minor’ and use accepted by rightsholder, and/or appropriate licence fee paid for use.
Worst case: Risk of institution’s loss of access to key resources through licence breach. Cost implication for institution found liable to pay for the unlicensed access by others to its materials.
“Opening up the system to student mobile access will result in loss of personal or confidential data”
Best case: Students may only access their own personal data. Any data loss is detected quickly and investigated, apology given where appropriate, and dealt with as per data protection and discipline policies.
Worst case: Major data loss, sensitive data placed in public arena, distressed data subjects, Information Commissioner's Office (ICO) investigation, finds no enforcement of policy, inadequate security, no attempt to educate students. Substantial monetary penalty imposed by ICO for breach of data protection.
“Mobile access means greater anonymity and access for students to others resulting in increased internet safety issues”
Best case: Institution has an up-to-date, regularly reviewed internet safety policy and procedures in place, deals with issue promptly, unlikely to result in liability.
Worst case: Tutor expects learners to exchange mobile numbers for discussion task. He makes his own mobile number available. Young learner with history of being bullied reluctantly agrees. Receives unsavoury text messages, lecturer ignores concerns despite having inadvertently received one of the messages, situation escalates, neither learner nor lecturer is aware of college practices and procedures on internet safety. Eventual police involvement and court case which highlights inadequacy of the college practices. Potential for civil action for damages for breach of duty of care.
Legal liability
A provider has a duty of care towards its students and visitors accessing its systems; this means that it must consider what harm is reasonably foreseeable if it did not take care, and it must take reasonable precautions to prevent such harm (or else it will be liable for negligence). This duty of care is a well-established legal principle.
An institution also has statutory duties with regard to data protection, copyright, internet safety, bullying and harassment, and equality (amongst others) and can be held liable for harm or loss caused where the legal duty has not been met.
Consumer protection legislation may also increasingly become a factor e.g. where an institution is considering a mobile micropayment system for content. An institution also has a statutory duty to provide information under freedom of information legislation.
Liability, data protection and privacy
This concerns institutional liability for breach of the Data Protection Act 1998 following loss of personal information.
What’s the risk?
Risk of unlawful processing of personal data resulting in harm to an individual. This results in action by the ICO including imposing monetary penalties and loss of institutional reputation as well as a potential ethics committee and/or funders’ investigations.
Action
- Update data protection policy to clearly include own device use and where such use is inappropriate
- Educate students in appropriate collection and use of personal data
- Provide technical help in use of security measures
- Review regularly the security of the institution’s systems
- Review access restrictions – only those who need to access personal data should do so.
Liability, copyright and learning resources
This concerns institutional liability for copyright infringement and secondary infringement where the institution can be held to be responsible for the actions of its students.
What’s the risk?
Risk of an institution losing temporary or permanent access to essential resources through licence breach. Cost implications for institution found liable to pay for the unauthorised and unlicensed access to its materials.
Action
- Institutions need to show that students have been provided with information on copyright
- Student behaviour policies and AUP should be in place including clear do’s and don’ts for mobile use
- Policies should be enforced to send clear messages on institution’s expectations
- There needs to be clear notice and take down procedures for removing potentially infringing material found on the system
- Warnings need to be given to students on compliant system use at access points to e.g. learning resource area.
Liability and inappropriate material
This concerns liability for harm to users, and damage to reputation where offensive or illegal material is found on the network, which breaches race, equality, harassment, obscenity or child pornography legislation.
What’s the risk?
Opening up the institution’s system to access via mobile devices inevitably increases the likelihood of offensive or illegal material being either deliberately introduced (due to perceived anonymity), or accidentally introduced (via malware on a mobile app, for example).
However, the likelihood of legal liability arising from this is low provided the institution is using up-to-date measures to manage the technical risks and takes action in accordance with its policies when a breach is discovered, and with the ‘always on’ nature of mobile access, such breaches can happen at any time. Users may also have different expectations as to what they can do with their own mobile device, and some activity may not sit easily or comply with institutional policies.
Action
- Ensure systems are kept protected with up-to-date security
- Consider use of mobile device management software for access restrictions
- Educate users on behaviours and acceptable use
- Have a notice and take down procedure and incident handling procedure.
Liability and internet safety
This concerns breach of duty of care with regard to students, and breach of statutory safeguarding duties.
What’s the risk?
Risk of harm to student from bullying and resulting in bad publicity and loss of reputation of the college.
Mobile devices have features such as cameras and location-aware apps, both of which a tutor may wish to use in a class activity, but which lead to the sharing of data between the students. The student culture of always on, easy access, and sharing, makes it increasingly likely that a seemingly innocent and educational use leads to an internet safety issue, e.g. bullying or harassment, where contact details are shared where otherwise they would not be.
Action
- Have a risk assessment procedure for new activities which includes appropriate use of technology. Consider whether other activity options more appropriate e.g. mediated discussion is sometimes a better option
- Ensure institution’s data protection and internet safety policies and practices are up-to-date and include mobile activity
- Ensure staff are up-to-date on internet safety risks in the institution
- Educate learners on appropriate behaviours, use and available support mechanisms
- Educate learners on their responsibility for their own safety and security.
Liability and equality duties
What’s the risk?
This concerns liability for discrimination related to disability under the Equality Act 2010 to the detriment of a student with regard to the provision of services.
Action
- Ensure staff are aware of the institution’s duties regarding accessibility and discrimination
- Encourage a culture of disclosure, where the student feels comfortable in asking for help
- Consider what alternatives could be provided for this student in order to comply with the duty not to discriminate and with the need to make reasonable adjustments, for example, materials placed in an area of the college system where access could be provided.