9.  The Internet, Online Services & Web 2.0 Services
9.4 Web 2.0 Services

Since the use of Web 2.0 services (e.g. Facebook, YouTube, Twitter, LinkedIn and other externally hosted services) almost always involves the use of personal data, there are potential data protection and legal implications for the University, its staff and students.

University staff entering into an arrangement with an external service provider for the provision of Web 2.0 services must consider the following data protection risks:


9.4.1 The role of the service provider

The nature of the agreement with the service provider will determine whether the University will be legally responsible for any Data Protection breaches. If any of the following apply, the service provider may be deemed to be acting as a data processor for the University and therefore the risk of responsibility for any breaches remains with the University:

  • The University has negotiated a specific agreement with the service provider
  • The service is branded as a University service
  • It is not immediately apparent to users of the service that they are providing data to an external service provider rather than to the University
  • Students must sign up to the service as a compulsory requirement of a course or programme
  • The service provider can only use the data in ways or for purposes specified by the University


If any of the above situations apply, staff must ensure that there is a data processing agreement in place between the service provider and the University in advance of the service being implemented. Templates to assist with data sharing agreements are available from the Information Governance Manager.


The University may avoid becoming legally responsible for the service providers' Data Protection compliance by ensuring that it is clearly stated that service providers are separate legal entities. In that case the University would not be determining the purposes for which, and the manner in which, any personal data is to be processed, and is therefore not a data controller. This can be achieved by:

  • Clearly identifying that the service is provided by an external service provider, both on the site itself, in any supporting institutional documentation (e.g. course handbooks) and in the way that users access the service (e.g. if students enter the site from WebCT or Moodle, they are given a message that they are now leaving the institution's service and connecting to an external service provider)
  • Providing users of the service, such as students, with clear guidance on what information is accessible to and used by the institution, and what information is accessible to and used by the service provider
  • Ensuring users of the service sign up to use the service directly with the service provider and not through the University. In this way, each individual can decide on the extent to which they wish to establish their own relationship with the service provider, and can withhold or disclose whatever personal information they wish
  • Making participation in and contribution to the service optional for users - e.g. users can choose whether or not to contribute to a research wiki


Staff proposing to use an external service provider should ensure the following:

  • Where users are to register individually, that the terms of the service which users will be signing up to are appropriate for the UK legal environment. This is particularly important where use of the service is compulsory for a course.
  • Users must not be required to sign up for Web 2.0 services which purport to require them to waive legal protections guaranteed by UK data protection law
  • Depending on the nature and extent of use of a service, clear guidance is to be provided, either by a short briefing to students or in the relevant course handbook, about the data protection implications of their registration. This should include advice on the effective use of the privacy-enhancing features of the service, and on how to unsubscribe and remove personal data from the service.

9.4.2 Publication of personal information

Use of some Web 2.0 services may involve requiring users to publish their personal data on the Internet. University staff must be aware that compulsory use of such services by the University, or use of such services in circumstances which place users who do not wish to make such disclosures at a significant disadvantage, may breach Data Protection legislation.


This can be avoided by using services which let users conceal their identity, e.g. by allowing the use of aliases. However, withholding names does not equate to anonymising data, and staff should therefore be alert to the risk inherent in requiring the disclosure of so much information that a user can be identified even without their name being used. Users should be clearly advised on what information will be published and what information will be available on a more restricted basis.


9.4.3 Transferring personal information outside the EEA

Many Web 2.0 and cloud computing service providers are based outside the European Economic Area (EEA), e.g. in the United States. As a result, personal data supplied to those service providers is likely to be processed outside the EEA. While it is acceptable for individuals in the EEA to choose to supply their personal data to non-EEA service providers, Data Protection legislation prohibits the transfer of personal data by data controllers (i.e. the University) to third parties outside the EEA, unless certain conditions are met.


In circumstances where University staff propose to use Web 2.0 service providers, they must ensure that they know where information that is supplied to the service providers will be processed, so that appropriate measures can be adopted. The following are methods of dealing with personal data transfers outside the EEA in circumstances where a web service is to be used:

  • Where users have a choice whether or not to sign up, the University should ensure that its users are adequately informed about the data protection consequences of doing so
  • Where the user registers directly with the service, is aware of the overseas transfer, and has control over what information is provided to the service provider, the University must ensure that its users are adequately informed about the data protection consequences of doing so
  • When the University is providing user personal data to the service provider as a third party, University staff should consider whether:
    • the country in which the service provider is based has adequate protections for personal data in relation to the proposed transfer (see below)
    • the type of transfer is exempted from the general prohibition on transfers to non-EEA countries
    • there is a need to negotiate a customised agreement with the service provider

When the University is using the service provider as a data processor, the University should negotiate a customised agreement with that service provider. Advice should be sought on this from the Information Governance Manager.

9.4.4 Information provision

In order to comply with Data Protection legislation and related legislation, where the University uses an external Web 2.0 service provider to collect information about, or contributions from, people on its behalf, the relevant staff must provide clear information, preferably in the course handbook, about:

  • How the University or other parties will use the information
  • Who will have access to or will retain copies of the information
  • What information will be generally accessible over the Internet
  • Any cookies that may be downloaded to the user's computer
  • Any monitoring of an individual's usage and activity in the service
  • The country that hosts the service if it is hosted outside the UK


In addition, staff should ensure that:

  • Users must give their consent to the use of cookies where relevant and be able to opt out of monitoring.
  • If an externally-provided service is designed to appear to be part of the University (e.g. a template has been used to apply the University's branding to a blog) people who register at that site (e.g. in order to post comments to the blog) understand that they are not just entering into a relationship with the University but also with the service provider.
  • Users are given clear information as to what information is available to, and used by, which party.
  • They avoid using services where it is not possible to opt out of advertising and marketing emails. In cases where use of the service is compulsory or where the service provider is a data processor acting on behalf of the University, this may breach the Privacy and Electronic Communications (EC Directive) Regulations 2003. To minimise these risks, users should be given clear instructions on how they can opt out of advertising and marketing activities if they wish to do so.


9.4.5 Information retention

Personal data placed on Web 2.0 services based in non-EEA countries may, in some circumstances, be legally held indefinitely, and the service providers may have no legal obligation to remove it. Data Protection legislation requires that data controllers and data processors keep information about individuals for no longer than necessary. Staff should therefore:

  • Consider carefully if the Web 2.0 services they wish to use will expose the University to liability for breach of Data Protection legislation or expose their users to unwanted long-term personal data disclosure
  • Ensure that the Web 2.0 services they wish to use have adequate data privacy guarantees concerning the appropriate removal and disposal of users' personal data after the purpose for which it was collected and processed has ended.


9.4.6 Take Down/deletion

Additionally, where the University has entered into arrangements with Web 2.0 service providers to provide particular services involving the processing of user personal data, the responsible staff should consider whether it is likely to be necessary to take down or delete information that has been posted to the service to prevent the processing of information likely to cause someone substantial damage or distress. Before signing up to a service, staff should consider whether the terms of use and facilities of the external service will enable them to do this quickly, if necessary.


Guidelines for staff and students have been prepared on the legal implications of the use of Web 2.0 services.