Are universities using GDPR as an excuse not to safeguard harassment survivors?

Students who have been brave enough to take action against sexual misconduct have repeatedly been let down by the reporting process, with universities citing data protection regulations to justify their failings. Luckily, two progressive organisations are working to support survivors, while urging institutions to use data as an informative force for good

The #MeToo movement spurred a revelatory storm that shook the roots of society. Social media became a tool that connected survivors all over the globe, supporting a sense of community that empowered individuals and gave them the courage to share their stories. For too long, their silence had been internally fermenting – over days, weeks, months, years, even decades. It took one five-letter hashtag for the pressure cooker to finally explode. 

So, almost four years down the line, has anything really changed? If the UK’s education sector represents a microcosm of the nation at large, the recent emergence of Everyone’s Invited – an anonymous reporting platform designed to expose the prevalence of rape culture on campus – suggests unfortunately not. As of June this year, the website had received testimonies from almost 3,000 students – 2,556 from secondary schools and 406 from primary level. Also in June this year, Ofsted published its review of sexual abuse in schools and colleges, following detailed research and analysis actioned by the government. Among the report’s most disturbing revelations was “just how prevalent sexual harassment and online sexual abuse are for children and young people. It is concerning that for some children, incidents are so commonplace that they see no point in reporting them … the issue is so widespread that it needs addressing for all children and young people.”

This paints a worrying (and it goes without saying, abhorrent) picture of the sector. 

It’s an issue that’s arguably most insidiously present within university grounds; so common are cases in this particular setting, that the higher education (HE) regulator, the Office for Students (OfS), published guidance in April this year asking institutions to take responsibility for protecting students against sexual misconduct with “robust” reporting procedures and increased mental health support, also calling for bystander and consent training for both students and staff. The news followed a surge in accusations claiming universities had repeatedly ignored warnings urging them to tackle rape culture, with the OfS stating that those who fail to do so moving forward will face sanctions. 

When it comes to sexual misconduct in UK universities, one of the most concerning statistics is the number of students – almost all of whom identify as female – suffering at the hands of staff. Valuable data insights enabled by the bravery of survivors, often to the detriment of their wellbeing, have lifted the lid on this. But when GDPR (General Data Protection Regulation) was introduced in May 2018, enforcing new rules relating to how we collect and process personal data, it unintentionally became a deterrent to sexual misconduct complaints. 

Changing the complaints process

On 26 April 2021, Culture Shift, an organisation that works with more than 65 UK universities and colleges to monitor and prevent bullying and harassment via its online reporting platform, published its Data protection and case management report. The detailed guidance for higher education institutes (HEIs) delves into “why data protection doesn’t need to be a barrier to ensuring individuals are safeguarded and free from discriminatory treatment”. Recognising that GDPR had been used in a way that meant universities could get away with not being as transparent as they should be with all parties involved in the complaints process, Culture Shift wanted to empower survivors and help to remove the hurdles entrenched in current procedures. 

“We’ve been doing this work for a few years now,” Gemma McCall, Culture Shift co-founder and CEO, told ET. “We first started when we collaborated with the University of Manchester back in 2016. And the reason for us launching our platform in the first place was because the prevalence of sexual violence within HE is really high, but reporting rates are incredibly low.

“We built our software to try and make a system where anyone who had experienced or witnessed anything could report at a time and in a place where they felt comfortable and safe,” Gemma explained. First, the organisation tried to tackle barriers that were seemingly ‘easier’ to remove – creating a safe, anonymised environment, for example, which helps to alleviate survivor fear that can leave them feeling like they “can’t tell their truth”, in Gemma’s words. “But then, as we got into the work,” she added, “we realised, actually, the process itself is really letting people down.”

“…the reason for us launching our system in the first place was because the prevalence of sexual violence within HE is really high, but reporting rates are incredibly low” – Gemma McCall, Culture Shift

This was the primary motive behind Culture Shift’s creation of the data guidance – the fact that the details of the investigation, including the outcome, are not shared with the reporting survivor, which ultimately means there’s no closure for what can be an incredibly traumatic experience. “The reason why you’d make an official complaint is for something to happen, and action to be taken – for a predator to be removed from the institution,” said Gemma, “yet you never find out what happens in the end.”

An organisation fully in support of Culture Shift’s data guidance for the sector is The 1752 Group, a research and lobby organisation working to end sexual misconduct in HE. Back in December 2015, a small group of individuals coordinated what they believe to be the first UK university conference addressing staff-to-student sexual harassment, held at Goldsmiths, University of London. 

“We were set up after attempting to address issues of academic staff sexually harassing and assaulting students at Goldsmiths, where we were PhD students,” explained Dr Anna Bull, director of research at 1752. “After several years of fighting alongside others to simply try and get the institution to keep students safe on campus, we realised that this was a national issue and established ourselves as an organisation. We call ourselves 1752 because £1,752 was the amount of money Goldsmith’s were willing to put in to address the issue. We wanted to have the name as a reminder that those kinds of sticking-plaster solutions are really not going to make any difference,” said Anna. As the Group’s website states: “Our name is a reminder of a turning point for change.”

Recent headlines have shown the necessity of the organisation’s work, with growing complaints placing Goldsmiths under pressure to hold a full independent inquiry. In 2017, an equality, diversity and inclusion practitioner with eight years’ experience in the sector was hired to lead the review – a role Anna claims costs Goldsmiths £55,000 a year. 

In an email to ET, a spokesperson for Goldsmiths said that while sexual violence is “sadly pervasive” throughout society, including in higher education, the university is “determined to identify and tackle these behaviours”.

“We are committed to encouraging the reporting of all forms of sexual violence,” they added. “…Following recent feedback from our students, we are looking to improve the support available to those using our reporting system to ensure survivors’ needs remain at the heart of this work. Goldsmiths Students’ Union runs anti-sexual violence training for students and is currently running remote Consent Matters training to help educate students on consent and healthy relationships. The college continues to run Understanding and Responding to Sexual Violence training for staff.”

The staff misconduct epidemic

Five years on from Changing the Culture, the Universities UK (UUK) report that examined violence against women, harassment and hate crime targeting students, and HEIs are still insensitively mishandling student reports and their subsequent data. “It’s embarrassing,” Anna said, exasperated.

The lack of data regarding staff-on-student offences means there’s still no national guidance on the matter. That’s why a year ago, 1752 worked alongside transatlantic law firm McAllister Olivarius to produce such a framework – a move that’s deemed both timely and progressive.

“I’m sensing from the response that we’re a bit ahead of the curve; that universities are nervous to implement what we’ve recommended because it’s pushing the practice forward quite a lot.”

Example recommendations put forward in the guidance are that the outcome, and potentially the sanctions taken against a staff perpetrator, are shared with the complainant once the case has been closed. 

“While some universities have started to share sanctions,” said Anna, “it’s still extremely rare. It’s a step too far for many.”

GDPR and the confidentiality 'roadblock'

In the last few years, bad press has motivated some universities to take action, but as Anna explained in our interview, it’s actually further on in the reporting process that problems tend to occur. 

“The confidentiality that universities wrap around the process in order to, as they perceive it, uphold GDPR, is one of the ways in which survivors are being let down when they come forward,” she said.

Image source: andranik.h90/Freepik

“To give you a sense of the habits of secrecy that they’re in, universities should be sharing the steps that they’ve taken – any prevention plans that are put in place after a complaint – to make sure such misconduct doesn’t happen again. I’m not seeing students even getting that information.”

“To give you a sense of the habits of secrecy that they’re in, universities should be sharing the steps that they’ve taken – any prevention plans that are put in place after a complaint – to make sure such misconduct doesn’t happen again. I’m not seeing students even getting that information” – Dr Anna Bull, The 1752 Group

A 2018 study by 1752 highlights the sort of ‘secrecy’ Anna was referring to; after conducting interviews with students and early career academics across 14 UK HEIs to gather first-hand insights from survivors, the group began to unravel the sort of factors that motivate universities to suppress such reports – a big one being institutional fears surrounding reputational damage – an archaic, out-of-touch and yet lingering construct that’s still so ingrained in the HE sector. As a testimonial from PhD student Aditi emphasises:

“I said I wanted to file a police complaint, but [the university] were like, ‘If the police complaint comes out then the university will be in trouble, the university’s image will go down.’ […] They were kind of threatening me [in the] background, because they were saying, ‘If you file a complaint then that will make a legal case and that professor is also saying that he can file a police complaint on you.’”

Have we really reached a point in time when league table positions are considered more important than student safety and wellbeing?

“You can imagine what it feels like for a student to put in a complaint – that decision alone might have taken them months or years to feel safe enough to report formally,” said Anna. “It takes six to nine months to go through the process – which again, requires them to give multiple interviews and give evidence. They probably haven’t been able to tell many people about it as they’ve had to keep it confidential. The whole reason they’ve done this is to keep themselves and others safe, so they just want to know that reporting has been worthwhile. They get through that entire process and they just get a letter saying: ‘Thank you, your complaint has been upheld, goodbye.’ That’s it. That feels like a huge disappointment to many survivors who have reported.”

Anna is by no means exaggerating, as that same 2018 study confirms; for example, a testimonial from Gemma, an undergraduate student interviewee, highlights just how inconclusive the reporting process can be:

“All I received was this email saying, ‘Appropriate disciplinary action will be taken.’ So that’s the end of that. […] The head of department could have just sat down with [the lecturer] with a coffee and been like, ‘Mate, don’t do that again. Don’t be an idiot.’ […] I could have spent 10 months of my life stressed to high heaven about this bloody procedure and this stupid man, and it’s literally done nothing.”

Another testimonial from a PhD student named Fiona, emphasises just how re-traumatising the current process can be for survivors: 

“I had to go back through emails, I had to [go] back to something which I’d forgotten, and like tried very hard to forget. […] And this dredged up stuff that was incredibly emotional; I found it really difficult. […] And then on top of that, you’re not just dredging it up for you, you’re dredging it up for public consumption, to people that you don’t know, and you don’t trust, and who are very senior to you and you have this distant respect for as academics.”

It’s also worth noting that this same study examined 61 policies relating to staff sexual misconduct from a sample of 25 institutions, particularly considering conflict of interest. Four policies included variations of the phrase: “The university does not wish to prevent liaisons between staff and students, and it relies upon the integrity of both parties to ensure that abuses of power do not occur.” This means HEIs are actively and knowingly putting the onus on students to stop themselves from being victimised. Only one solitary university policy even vaguely alluded to any wider ethical or professional framework for disciplinary action. Only one member of staff out of all cases reviewed lost his job following a student’s complaint, another two resigned during investigations and secured new posts abroad, while 12 abusers remained in their posts – potentially still to this day. 

“There are a lot of reasons why universities aren’t giving more information, but one of the main reasons is that habit of secrecy and confidentiality, which comes from an over-interpretation of GDPR” – Dr Anna Bull, The 1752 Group

Additionally, all but four of the staff members engaging in sexual misconduct were reported by interviewees to have targeted at least one other woman, and so the report points to serial offenders as the “most urgent issue for HE institutions to address”.

“There are a lot of reasons why universities aren’t giving more information,” said Anna, “but one of the main reasons is that habit of secrecy and confidentiality, which comes from an over-interpretation of GDPR.”

The data/protection imbalance

It seems that across a large section of the UK HE sector, an air of panic was the main motivator behind preparatory actions ahead of GDPR’s introduction. Universities erred on the side of caution, choosing to delete masses of data for fear of facing financial penalties if they were found not to have handled it correctly. After participating in discussions on data-sharing with the Information Commissioner’s Office (ICO), Gemma and her colleagues understand that certain myths and misconceptions relating to the process of data protection are preventing further progress in this area. “You’ve got to show your working out with GDPR,” she explained. “You can’t just share it without thinking about it. You’ve got to show the considerations you’ve made, and whether it’s ‘fair and proportionate’ – those are the words of the ICO. You’ve got to show that you’ve considered the rights of the data subject.” 

Rather than investing in additional training and resources to boost employees’ understanding of GDPR, both Anna and Gemma agree that institutions still generally prefer to avoid the process entirely. 

“The main issue here is that data protection law doesn’t override every other responsibility you have” – Dr Anna Bull, The 1752 Group

“The main issue here,” said Anna, “is that data protection law doesn’t override every other responsibility you have. It has to be balanced with the Human Rights Act, with the Equality Act – which is likely the most relevant in this situation because it gives people an equal right to access education on the basis of protected characteristics. So if you’re saying, ‘Right, well we can’t share any information about ongoing actions or sanctions we’re taking because that’s confidential,’ – the staff member’s data, for example – ‘That’s their personal data – we’re not allowed to share that’. But you have duties under the Equality Act to ensure that student and staff complainants feel safe on campus to preserve that equal right to education.”

Universities employ specific members of staff to prevent breaches of such policies, and supposedly ensure balance across institutional responsibilities that support the safety and welfare of students. “But actually,” said Anna, “if it were a fight between a data protection officer (DPO) and the equality and diversity manager – who do you think would win?”

Raising awareness of data rights

The lack of understanding surrounding data protection is a missed opportunity, and another potential avenue to letting students down (something many universities can’t really afford amid concerns for how COVID has impacted student recruitment and retention, among other things) since, interestingly, students today actually have more faith in educational establishments to protect their data than they do in technology companies. In a 2020 study by Jones et al., a student participant stated: 

“I personally trust schools and universities more than these companies that are for-profit and I trust that they’re going to use this information in a way that I feel more comfortable with, that doesn’t try to take money out of my pocket.”

This study and others of its kind show that students are more likely to trust public institutions than private corporations, but researchers agree that more surveys are required to form a definite picture of students’ views on the matter – especially since this existing data is largely US-centric. Additionally, with EDUCAUSE’s Center for Analysis and Research’s (ECAR) 2019 survey finding that 70% of student participants had confidence in their education provider to safeguard their personal data, we can make an informed assumption that students do hold a certain level of trust in their university; however, it’s worth noting that only 45% of participants in that same study believed they benefited from the institution’s privacy and security policies, and only 44% understood how the university was using their personal data. From this, researchers concluded that students’ trust does not mean they grant unlimited and unrestricted access to their information, but rather that they expect a higher standard of information privacy and security in return for that trust. That’s why (among other reasons), according to Gemma and Anna, the implementation of anonymous reporting procedures can be so beneficial for universities.

“My main bit of advice would be to allow for both anonymous and named reporting because doing so will allow you to receive more reports,” said Gemma. “With more information, you can take better, more informed, targeted action for the actual issues within your institution.”

“With more information, you can take better, more informed, targeted action for the actual issues within your institution” – Gemma McCall, Culture Shift

On top of this, Gemma suggests that universities regularly publish information about the data coming through their systems. “There are a handful of universities that are doing this,” she said, “and University College London (UCL) is probably the most comprehensive report that I’ve seen.”

Speaking of UCL; in 1752’s guidance document on submitting a Subject Access Request (SAR), UCL is listed as the prime example of a university website page that details how individuals can submit a request. Both Anna and Gemma firmly agree that educating people on data rules and regulations, as well as personal data rights, is fundamental to positive change – that’s the whole point of Culture Shift’s data-sharing guidance and 1752’s SAR advice (linked above). Many people aren’t even aware that they possess the right to request any and all information a public institution holds on them through an SAR. As 1752 state: “Complainants and witnesses have previously found this a useful means to find out more about a disciplinary process and its outcomes. Types of information that can be requested include emails, outcomes of disciplinary procedures, or any data held on your personnel/HR file.” Universities can and should raise awareness of this for the benefit and safety of their entire communities – which can be easily achieved through a website page such as that modelled by UCL. 

Maintaining progress momentum

The force of #MeToo and subsequent movements means institutions can no longer afford to overlook issues such as sexual misconduct. Where they have previously largely sat idly by, some universities, at least, are beginning to action complaints. With data increasingly underpinning every facet of life as we know it, the time for public institutions to use such information as a revolutionary force for good is long overdue. When it comes to the HE sector, in particular, the ethically and socially conscious generations of the future will no longer accept shady excuses for the mishandling of data, nor the lack of transparency surrounding serious complaints. Unfortunately, until education providers acknowledge and accept their role in ending this pernicious culture that’s rife within the sector, students will continue to suffer.

“Even though it absolutely breaks my heart that survivors have to keep telling their stories, which is really difficult and re-traumatising when people are recounting what happened to them, I thank them for sharing that testimony and their experiences because it keeps the conversation going,” said Gemma. “As long as the spotlight is on it, then people have to pay attention and take action.”

Leave a Reply