How will Brexit affect data access?

How would a ‘hard Brexit’ affect legal access to university data held overseas? Hazel Davis finds out

Though it’s folly to predict on paper what will happen with Brexit, as we go to print, the UK could still exit the EU with a ‘hard Brexit’. If this happens, there is real worry that businesses might not be able to access data held within the European Economic Area (EEA). But what does this mean for universities, and are we right to be worried?

What the law says

The UK government has already put legislation in place to ensure that a UK version of the GDPR continues to apply, and ICO (Information Commissioner’s Office) guidance will just need minor adjustment to reference the ‘new’ regime. Work is in hand to do this whenever the time comes. There are currently two options on exit day, whenever that may be, that are relevant to the flow of personal data. The Withdrawal Agreement will apply, which includes provisions whereby the UK and the EU respect each other’s data protection regimes during the implementation period, as they will be fully aligned at Brexit. The political declaration currently says that both sides will work to secure a European Commission adequacy decision to allow data to flow between the two areas at the end of the implementation period. The other option is leaving with no deal.

This means that organisations will need to ensure there are arrangements in place to allow data to flow from the EU to the UK. The ICO has issued extensive ‘no deal Brexit’ guidance to help organisations cater for that outcome. In the event of ‘no deal’, EU law will require additional measures to be put in place by UK companies when personal data moves from the EEA to the UK, in order to make them legal, and transfers of personal data from the EEA to the UK will be affected.

How is higher ed affected?

Higher education institutions use data overseas for research projects, but, as independent strategic data advisor Andy Youell points out: “As research projects tend to be based on ad-hoc arrangements with overseas partners, there is no widely adopted template approach here.” Internet privacy and ProPrivacy VPN expert Ray Walsh says: “Where it comes to data sharing between universities on the continent and those in the UK, the problem largely revolves around the fact that it is impossible for adequacy talks to begin until the UK has actually left the EU. This means that there is a lot of uncertainty surrounding what personal data will be able to flow uninterrupted from the EU to the UK and vice versa.” In theory, says Walsh, “UK Universities that currently receive applications from students living in the EU shouldn’t need to worry about processing their data, including names, addresses, and other personal information. Personal data from those applicants can be received and sent back to them legally because neither GDPR nor the Data Protection Act 2018 restricts the transfer of data directly to a consumer/student.”

[HEIs] need to conduct audits to determine what the state of play is and any action plan to address areas of improvement or concern – Shehzad Najib

Where an application to study in an EU or UK university originates with the institution itself – as is the case with Erasmus students, for example – Brexit may cause issues if data is being stored and processed on data servers outside of each respective region. Walsh warns: “This data will need to be covered by an adequacy decision, an appropriate safeguard, or an exception, in order for the data to be exchanged legally.”

“HEIs shouldn’t have any qualms in their data being stored outside of the UK, particularly where the cloud storage is using one of the large cloud vendors, such as Oracle,” says higher education sales consultant Louise Parker. “The policies they put in place for data privacy and protection are vastly superior to those that an individual HEI could put in place, due to their sheer size and scale of operation – alongside the damaging effect on their reputation that they would have in the event of a data breach. There is a desire to remain as close to EU legislation as possible.” However, she adds, “Let’s not forget that the majority of cloud vendors are US companies and as such, UK organisations have been putting their data into non-EU datacentres for a number of years. Providing that HEIs take care that their cloud provider ensures transfers of personal data outside the European Economic Area (EEA) are done in a compliant way (eg using the EU-US Privacy Shield or EU Model Clauses), there shouldn’t be cause for concern.”

Getting your affairs in order

Shehzad Najib is co-founder of educational portfolio and assessment platform Kinteract. He says that though organisations should seek legal advice on data hosting and protection, the immediate implication of a ‘hard Brexit’ would be an administrative one: “Leaving the EU presumably doesn’t mean that we believe our data is suddenly less secure there,” he says, “so the smart approach would be to ensure that we give the EU special treatment re data access and request them to do the same.”

Najib says that many higher education institutions “have more data stored overseas than they think, so they need to conduct audits to determine what the state of play is and any action plan to address areas of improvement or concern”. Various cloud-hosting providers allow you to specify which datacentre or region your data resides in. Software might have to be reconfigured – and in some cases re-engineered – to migrate.

Technically there should be no difference between private or public cloud, says Najib: “Practically speaking, quality public data services set the security bar at a higher standard than many private data hosts will be able to manage. For an organisation with true expertise in data security (such as MI6), private, and therefore total digital and physical control of the data, allows a higher level of protection.” The ultimate solution to data access is technical, says Najib, “as legal recourse will only ever take you so far”.

He adds: “Institutions can choose a cloud provider that offers a regionalised or home country instance or ask their current provider to switch their data centre (if offered). Most cloud providers are au fait with recent data protection and privacy legislation updates, and have built regionalised datacentres and continue to do so as part of their service offering.”

Overall, the EU is unlikely to want to harm EU students studying or seeking to study in the UK, Walsh agrees: “For this reason, it seems likely that universities and other institutions will be given the freedom to share data – providing that the EU’s strict GDPR rules are met (which they should be thanks to the UK’s Data Protection Act 2018). This is also how non-EU countries currently communicate with universities within the EU, which gives UK education institutions an idea (by comparing themselves to those in the US, for example) of how data will need to be treated.”
