InAcademia Blog

How InAcademia helps to support corporate GDPR obligations: Data protection by Design and Default

With the increased awareness of data privacy and the requirements of GDPR, it is vitally important for businesses that rely on personal information concerning European data subjects to manage personally identifiable information ethically and legally.

Today's generation of higher education students is arguably the most digitally connected and privacy conscious demographic group in history. So much of their personal life is conducted online that they are rightfully wary of sharing too much information with companies lest it be exposed or misused.

Compliance with GDPR is therefore not only a legal necessity but the structured approach it promotes also helps to design excellent business practices.

If your business offers services to students, you need to be able to accurately verify their student affiliation with a university. No matter how you choose to do this, your method could unnecessarily expose you to the risk of non-compliance or introduce the risk of a data breach.

All businesses need to comply with data protection regulations, and this can have a significant impact on the amount of effort needed to manage customer information.

The Seven Principles of GDPR Compliance

  • Lawfulness, fairness and transparency. It is vital to determine a lawful basis for the collection and processing of any data that is used to verify student status. It’s necessary to be clear and open with users as to exactly how the information requested to evidence their student affiliation is to be used and kept safe.

    When asking a user to upload an image of a student card or to cite their academic email address, it might not always be clear to the user exactly which elements of the data you plan to use and how. Given that 4 out of the 5 biggest fines issued for GDPR non-compliance were due to issues around the clarity of what users were consenting to, a solution is needed to clarify this grey area.

  • Purpose limitation. When buying in data from third parties to utilise in the student affiliation validation process, or when using data originally collected from users, the data can only be used for its original purpose and must not be used for other purposes such as marketing emails or shared elsewhere in the organisation. Use of personal data without consent is the most common reason for non-compliance fines, with 40% of cases seeing users’ data being used in a way they had not consented to.
  • Data minimisation. It’s only allowable to collect personal data that is adequate, relevant and limited to what is necessary. Collecting and storing personally identifiable information beyond these limitations reduces the user’s trust in your business, increases the risk of it being used without the required consent, and could even create a valuable target for thieves. Working with data minimisation in mind reduces operational overheads, as there is ultimately less data to manage.
  • Accuracy. As well as ensuring any data that is collected is accurate, GDPR also requires you to ensure that this data is kept up to date. In the case of student verification this is not always straightforward: a student ID card or enrolment certificate is, strictly speaking, only accurate at the point at which it is issued. After that there is no guarantee of its accuracy, even if the ID contains an expiry date, and it is the responsibility of the organisation collecting the data to take reasonable steps to ensure that incorrect or misleading personal data is either updated or erased. Valid university email addresses also come with issues around accuracy (see Why email is a poor way to identify students).
  • Storage limitation. If you are providing an ongoing service rather than a one-off purchase, how will you re-verify a user’s affiliation in the future without storing personal data (and in doing so, how do you satisfy yourself that the stored data is still accurate)? And what about products that might require future purchases? Do you store the data just in case, and if so, for how long?
  • Integrity and confidentiality. Data security is a huge undertaking and it goes beyond just technical security; it also encompasses organisational measures such as security policies and procedures as well as staff training. In short, data must be stored in a way that ensures protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

    The risks associated with not getting this right are significant. Perhaps the most high-profile example of this was British Airways, which, in 2018, allowed the personal details of 400,000 customers to be compromised. According to the ICO the breach was preventable, but BA’s security measures were inadequate. The breach resulted in BA receiving a fine of $26m. For many organisations the reputational damage of a data breach can be far worse than the financial implications.

  • Accountability. The final step to GDPR compliance is accountability and governance, and it is your organisation’s responsibility to demonstrate that appropriate measures, controls and records are in place. Best practice data governance requires the creation of data processing agreements with any third parties who process personal data on your behalf, but how realistic is it to create and maintain bilateral DPAs with a vast number of national and international institutions and multiple data sources, before it becomes unscalable?

InAcademia: the solution for GDPR compliance for validation of academic affiliation

Managing personally identifiable information is not something that can be taken lightly. One solution to mitigate the various risks involved is to minimise the amount of data you are collecting and storing. This is where InAcademia can help.

InAcademia provides a secure, real-time affiliation verification service that is highly privacy preserving. It provides a link between businesses and the global academic federated identity service eduGAIN and can provide evidence of academic affiliation without compromising the user’s privacy. There is no need to collect and store photos of ID cards, to maintain databases of university email addresses or other similar information. InAcademia was created and is operated with the concept of privacy by design and default at its heart.

  • Lawfulness, fairness and transparency: When using InAcademia, you can relay to the user exactly what information is being used to validate their academic affiliation, and InAcademia is careful to ensure that consent is requested from the user before sharing it with your organisation.
  • Purpose limitation: Our solution returns a value which verifies an individual’s affiliation with an institution, along with a pseudonymised transient or persistent identifier, and because no further auxiliary information is transferred in the validation process, there is a reduced risk of the purpose of use deviating from that consented to.
  • Data minimisation: This is the core concept of InAcademia; we exist in order to minimise the data required to prove an affiliation with an institution. To validate academic affiliation at any one of the institutions that have enabled InAcademia, there is no need to request document uploads or academic email addresses.
  • Accuracy: InAcademia obtains its verification directly from the user’s institution in real-time, and therefore the information is as reliable as having sourced it directly from the institution, and it is always fresh.
  • Storage limitation: When the initial validation has been performed, there is no need for your organisation to store the validation result, and when up-to-date evidence is needed, the service is cost effective enough to request a fresh validation.
  • Integrity and confidentiality: By using InAcademia you help to mitigate the risks posed by data security. For businesses that have a requirement to identify returning customers we can provide a pseudonymised identifier unique to that user that can help to ensure that users aren’t able to benefit from one-time-only offers.
  • Accountability: When using InAcademia, you need only agree to one data processing agreement, and you benefit from our existing trust relationships with hundreds of institutions across Europe.

Find out how InAcademia provides this service and how you can benefit from using InAcademia when supporting student users.

https://inacademia.org/technical-overview/
