Universities accused of hiding student suicides and suicide attempts behind GDPR : Should safeguarding override data protection laws?

Universities are entrusted with the care and education of their students, but recent events have sparked debates about what to do when the duty of care clashes with data protection. Viv Adams, ICO Parliament and Government Affairs team Principal Policy Adviser, said that under UK law, universities have the legal authority to share personal data in situations where there’s an urgent need to prevent harm: “University staff should do whatever is necessary and proportionate to protect someone’s life. Data protection law allows organisations to share personal data in an urgent or emergency situation, including to help them prevent loss of life or serious physical, emotional or mental harm.” This provision aims to enable institutions to intervene effectively in cases of potential loss of life or serious harm, whether physical, emotional, or mental.

But universities seem hesitant to do so: in recent cases, universities were accused of using data protection regulations as a reason for not informing parents that their child had attempted suicide. One notable case involved Cardiff University, where a student received an automated email informing her of academic failure shortly before her tragic death by suicide. Another example involved university announcing the death of a student by suicide before their family had had time to tell their wider circle of relatives, and deleting student records in advance of any coroner’s inquest. Other troubling cases include universities telling students by email that they were being expelled, awarding zero marks without explanation, and not calling emergency contact numbers in emergencies. These incidents, along with other reported cases of inadequate support and communication by universities, have underscored the need for a comprehensive review of safeguarding practices within the higher education sector. 

At a debate on the subject among MPs that took place in Westminster Hall, Nick Fletcher, Conservative MP for Don Valley, outlined the findings of a survey carried out which showed that about half of students felt their universities were unsupportive. In response to the survey he said, “Given students pay £9,000 every year to universities, the question is, is this acceptable?”

The debate over the introduction of a legal duty of care for students in higher education has gained traction, driven by bereaved parents advocating for greater accountability and support from universities. The petition calling for the introduction of a legal duty of care collected over 128,000 signatures. But the government’s response has emphasised existing duties of care owed by higher education providers, cautioning against the introduction of further legislation deemed disproportionate.

Prof. Steve West, vice-chancellor of the University of the West of England Bristol and president of Universities UK, which represents 140 providers, backed the government’s response and said the proposed additional statutory duty of care was not the best approach to supporting students. While acknowledging the imperative to enhance student support services, they advocate for a holistic approach that encompasses cultural shifts within universities and collaborative efforts across the sector to prioritise student well-being. Their guidance includes measures such as universities putting procedures in place to make sure that key family members, carers or friends are contacted if there are serious concerns about a student’s mental health, even without their permission.

These cases highlight the complex interplay between data protection regulations, duty of care obligations, and safeguarding responsibilities within universities. While legal frameworks provide guidelines, challenges persist in ensuring effective implementation and balancing students’ privacy rights with their welfare. 

Our HE/FE training

Having strong support services on campus, staffed with professionals who are well trained in these issues, can go a long way to improve student welfare outcomes. VinciWorks offers a package of courses for higher and further education, and also offers an automated data tracking and reporting solution. Our new video-led Safer Universities course explores the challenges that students face, dispels myths and gives clear guidance on the responsibilities of individuals, staff and students, to ensure they can act accordingly and responsibly. It includes both subject matter expert and lived experience interviews, some brief dramas, and the learning points unpacked in accompanying text in a dynamic and engaging way. It is structured around four main areas, safeguarding, extremism prevention, suicide prevention, and consent and sexual violence.

You can also download your download your free copy of our Safer Universities guide here.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.