Tag Archives: legislation

Trust and Technology

Ed Stout
Support Services Manager
Leeds Beckett University 

EUNIS 2017

The final keynote session of EUNIS 2017, from Nikolas Guggenberger, RWTÜV Foundation Assistant Professor of IT Law at the University of Münster School of Law, took an interesting look at ‘Trust by technology from a legal perspective’ in the form of a deeper investigation into public Blockchain, the technology behind crypto-currencies such as Bitcoin. Very early in the presentation, Nikolas had us asking ourselves “what causes us to trust something or someone?”, an intriguing question and not one I had spent much time thinking about before. My initial thought was simply that trust is something I personally build through experience, but is that really an option in the anonymous world of virtual currencies?

Nikolas gave those of us less educated on the workings of public Blockchain an insight into what it is and how it functions. A Blockchain is a distributed, decentralised database, which came to public attention through the rise of the most successful crypto-currency, Bitcoin. It uses mathematics, cryptography and a network of distributed users (PCs) to ensure the authenticity of a transaction in a way that can be verified by the whole community. The members of the community that verify this authenticity can take a small transaction fee for playing their part in the process (this is known as mining).

The huge potential of a public Blockchain is yet to be fully unlocked, but the principle in use removes the need to trust third parties such as banks during transactions and instead relies on trust in the Blockchain itself. Nikolas illustrated the scope of trust by Blockchain in a diagram.

Nikolas offered us a very interesting insight into the potential of Blockchain and some of the legal considerations from his professional viewpoint. It became clear that there is huge scope for benefits to be realised beyond those currently being achieved with Blockchain, and that these could become standard in our future. I found it a highly interesting keynote and one to investigate further in the coming weeks and months.

This blog post first appeared on http://www.edstout.co.uk/2017/06/27/day-3-reflections/

Consequences for an IT Department of the General Data Protection Regulation (GDPR)

Ed Stout
Support Services Manager
Leeds Beckett University
EUNIS 2017

During his EUNIS 2017 keynote ‘General Data Protection Regulation – Consequences for an IT Department’, Rainer W. Gerling, CISO of the Max Planck Society and Honorary Professor for IT Security in the Department of Computer Science and Mathematics at the Munich University of Applied Sciences, took us on a journey to better understand the General Data Protection Regulation (GDPR), which will soon be fully in force within the European Union. In 2012, the European Commission tabled an initial proposal to regulate data protection within the EU, and by the end of 2015 the European Commission, European Council and European Parliament had come to an agreement to take it forward. At this point in 2017 we are in the grace period before it formally comes into full force on 25th May 2018… which leaves all of us with not a lot of time to get our houses in order!

Microsoft, in developing the Windows 10 operating system, now offers more than 50 native data protection settings within ‘Privacy Settings’; however, Rainer stressed that it is highly important that we in HE review these settings and adjust them from their defaults.

Given the serious nature of the proposed fines, which can be as much as €20 million if an organisation is found in breach of the regulations, it is certainly worth taking the new legislation very, very seriously. Encryption is paramount in accordance with GDPR Article 32. And what needs to be encrypted? Well, pretty much everything!

Technically, standards which are considered ‘state of the art’ only remain so for a limited lifespan as new and improved solutions are developed, as Rainer demonstrated in relation to cryptographic protocols. It is therefore important that we continually review our measures to ensure that we are meeting legislative requirements.

So what should we be doing now? We should be:

  • Contacting our relevant data protection officers to discuss the implications of the legislation in line with our own institution’s technical configuration.
  • Acknowledging that it is not simply the IT department’s responsibility to ensure that we meet the relevant legislative needs, but that the University as a whole is responsible.
  • Documenting our technical measures in line with ISO27000.
  • Collaborating with other HE institutions.

And we should be…

  • Improving our technical measures and accepting that state of the art is a moving target.

Rainer suggests that the current technical recommendations are:

This blog post first appeared on http://www.edstout.co.uk/2017/06/27/day-3-reflections/

HERB, TEF and Brexit – a maelstrom of change

In this post to accompany the Exhibitor briefing for the UCISA17 Conference, UCISA Executive Director Peter Tinson considers the current political landscape and its impact on the education sector.

The machinations of leaving the European Union continue to feature strongly in the news headlines, and this is likely to remain the case at least until there is some clarity on the UK’s future relationship with the remainder of the EU (and probably for some time after that). However, the impact of Brexit is already being felt by higher education institutions. The number of EU students applying for undergraduate study through UCAS fell by 7% from last year, contributing to an overall decline in applications at the January UCAS deadline. Although UCAS receives a good proportion of applications after this deadline, most of these come from the groups that have seen the steepest decline in applications (international, EU and older (19+) students), so there is little ground for optimism that the numbers will recover.

In addition to Brexit, the Government policy of placing tighter restrictions on visas for non-EU students has also had an impact. Since 2010, when the Coalition Government came to power, the number of international students has fallen by around 43,000. The fall has been concentrated in the middle and lower ranking institutions and contrasts with other higher ranked institutions that have increased their international student intake, in some cases substantially. In England, this compounds the effect of competition for undergraduate places that resulted when the cap on student numbers was withdrawn. The more successful institutions have managed (and in many cases, planned) to increase undergraduate student numbers with the lower ranked institutions failing to attract their target numbers. As a consequence, the gap between the most successful and those that depend on student recruitment will continue to grow.

There is potentially some good news for the sector with the publication of the Government’s Industrial Strategy. Although the full details have yet to emerge, universities will benefit both from investment in innovation, technology and research and from a strengthened regional development agenda. In addition, there are proposals for new institutions of technology that will deliver vocationally focused qualifications in STEM subjects. What the relationship will be between such institutions and their local universities and colleges remains to be seen – given the developments in the further education sector (see below), partnerships between institutions of technology and universities cannot be ruled out.

The Government announced a number of amendments to the Higher Education and Research Bill. These may appease some of the Bill’s critics, particularly in the House of Lords, and subsequently ease its passage through Parliament. The Bill has not been watered down completely however – there remain some potential disruptors to the sector and Jo Johnson’s desire to see new entrants to the market remains strong. There is a strong push towards the provision of accelerated degrees. It will be interesting to see if those institutions that are currently suffering falling student numbers take the opportunity to develop accelerated degree programmes or whether alternative providers will see a gap in the market to develop new offerings.

There is reference to the Teaching Excellence Framework (TEF) within the Bill, with the amendments deferring implementation of a subject-level TEF to 2019/20. The TEF will continue to evolve – the suggestion is that this year will be one to see the effect and impact, with any lessons learned giving rise to change in subsequent years. Any changes may have to take into account the sector’s response to the new measure. The TEF can apply to any higher education provider, be it a traditional institution, a further education college providing HE, or an alternative provider. There appears to be some dissension in the ranks – WonkHE has identified six institutions, including two alternative providers, that opted out of the first stage and reported that thirty-three institutions have opted out of TEF2 despite being eligible. Is this an indicator that an exercise that was initially badged as light touch has now become sufficiently burdensome that the burden outweighs the value to the institution?

Finally, the reports on the further education area reviews in England have been published since November. The reviews invited colleges, employers and other local representatives to review provision and make recommendations to “ensure employers and young people get the skills and training they need to help their local area thrive”. Most recommendations centre on mergers, consolidations and strategic collaborations. Whilst many of the proposed mergers have been between further education colleges in a given area, there have been a number of collaborations proposed between further and higher education institutions and at least one merger between an FE college and a university. The proposals in England are similar to recent changes made to the further education sector in both Scotland and Wales – with both higher and further education now under the same Government department, could this be the precursor to closer collaboration and an integrated skills and higher education policy?

Sources:
Times Higher: UK’s ‘lower ranked’ universities take non-EU student hit (23 February)
WonkHE: Path clears for HE Bill as Government announces major changes (24 February)
WonkHE: TEF1, TEF2 and a complex game of snakes and ladders (20 February)

GDPR – Understanding Penalties, Fines and Liabilities

In his second post, Craig Clark, Information Security and Compliance Manager at the University of East London, looks at the interpretation of Article 83 of the General Data Protection Regulation.

GDPR – Understanding Penalties, Fines and Liabilities

Introduction

The introduction of the General Data Protection Regulation (GDPR) has been dominated in the main by one topic: what fines organisations could face if they are found by a supervisory authority, which in most cases for the UK will be the Information Commissioner’s Office (ICO), to have breached the GDPR.
Many media outlets have been quick to leap on the fact that the maximum fine for non-compliance is €20,000,000 or 4% of global annual turnover, whichever is higher. However, in the haste to report this, many commentators have forgotten to clarify that this is the maximum fine. Below, I have attempted to break down the conditions for imposing administrative fines and show that there is a bit more to it.

Understanding the Fining Structure

The GDPR has been designed to ensure that organisations take appropriate measures to protect personal data against the risks of loss in the 21st century. For organisations that fail to meet the requirements, the GDPR allows the supervisory authority to take a range of actions, including:

  • Issue warnings;
  • Issue reprimands;
  • Order compliance with data subjects’ requests;
  • Communicate the personal data breach directly to the data subject.

In addition to the above, the supervisory authority has the power to impose administrative fines that will in each case be effective, proportionate and dissuasive.

There are two tiers of administrative fine that can be imposed. The maximum fine for the first tier is €10,000,000 or, in the case of an undertaking, up to 2% of total annual global turnover (not profit) of the preceding financial year, whichever is greater. The second tier maximum is €20,000,000 or, in the case of an undertaking, up to 4% of total annual global turnover (not profit) for the preceding financial year, whichever is greater. The fines within each tier relate to specific articles within the Regulation that the controller or processor has breached. As a general rule, breaches of obligations by controllers or processors will result in a fine within tier one, while breaches of data subjects’ rights and freedoms will result in a fine within tier two.

Question: Does your organisation understand which articles of the GDPR relate to a tier 1 or tier 2 fine?

How will Fines be Determined?

The GDPR is clear that, in order to ensure any fine is proportionate, a range of factors will be assessed by supervisory authorities when investigating organisations that breach the GDPR.

Of key importance will be the nature, gravity, duration and character of an infringement. It is also worth noting that actions taken by the controller or processor to mitigate any damage suffered by data subjects, along with the degree of responsibility for the technical and organisational measures implemented by controllers and processors to prevent the breach occurring, will be considered during an investigation.

The Regulation also allows the supervisory authority to take a holistic approach to an investigation and consider factors such as infringement history (including previous correction notices), level of co-operation, the categories of personal data affected, the manner in which the breach became known and was reported, the level of adherence to approved codes of conduct or certification mechanisms, and any other aggravating or mitigating factors.

Minimising Fines

It is logical to suggest that an organisation which demonstrates a positive approach to ensuring security, with a range of technical, management and operational controls, will receive a lower fine than an organisation that takes no measures or blatantly disregards its obligations under the GDPR. It is also worth noting that the Information Commissioner has made it clear that, in terms of incident reporting, organisations that proactively report breaches will be given more credit than organisations that do not report a breach that is then discovered by a third party.

Question: Does your organisation currently document breaches? If it does, how are these reported?

In summary, organisations can significantly reduce the likelihood of receiving a maximum fine by establishing a culture that promotes information security best practice and an ethos centred on protecting personal information. As we have seen with the outcome of the TalkTalk breach, the ICO is now entering a new phase of exploring the upper limits of the monetary fines available to it. It is highly likely that this trend will continue into 2018, meaning that GDPR compliance should be high on the list of 2017 objectives for organisations that fall within its scope.

EU-GDPR: Using the fear stick is missing an opportunity

The General Data Protection Regulation is scheduled to come into force in May 2018. As it will be EU law before the process to leave the EU is completed, it will be one of the pieces of legislation that roll over into UK law. In this article, first published on LinkedIn, Craig Clark, Information Security and Compliance Manager at the University of East London, highlights the opportunities GDPR presents.

For those that have worked in privacy for a long time, the path towards the final draft of the General Data Protection Regulation has been incredibly long (2011) and at times frustrating. Now that the countdown is well underway, CIOs, information security types and those in IT or legal functions seemingly can’t escape the barrage of GDPR-related content on their news feeds and meeting agendas.

I have kept a close eye on how the GDPR compliance issue is being pitched by vendors, lawyers and GRC consultants, and in an overwhelming number of cases the key point they want to drive home is the increased penalties for non-compliance – usually with a headline similar to: IF YOUR ORGANISATION DOES NOT COMPLY WITH THE GDPR IT COULD BE FINED €20 MILLION!

While this is technically correct, it is entirely misleading, not least because the next line should read ‘or 4% of annual global turnover, whichever is higher’. The GDPR is about much more than penalties, fines and liabilities. While one of the core aims is to enhance the protection of data subjects with a significant increase in their rights, there are many potential benefits for organisations. The problem is that by leading with a large negative, there is a serious risk that the advantages the Regulation offers are going to be overlooked.

Let’s take a look at some key advantages:

Improved Records Management

Perhaps the most obvious benefit is that the GDPR presents an opportunity to explore and refresh how you gather, store, use and delete data. This is a chance to unlock real business value from all that personal information you currently curate, often, at the moment, for no other reason than because it is there. Holding it leads to huge costs of storing unnecessary data and the complex challenge of now trying to unravel what needs to be stored for business purposes. By employing data minimisation, and ensuring that data subjects’ data can be kept up to date as a matter of design, organisations could benefit from:

  • improved efficiency in customer interactions
  • reduced data storage costs (electronically and physically)
  • less wasteful marketing campaigns that use out-of-date information
  • lower security risk due to less personal data on file
  • lower likelihood of regulatory intervention

Development of Trust

For many organisations trust is the hardest virtue to instil in their customers and the first thing to be lost when things go wrong. If we take the TalkTalk data breach as a classic example, their customer base reduced significantly in the immediate aftermath of the breach and, despite major changes to their information security practices, this has had a significant impact on their customer numbers and subsequently on the forecasts they can make about future performance. Quite simply, people no longer trust them.

By mandating improved security and reporting, the GDPR gives organisations the opportunity to show that they take the security of customers’ data seriously. After all, without that data, what would the business be? By actively demonstrating a willingness to comply with and embrace the GDPR, organisations will demonstrate a strong commitment to their customers and keep them coming back, protecting and growing the organisational brand.

Improved Operational Effectiveness

One of the most positive aspects that can be taken from the GDPR is that it allows businesses to fully champion a risk-based approach to information management. This means that whilst the rules are the same for everyone, how these rules are applied will largely be up to the organisation to decide, depending on the level of risk that a given data activity presents for people’s privacy. Many of the obligations in the GDPR can be implemented in varying degrees depending on the risk appetite. This means that organisations can choose to implement procedures and practices based on their business and the level of privacy they need to provide, rather than implementing procedures for the sake of it. This could be regarded as a source of uncertainty for the C-suite, but in practice the risk-based approach is what will make the GDPR not only effective but fair.

Pulling it Together

Once an organisation has looked past the headlines and begins to scope out how it is going to achieve compliance, the obvious question is “Where do I start?” Make no mistake, GDPR compliance will be complex for medium to large enterprises, but there is a path through it. One of the first things organisations should look at is the ICO document ‘12 steps to take now’. This guide will allow organisations to begin planning and feeding in their specific requirements. Once the initial plan is outlined, it is my view that the smoothest path to compliance is to integrate a Personal Information Management System (PIMS) into the current business model. For organisations that utilise an Information Security Management System (ISMS) such as ISO27001 this will be familiar territory. For those that do not, the current PIMS standard in the UK is BS10012:2009; however, BS10012:2016 is being rewritten to include the requirements of the GDPR. Implementing this standard will allow an organisation to benchmark its personal information management practices against recognised best practice. Crucially, it will also allow organisations to produce auditable evidence of their data privacy practices and go a long way to satisfying the Information Commissioner’s Office that organisations have taken on board that data privacy is no longer ‘best efforts’.

New Prevent guidance – challenges and considerations

Last month saw HEFCE issue a revision of their framework for monitoring the Prevent duty in higher education institutions in England. The revised framework places a clear onus on institutions to evidence that they have followed due process when considering their Prevent duty. Further, it is worth considering the Prevent duty and the implications of the monitoring requirements when reviewing institutional policies.

Although the HEFCE Framework has been updated, the Home Office guidance underpinning it has not altered since the initial framework was published. Paragraph 27 of the Home Office guidance states that there is an “expectation that institutions will have policies around general usage […] we would expect these to contain specific reference the statutory duty”. It is pleasing to see that the Advice note (also updated) that accompanies the updated Prevent monitoring framework points to the UCISA Model Regulations and the suggested amendment to accommodate the counter-terrorism legislation.

Paragraph 27 goes on to state that institutions “should consider the use of filters” as part of their overall strategy to prevent people from being drawn into terrorism. The HEFCE framework places more emphasis on the need “to consider” by directing providers to provide specific comment on “their approach to web filtering in relation to the Prevent duty, particularly where a decision has yet to be taken at the time of the provider’s previous submission to HEFCE”. The Advice note asks “What factors were taken into account when considering whether and how to use filtering to limit access to harmful content? Has a final decision been taken on web-filtering and how has this been reflected in IT policies and communicated to staff?” (interestingly, the framework doesn’t ask for evidence on how it has been communicated to students). What is important is that institutions should take a risk-based approach to assessing whether or not they should implement filtering, and use the conclusion from those discussions in their evidence to HEFCE.

So what are the potential impacts on policies (and in this regard, the regulations on the use of IT facilities and the network should be regarded as policy)? If there is no filtering, then it needs to be clear in the regulations (for both staff and students) that the network is monitored and that any research that may access material of an extremist nature will require specific approval (for example, through a research ethics committee). That approval is still needed if filtering is in place, but in that instance it will be required in order for IT service departments to have authority to turn filtering off for given individuals or research groups. There remains a concern that if there is a public statement to the effect that filtering has been turned on, those of inquisitive mind will look at ways of circumventing it, and those who are at risk of being drawn into extremist activities will seek other ways of accessing such material.

Finally, the Advice note suggests that HEFCE is looking for further evidence of IT policies to provide oversight of websites and social media output across the institution, asking about arrangements for managing both the institution’s ‘branded’ websites and social media and the Students’ Union (and their societies) websites and social media, to ensure that they are not used to promote extremist materials or activities. A blend of approaches is probably needed here. The regulations for use of institutional IT facilities should give adequate coverage for institutional websites – they are likely to be established using institutional resources and maintained by institutional staff. If not, then it may be necessary to include specific Prevent-related conditions in contracts where website content is maintained externally. There need to be named individuals (or groups of individuals) with responsibility for officially sanctioned social media accounts who will be bound by the regulations (as outlined in the Social media for staff legal checklist published by Jisc and included in the UCISA Social Media Toolkit). It may be necessary to come to separate arrangements for the Students’ Union – they are often separate legal entities and their services may not be hosted by the institution. In these instances, there may be reliance on clauses relating to bringing the institution into disrepute to take action against an individual (which may or may not be an IT regulation issue), or on a specific agreement (such as within a tenancy agreement) with the Students’ Union to ensure monitoring takes place.

Peter Tinson
Executive Director
UCISA

The current environment

The run-up to the General Election in 2015 saw very little in the form of legislation and little change in the sector. The year since has been far busier, with the publication of the Green Paper Teaching excellence, social mobility and student choice, the introduction of the counter-terrorism duty on higher and further education institutions (the PREVENT duty), the drafting of the Investigatory Powers Bill, and consultations on the information provided to students and the HESA Data Futures programme. The proposals within the Green Paper require refinement – it is not clear what the impact will be on institutions, and it is anticipated that there will be further consultation during 2016. Although the Paper only applies to higher education in England, it is probable that a number of the measures proposed will also be introduced in time in the other countries of the UK.

The publication of the Green Paper in November demonstrated that the Westminster Government is looking to shape the English higher education sector rather more than it has in the past, with emphasis on teaching excellence, better information for students and widening participation. The Green Paper contained little detail and it is not clear how soon detailed proposals will be presented. The BIS Select Committee, whilst welcoming the approach in principle in its recent report, urged caution over the pace of implementation, noting that the second stage of the Teaching Excellence Framework “should only be introduced once Government can demonstrate that the metrics to be used have the confidence of students and universities”. The Green Paper also noted that universities needed to be more accountable for how student fees are spent. This reflects a theme first visited in a Private Members’ Bill tabled by Heidi Allen, Conservative MP for South Cambridgeshire, so it is perhaps not surprising to see elements of her proposals feature in the Green Paper.

Despite the emphasis on a light-touch approach, it is evident that universities and colleges will need to make effective use of data in order to meet the anticipated requirements of the Green Paper. There are a number of other developments that will place similar demands on our institutions. The HESA Data Futures programme is seeking to redesign and transform the collection of student-related data. The programme is in its early stages, with a recent procurement to appoint an organisation to design and deliver the future business process, technology and application architecture. UCISA will continue to ensure that suppliers of student records systems are engaged with this initiative. Further, the Higher Education Commission’s report From Bricks to Clicks notes that data analytics has the potential to transform the higher education sector, but cautions that UK institutions are currently not making the most of the opportunities in this area.

There continues to be funding pressure on all UK higher education institutions. In Northern Ireland funding has reduced by 28% in real terms since 2010/11, leading to downsizing by the universities in the province. In Wales, a cross-party review of higher education funding and student finance arrangements is due to report in the autumn. Although funding cuts proposed by the Welsh Government have been rescinded, it is likely that there will be some rationalisation within the sector over the coming year. The Scottish Funding Council has also cut the level of funding, with some institutions noting that continued cuts put “pressure on institutional viability”. In England, the introduction of competition has resulted in some big winners and losers – those institutions which have seen a fall in student numbers are now having to cut their cloth accordingly. In the further education sector, the outcome of the Area Reviews is expected to be mergers between further education colleges.

There may be a lull in the development of policy as elections for new administrations in Scotland and Wales take place in May, followed by the referendum on the UK’s EU membership in June. It remains to be seen whether changes in the constituency of those Governments are reflected in changes in education policy. It goes without saying that a vote to leave the EU would also have a significant impact on universities and governmental policies. 2016 promises to be an interesting year.

    Prevent duty – getting the background

    I’m sure many of you have been following the twists and turns of the Prevent Duty through to the 18th September when it came into force.

    Andrew Cormack has discussed the Prevent Duty guidance within his Regulatory Developments blog  over the last 18 months. I have been keen to understand the implications specifically for Loughborough University, especially with the scaremongering by some that we would be forced to implement comprehensive content filtering; an impartial, fact-based viewpoint from Andrew has been well received.

    I am pleased to see Andrew’s blog referencing our ‘proportionate and appropriate’ understanding in his recent post, the “Government again stressed that measures should be proportionate and appropriate to the risks faced by individual institutions.”

    The work surrounding the Prevent Duty has a number of stakeholders within a University; and has been driven by Student Services at Loughborough. Clearly there is a place for the IT business unit to have an input to this policy, but I wanted to ensure I had a background knowledge when contributing.

    The main purpose of this blog post is to raise awareness of a really helpful resource: the Jisc WRAP (Workshop to Raise Awareness of Prevent) training. I attended the two-hour course a couple of weeks ago to gain a background to the Prevent Duty, and it fulfilled my learning objectives entirely.

    The course is delivered using the online Adobe Connect software; all you need are headphones and a microphone (most computers now have a microphone built in, so a pair of headphones just helps minimise audio feedback). The beauty of this course is that you can attend from anywhere: your office, a quiet room, home, etc.

    It was really interesting to hear the viewpoints of other delegates, who came from very diverse backgrounds; in fact I was the only person from HE IT. To manage expectations, the course is not designed to inform IT departments about IT controls, but rather to provide “… an understanding of the Prevent strategy and your role within it.”

    I found the course extremely helpful as background for engaging with our Student Services department; it was very well delivered using a variety of engagement tools: video, polls, chat, discussion forums, etc.

    If you are looking for a background to the Prevent Duty, this course from Jisc Training Technologies is excellent and comprehensive, and in my view an exemplar of how to deliver online learning.

    I would also encourage colleagues to let other areas of their institution know about the course: Student Services, Academic Registry, Students Union, Physical Security etc.

    Matthew Cook
    Assistant Director of IT
    Loughborough University

    PREVENT and the model regulations

    The Counter Terrorism and Security Act passed onto the statute book earlier this year. Although the legal duty on higher education providers has yet to pass through Parliament, the Home Office has issued guidance for universities and colleges which institutions may use in preparing to meet the duty.

    The guidance includes very little on ICT. It does make reference to the existence of acceptable use policies that determine what is and is not permissible use of institutional IT facilities, and to the expectation that those policies contain specific reference to the statutory duty. With a new academic year about to begin, it is apposite to review regulations. UCISA’s Model Regulations for the use of institutional IT facilities and systems largely meet the requirements of the Act in that they encourage users to behave lawfully and have provision for dealing with those who do not. Although there is reference to the expectation that users should recognise that their behaviour is subject to the law of the land (and clearly the Counter Terrorism and Security Act falls under this umbrella term), the Model Regulations can be strengthened by adding a statement that the institution has a duty under the Act and by referring to the Act itself in the list of relevant legislation. Paul Lambert, IT Director at Teesside University, offers an example modification, changing the first line of section 7.4 (Inappropriate material) to read:

      < Institution > has a statutory duty, under the Counter Terrorism and Security Act 2015, termed “PREVENT”. The purpose of this duty is to aid the process of preventing people being drawn into terrorism.

      You must not create, download, store or transmit unlawful material, or material that is indecent, offensive, defamatory, threatening, discriminatory or extremist. The University reserves the right to block or monitor access to such material.

    Currently the duty on HEIs builds on the good practice that already exists in most (if not all) institutions. Although it is not anticipated that the legislation determining HEIs’ duty within the remit of the Act will greatly alter that, we will hold off on any formal revision of the Model Regulations until the impact of the duty is fully understood.

    Finally, ICT is just one of the areas that the guidance covers; for a more comprehensive overview of the current position for higher and further education institutions, see Andrew Cormack’s blog.

    Peter Tinson
    Executive Director
    UCISA