One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

GDPR: Alumni processes

Friday, May 5, 2017 - 08:48

Most universities maintain databases of alumni, for purposes including keeping them informed about the organisation, offering services and seeking donations. These activities have a lot in common with other charities, so the Information Commissioner's guidance is relevant. Indeed the Information Commissioner's recent description of using consent-based relationships "to improve [supporters'] level of engagement with your organisation and encourage them to trust you with more useful data" is likely to be very much what universities are aiming for. However the way in which individuals join alumni databases is likely to be different from other charities, so it's worth reviewing these processes and communications in the light of planned changes to data protection law in May 2018.

Whereas most charities recruit supporters directly, in universities this will often take place as part of the individual's transition from being a student in a contractual relationship with the organisation to an alumnus with a long-term relationship based on freely-given consent. For both legal and practical reasons this transition needs to include an exchange of information: the university needs to inform the alumnus about future storage and processing of data, and obtain their consent to this (since it is no longer necessary for the purpose of education); the alumnus may well need to provide updated contact details, since those used while a student are likely to go quickly out of date.

In May 2018 the General Data Protection Regulation (GDPR) will change the requirements for consent to be valid; the European Commission's recently proposed draft e-Privacy Regulation may also change the law on how this may be communicated:

  • Article 13 of the GDPR sets specific requirements on the information that must be provided along with a request for consent: the organisation's identity and contact details; the purpose(s) of processing; how long data will be kept; how to exercise rights, including to withdraw consent and complain to a statutory authority; any third-party recipients of the data; any international transfers; any automated decision-making. Consent must now be indicated through a positive action (silence, or leaving a pre-ticked box, is no longer sufficient) and must be easy to withdraw. And a record must be kept of how consent was obtained, when, and on what terms.
  • The European Commission has recently proposed a new e-Privacy Regulation, which would extend the requirement to obtain consent before sending marketing messages (which may well cover supporter recruitment). At present prior consent is only required for e-mail, but the draft text would extend this to all electronic communications, including phone and SMS.

The combination of these two changes may make it harder to re-establish communications with alumni after they leave. In particular, if prior consent to electronic messages has not been obtained then universities may only be permitted to use postal mail, and that at a time when ex-students are particularly likely to have changed address. Starting the alumnus relationship before students leave should help to achieve a smooth transition.

Under the GDPR it may be possible to continue to use existing data about alumni, but only if the information and process used to collect it met the new GDPR standard. If this is not the case then new consents will need to be obtained. However recent cases of misuse of personal data by high-profile charities may lead alumni to expect this level of engagement anyway; the GDPR then provides universities with an opportunity to demonstrate that they are implementing best practice. Again, the possibility of changes to the law on communications means this may be easier if done before May 2018.


In discussions with a couple of universities, we've concluded that responsible alumni processes seem likely to satisfy the requirements of both the legitimate interests and consent bases for processing. While legitimate interests could let a university over-ride an individual's opt-out and consent could permit processing that was too intrusive for the balancing test, neither of those behaviours seems to fit into the sort of post-graduation relationship a university wants.

On what communications are needed, too, both bases seem to lead to very similar requirements in practice. Both require you to tell alumni how you will use their personal data. And if you've heard nothing – not even an address update – within a few years after graduation, then continuing to send messages to a student's old home address seems questionable in terms of expenditure as well as the data protection duty to keep information up to date.

The university that continued to send marketing to the previous owner of my house after I'd returned one envelope as "gone away" might well have problems satisfying either justification, but well-run alumni programmes shouldn't.