
7.3. Legal Requirements

MLE implementation is likely to make a wider range of institutional data available to more people. Consequently, your institution will need to review its existing policies to ensure that your ICT systems operate within the law.

The following section does not aim to describe this process in detail, but rather to provide information on the most relevant legislation, and to highlight

  1. useful sources of information, and

  2. the key issues, so that sufficient time and resources can be allocated to the task.

7.3.1. Data Protection Act

The Act will apply to any MLE system in which personal data is collected, used or distributed. Your institution must ensure that

  • there are clear lines of responsibility for the data

  • it has detailed knowledge of what data is processed, and why

  • it informs users if any of their personal data is being processed, and why

  • reasonable steps are taken to protect the data

  • the systems for processing and protecting the data are monitored and evaluated

  • training on data protection is provided for all staff involved.

Your institution will need to carry out an audit of the requirements of the Act in relation to its systems. The JISC's Code of Practice on the Data Protection Act is a useful starting point for gathering information on these requirements. The following sections are particularly relevant to MLE implementation:

'HE and FE institutions are obliged under the 1998 Act to have in place an institutional framework designed to ensure the security of all personal data during the collection to destruction cycle. A key current international benchmark for Information Security Management Systems (ISMS) is BS7799. A framework that meets this standard will provide a high level of compliance with the 1998 Act. Where complete compliance with BS7799 is infeasible or unreasonable for all, or certain types of, institutional personal data processing operations, certain minimum standards should still be met. Such standards should ensure:

  • a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

  • that data security is assured no matter where or by whom data is stored or processed and throughout the whole procedure, including the transmission of data.

  • that there are clear lines of responsibility and the controller's ultimate responsibility for data security is clearly understood.

Your institution should, as a minimum, ensure that:

  • existing and proposed personal data processing operations are evaluated for potential risks in order to determine the cost, effectiveness and practicability of proposed levels of security.

  • appropriate levels of security are applied, commensurate with the anticipated risks, and appropriate to the type of personal data held.

  • agreed levels of security are applied, monitored and regularly reported upon as regards their effectiveness

  • all staff are trained to take effective action to protect personal safety, data and equipment (in that order) in the event of disaster.

  • competent people are assigned to be responsible for the accuracy and integrity of personal data held in each part of an institution's personal data processing operations.

Your institution should not:

  • display results outside their local area (e.g. via the Internet) without obtaining the consent of the data subjects; ...'

This has implications for management responsibility, requirements for training and documentation, and also technical development. As a recent JISC Report points out, the introduction of an MLE may require institutions to raise the level of security they provide in their systems:

'Authentication is currently used to identify the user and thus protect his/her file store and Email activities. With the introduction of an MLE, authentication may result in processes (e.g.: testing and other assessments) that contribute to the user's final degree status. Thus it is important that the strength of the authentication process, and institutional information security in general, be consistent with risks the institution would encounter if security measures were to fail. It would be useful to review current institutional security policies in light of these new requirements.' (JISC Report on Security)

It is important that the question of security is addressed at an early stage in the development of the MLE. This is one of the recommendations of the JISC Technical Review of Building MLEs in HE Projects:

'Many projects intend to secure their systems with SSL [Secure Sockets Layer] but towards the end of the project cycle. Aside from exposing users of prototype systems to the risk of plain text password interception, retrofitting SSL is not always straightforward. SSL should be used from the outset.'

7.3.2. Freedom of Information Act

The JISC has produced briefing papers on the Freedom of Information Act, and the separate Freedom of Information Act for Scotland. Public authorities (including universities and colleges) must deal with requests for information from individuals. A wide range of information is covered by the Acts, but it is important to note that personal information is one of the exemptions:

'There is an absolute exemption from the provisions of the FOIA if an applicant making a request for information under the FOIA is the subject of the information requested and they already have the right of 'subject access' under the Data Protection Act 1998. There is also an exemption from the provisions of the FOIA if the information requested under the FOIA concerns a third party and disclosure by the institution would breach one of the Data Protection Principles.' (See Key Resources: JISC Briefing Paper on the Freedom of Information Act.)

7.3.3. Current Law on Internet Service Provider Liability

If an MLE enables users to post their own material on the Internet, it provides new opportunities for copyright infringement and also defamation. The law in this area is developing, and providers of Internet services are increasingly seen as having some degree of responsibility for material that is posted or published in their systems. This involves taking practical steps to prevent infringements, and dealing efficiently with any that occur. The JISC guidelines on Internet Service Providers Liability include this useful checklist:

  • Has your Institution, in its capacity as an ISP, taken all reasonable steps and adequate measures to ensure that your network users are not making illegal use of their access?

  • Has your institution a system in place to fast-track the removal of obscene, illegal, infringing or defamatory content from your servers?

  • Has your institution configured the network to bar access to known sites that may be classified as defamatory, illegal, obscene, or infringing? Do the system administrators review this on a regular basis?

  • Is your institution operating its network in accordance with the JANET Acceptable Use Policy?

  • Following a hacking incident with one of your web pages, for example the defacement of your homepage, have you an emergency procedure in place to restore the site and to remove the un-vetted content? This may be especially relevant to institutions with a younger student population. Have you an appropriate legal disclaimer on your website? Have you specified the applicable jurisdiction in the event of a dispute?

Another JISC paper, 'FE/HE Institutions and Liability for Third Party Provided Content' suggests a number of strategies which FE/HE Institutions can use to reduce the risk of liability. These include

  • Formulating an Acceptable Use Policy, which

    • staff and students are required to agree to

    • incorporates a clear 'notice and take down' procedure for dealing with reports of infringements

    • is supported by a clear internal disciplinary system.

  • Restricting membership of bulletin boards and discussion groups to limited numbers of registered users.

It also recommends that institutions do not attempt to monitor all activity on their systems:

'What institutions must not do is to adopt a policy of general monitoring of their servers and/or user accounts. By adopting such editorial control an institution can open itself to liability as a publisher under the Defamation Act, or, in relation to content more broadly, may put itself in a position where it could be considered that due to a policy of active monitoring it should have been aware of certain illegal content which has 'slipped the net'.'

7.3.4. Special Needs and Disability Act 2001

The JISC's briefing paper on Disability Legislation and its Effect on Information Services in Further and Higher Education draws attention to the requirements of the Special Needs and Disability Act (SENDA):

'FE and HE institutions have two broad sweeping duties under the SENDA with effect from 01 September 2002. These are as follows:

  • A duty not to discriminate by treating disabled students less favourably, without justification, for a reason which relates to their disability

  • A duty to make reasonable adjustments to ensure that disabled people are not put at a substantial disadvantage in comparison with those people who are not disabled when accessing or trying to access Further and Higher education.'

The paper goes on to argue that these general requirements extend to an institution's Web-based systems:

'Is it a reasonable adjustment to modify or design a web site to make it accessible? Although not definitive, all the indications are that the answer to this question is yes.

When updating or redeveloping a website accessibility is a major issue and should form part of the specification.'

As with security, it is important that accessibility is 'designed in' to a web site at an early stage in its development. Also, many commentators on Web design make the point that there is a strong link between the requirements of accessible, disability-friendly Web sites and general principles of good design and usability.

Follow this link for key resources for this section (these open in a new window)

