Respecting the privacy of University websites’ visitors across the estate

Since the introduction of the European Union (EU) cookie legislation in 2013, and after the General Data Protection Regulation (GDPR) implementation in 2018, the University has taken extensive measures within the central University Website (EdWeb) to reduce the risk of capturing and storing user privacy-invasive data. Additionally, platform-agnostic guidance and support has been available for the wider University web publishing community to ensure that the University web estate follows best practice in its entirety. Reflecting on the latest published guidelines by the Information Commissioner’s Office (ICO), a series of strategic activities has kicked off to ensure the University’s approaches are up to date and appropriate.

Guidance on the use of cookies and similar technologies

How can University websites be GDPR compliant?

The most fundamental element of GDPR compliance is no different to the most basic of website governance advice: all website owners need to make sure they’re on top of all aspects of their website. This does not only include structure, content and analytics but, even more fundamentally, its accessibility and the amount, and type, of visitor data stored. Ideally, this should be an activity undertaken during the design, development and update phases for each website.

Having said that, it’s totally appropriate, and necessary, to do a website audit at any time to ensure there’s a clear and accurate picture of how privacy guidelines are adhered to. This audit should cover all user data capture points, e.g. web forms, how these are handled and, of course, the website’s cookies. The University’s data protection office has published extensive guidelines in a series of privacy-related items.

GDPR Guidance – University Data Privacy Office website

More specifically, there are two main areas to pay attention to: Privacy notices and Cookie consent compliance.

Privacy notices

A privacy notice is a statement that describes how the University collects, uses, retains and discloses personal information. Different organisations use different terms and it can be referred to as a privacy statement, a fair processing notice or a privacy policy. To ensure that personal data is fairly and lawfully processed, users must be informed about what types of data the website is storing, why and for how long. This notice is required to include a clear statement of website users’ rights, and to be written in clear and plain language.

As each website’s data capture is different, thorough consideration and effort should be given to develop a bespoke privacy notice for each. Linking to another website’s privacy notice, e.g. at the University Website (EdWeb), is inaccurate and against best practice.

Extensive advice, and templates, on how to develop a privacy notice for a University website is available in our website support and record management pages.

Privacy notice guidance and templates – University Data Privacy Office website

Cookie consent compliance

The University’s approach to cookie compliance and consent has always focused on protecting website visitors’ privacy. An options appraisal exercise during autumn of 2019 highlighted that the previous approach was not fully compliant with ICO’s updated guidance and, thus, it had to be revisited. Having been approved by the University’s Web Governance Group, this new cookie consent approach requires a clear distinction between necessary and non-necessary cookies, offering clear information and appropriate opt-in consent, on any website:

  • Necessary cookies are non-privacy invasive and required to deliver the website properly. The University Web Governance Group has currently agreed that this list can include anonymised web analytics (Google Analytics, in the case of the central University Website), as understanding our audiences’ needs and behaviours is a business requirement to deliver a proper, user-centred website.
  • Non-necessary cookies are, essentially, everything else. All of these require explicit consent from the website visitor to allow us to set them. This consent needs to be an active check of a box (no pre-checked boxes are allowed) or a click on a button with clear implications in setting the cookies. The University Web Governance Group has currently agreed that cookies set for marketing or advertising reasons are non-necessary and must not be set until the website visitor has given explicit consent to do so.

University Website (EdWeb)

A global cookie consent mechanism has been added to the University Website, covering all websites hosted on the platform. Additional features ensure compliance for third-party content embedded in University Website pages.

EdWeb cookie banner is changing – Blog post by Bruce Darby

EdWeb’s global cookie consent – Wiki support pages

Using third party embeds in EdWeb – Wiki support page

Non-EdWeb University websites

All non-EdWeb websites will need to audit and categorise the cookies set within their domain, only serve necessary cookies upon load and ensure there is a clear opt-in mechanism for non-necessary cookies. As with privacy notices, using the University Website’s cookie consent mechanism without a complete cookie audit is not recommended. This is due to the difference in cookies set between separate website implementations.

Guidance is available and reviewed often

This blog post summarises the University’s current approach to ensure privacy in its website estate. Full guidance on compliance, including templates, examples and further links is available in the website support pages.

GDPR compliance guidance for websites – Website support pages

Additionally, a new GDPR Cookie Consent Working Group has been established. This group has University-wide representation with a focus to:

  • Review the release of relevant legislation, regulations and guidance.
  • Monitor evolution of cookie consent approaches and solutions in and outside the Higher Education sector.

A regular schedule to convene every 6 months has been put in place. All new developments are discussed online and, if required, additional meetings will be held.

If you want to provide feedback, are interested in being involved or just seek further clarification on GDPR compliance for your website, contact the Website & Communications support team at website.support@ed.ac.uk.
