Respecting the privacy of University websites’ visitors across the estate
Since the introduction of the European Union (EU) cookie legislation in 2013, and after the General Data Protection Regulation (GDPR) implementation in 2018, the University has taken extensive measures within the central University Website (EdWeb) to reduce the risk of capturing and storing privacy-invasive user data. Additionally, platform-agnostic guidance and support have been available for the wider University web publishing community to ensure that the University web estate follows best practice in its entirety. Reflecting on the latest published guidelines by the Information Commissioner’s Office (ICO), a series of strategic activities has kicked off to ensure the University’s approaches are up to date and appropriate.
How can University websites be GDPR compliant?
The most fundamental element of GDPR compliance is no different to the most basic of website governance advice: all website owners need to make sure they’re on top of all aspects of their website. This does not only include structure, content and analytics but, even more fundamentally, its accessibility and the amount, and type, of visitor data stored. Ideally, this should be an activity undertaken during the design, development and update phases for each website.
Having said that, it’s totally appropriate, and necessary, to do a website audit at any time to ensure there’s a clear and accurate picture of how privacy guidelines are adhered to. This audit should cover all user data capture points, e.g. web forms, how these are handled and, of course, the website’s cookies. The University’s data protection office has published extensive guidelines in a series of privacy-related items.
GDPR Guidance – University Data Privacy Office website
More specifically, there are two main areas to pay attention to: Privacy notices and Cookie consent compliance.
As each website’s data capture is different, thorough consideration and effort should be given to develop a bespoke privacy notice for each. Linking to another website’s privacy notice, e.g. at the University Website (EdWeb), is inaccurate and against best practice.
Extensive advice, and templates, on how to develop a privacy notice for a University website are available in our website support and record management pages.
Privacy notice guidance and templates – University Data Privacy Office website
Cookie consent compliance
The University’s approach to cookie compliance and consent has always focused on protecting website visitors’ privacy. An options appraisal exercise during autumn of 2019 highlighted that the previous approach was not fully compliant with the ICO’s updated guidance and, thus, had to be revisited. Having been approved by the University’s Web Governance Group, the new cookie consent approach requires any website to make a clear distinction between necessary and non-necessary cookies, offering clear information and appropriate opt-in consent:
- Necessary cookies are non-privacy invasive and required to deliver the website properly. The University Web Governance Group has currently agreed that this list can include anonymised web analytics (Google Analytics, in the case of the central University Website), as understanding our audiences’ needs and behaviours is a business requirement to deliver a proper, user-centred website.
- Non-necessary cookies are, essentially, everything else. All of these require explicit consent from the website visitor to allow us to set them. This consent needs to be an active check of a box (no pre-checked boxes are allowed) or a click on a button with clear implications in setting the cookies. The University Web Governance Group has currently agreed that cookies set for marketing or advertising reasons are non-necessary and must not be set until the website visitor has given explicit consent to do so.
University Website (EdWeb)
A global cookie consent mechanism has been added to the University Website, covering all websites hosted in the platform. Additional features ensure compliance for 3rd party content embedded in University Website pages.
EdWeb cookie banner is changing – Blog post by Bruce Darby
EdWeb’s global cookie consent – Wiki support pages
Using third party embeds in EdWeb – Wiki support page
Non-EdWeb University websites
All non-EdWeb websites will need to audit and categorise the cookies set within their domain, only serve necessary cookies upon load and ensure there is a clear opt-in mechanism for non-necessary cookies. In similar fashion to privacy notices, using the University Website’s cookie consent mechanism without a complete cookie audit is not recommended. This is due to the difference in cookies set between separate website implementations.
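The audit and opt-in steps described above can be checked in code. The following is an added example, not part of the University's guidance or EdWeb's implementation; the cookie names, categories and sample headers are constructed for illustration.

```javascript
// Constructed audit inventory: cookie names and categories are hypothetical.
const CATEGORIES = new Map([
  ["session_id", "necessary"],
  ["csrf_token", "necessary"],
  ["analytics_anon", "necessary"], // anonymised analytics, classed as necessary in the policy above
  ["ad_campaign", "marketing"],
  ["video_embed_prefs", "third-party"],
]);

// Extract the cookie name from a Set-Cookie header value ("name=value; attrs").
function cookieName(setCookie) {
  return setCookie.split(";")[0].split("=")[0].trim();
}

// Audit step: every cookie set on first load (before any consent) must be
// categorised and necessary. Returns the findings that need fixing.
function auditFirstLoad(setCookieHeaders, categories = CATEGORIES) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const name = cookieName(header);
    const category = categories.get(name);
    if (category === undefined) findings.push({ name, issue: "uncategorised" });
    else if (category !== "necessary")
      findings.push({ name, issue: `${category} cookie set before consent` });
  }
  return findings;
}

// Consent step: nothing is pre-granted, and consent is recorded only for an
// explicit visitor action (a box they ticked or a button they clicked).
class ConsentState {
  constructor() { this.granted = new Set(); }
  record(category, { explicitUserAction } = {}) {
    if (explicitUserAction !== true) return false; // pre-checked or implied consent is ignored
    this.granted.add(category);
    return true;
  }
  maySet(name, categories = CATEGORIES) {
    const category = categories.get(name);
    if (category === undefined) return false; // unaudited cookies stay blocked
    return category === "necessary" || this.granted.has(category);
  }
}

// Constructed first-load response headers for a hypothetical non-EdWeb site.
const SAMPLE_FIRST_LOAD = [
  "session_id=abc123; Path=/; Secure; HttpOnly",
  "analytics_anon=1; Path=/",
  "ad_campaign=spring; Path=/; Max-Age=31536000",
  "legacy_widget=x; Path=/",
];
```

Running `auditFirstLoad(SAMPLE_FIRST_LOAD)` flags the marketing cookie served before consent and the cookie missing from the inventory, which are the two conditions a cookie audit is meant to surface.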
Guidance is available and reviewed often
This blog post summarises the University’s current approach to ensure privacy in its website estate. Full guidance on compliance, including templates, examples and further links is available in the website support pages.
GDPR compliance guidance for websites – Website support pages
Additionally, a new GDPR Cookie Consent Working Group has been established. This group has University-wide representation with a focus to:
- Review the release of relevant legislation, regulations and guidance.
- Monitor evolution of cookie consent approaches and solutions in and outside the Higher Education sector.
A regular schedule to convene every 6 months has been put in place. All new developments are discussed online and, if required, additional meetings will be held.
If you want to provide feedback, are interested in being involved or just seek further clarification on GDPR compliance for your website, contact the Website & Communications support team at email@example.com.