Universities say they can’t reveal details of investigations due to privacy rules – how should this be handled when two pieces of legislation collide

September 7, 2022
Tim Heywood


View profile

Universities UK (UUK) have published new guidance designed to help universities navigate the sometimes choppy waters where two different sets of legal and governance obligations converge.

For some time, many universities have felt constrained from releasing details of harassment investigations even to the parties involved. The difficulty they have faced has been the apparent need to respect the data privacy of the person being complained about. Faced with this choice, many have come down squarely in favour of respecting the privacy of respondent.

Harassment claims and allegations of sexual misconduct by staff have to be investigated, of course. And in order to maintain confidence in the process, universities want to ensure they have an effective process; one which ensures confidentiality (of course) but one which is also demonstrably effective, fair and transparent.

Too often it seems universities have erred on the side of data privacy. This has often meant that the outcome of their investigation and details of any sanctions imposed on an individual have remained secret even from the complainant.

This can hardly be a recipe for building confidence in the investigatory process, however, or for giving students, in particular, a sense that they can bring their complaints of sexual, racial or other types of harassment to the university authorities safe in the knowledge that a fair and transparent process will follow. The process must surely form part of the university’s recipe for creating a safe and inclusive community (thereby meeting another set of its obligations).

Happily, as the new guidance makes clear, universities need not feel they cannot disclose the outcome to the complainant. Certainly, the Data Protection Act and UK GDPR do not impose any blanket ban. Far from it.

As DPOs and others operating in the data protection arena will know, data protection is all about risk management. Deciding whether a disclosure may lawfully be made requires an assessment of the facts of the case and of the competing interests of data privacy on the one hand and the need to fulfill other legal and operational obligations on the other. In other words, data protection law is pretty pragmatic.

The new guidance goes into some detail about the practical steps universities should take. What it boils down to is a case by case analysis of what types of personal information are involved; what needs to be disclosed, to whom and why, and an overall risk assessment (or impact assessment) of what damage any disclosure might inflict on an affected party and whether such damage can be justified. Such impact assessments are par for the course in the data protection world, of course. Data protection law does not impose a blanket ban on disclosure.

In summary, the new guidance gives universities more clarity and, importantly perhaps, the confidence to design their investigation processes in a way that ensures they will be effective in winning the confidence of students and staff alike.  

The outcome of any investigation should almost always be conveyed to the complainant. How else will can the university demonstrate that justice has been done? For the same reason, any penalty (or “sanction”)  imposed will also, in the majority of cases, need to be disclosed to the complainant (although this element will need greater scrutiny in every case). There may be a second reason to disclose the penalty to the complainant– where the penalty requires the respondent to stay away from them.

It may be timely to revisit the university’s privacy policies and notices, as part of a wider plan to ensure these provide enough transparency about how, why, and when data might be disclosed and to manage the expectations of students and staff alike. 

Tim Heywood, Solicitor, FRSA is a Partner at gunnercooke llp specialising in data protection law and governance.