IMPORTANT NOTE: This Q&A assumes an understanding on the part of the reader of the purpose and intended use of a Maxient system, i.e., a hosted database system specifically designed for the management of records and processes related to student conduct and behavior at institutions of higher education. Furthermore, while this explores a topic of law, it is not and should not be construed or relied upon as legal advice. Readers and institutions reviewing this information are advised to consult with their own legal counsel regarding the applicability and impact of the topics discussed herein.
What is GDPR?
GDPR stands for “General Data Protection Regulation,” the informal title of Regulation (EU) 2016/679 (hereinafter “GDPR”), which is a privacy law established by the European Union (“E.U.”), set to go into effect on May 25, 2018. It “lays down rules relating to the protection of natural persons with regard to the processing of personal data,” which it broadly defines as “any information relating to an identified or identifiable natural person.” See, GDPR, Art. 1(1) and Art. 4(1).
How does GDPR impact institutions using Maxient? Does it even apply?
GDPR may not impact all colleges and universities using Maxient, and if it does, that impact may be unrelated to their use of Maxient.
GDPR regulates both “controllers” and “processors” of data. Controllers are those entities that “[determine] the purposes and means of the processing of personal data,” which in this context would be the individual colleges and universities using a Maxient system; and processors are those entities that “[process] personal data on behalf of the controller,” which would be Maxient. See, GDPR, Art. 4(7)-(8). In terms of material scope, Article 2(2)(a) of GDPR states that it “does not apply to the processing of personal data… in the course of an activity which falls outside the scope of [E.U.] law.” Specific to territorial scope, the law explains that it “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the [E.U.], regardless of whether the processing takes place in the [E.U.] or not.” See, GDPR, Art. 3(1). Moreover, it further specifies that even when neither the controller nor the processor is in the E.U., the law nevertheless “applies to the processing of personal data of [individuals] who are in the [E.U.]… where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the [individual] is required, to such [individuals] in the E.U.; or (b) the monitoring of their behaviour as far as their behaviour takes place within the [E.U.].” See, GDPR, Art. 3(2).
Maxient’s entire operation – headquarters, staff, and physical server sites – is based in the United States. Nearly all of Maxient’s 800+ college and university clients are based in the United States or Canada. For the most part, as Maxient and its clients are outside of the E.U., their work together is largely outside the scope of GDPR. That said, many if not most institutions of higher education recruit students and maintain networks of alumni from around the world, including Europe. From those examples alone, it is likely that GDPR will have some applicability to and impact on the overall data maintenance strategies of colleges and universities in North America, including Maxient clients, but that will not relate specifically to their use of a Maxient system. However, for the numerous colleges and universities using Maxient that also utilize it in relation to any campuses and/or programs they operate in the E.U., GDPR presumably applies.
Let’s say it does apply. What does that mean for Maxient’s work with its clients and what is Maxient doing to ensure compliance?
There is little doubt that GDPR will inspire some considerable assessment (and worry), at the least, for those colleges and universities to which it applies. However, their use of Maxient should be comparatively low on the list of concerns.
Article 28 of GDPR lays out the primary obligations of processors, which are mainly established through stipulations via written agreement with the controller. Maxient has written service agreements in place with all of its clients and the requirements of Article 28 are likely met through Maxient’s contractual obligations to the client institution. Because all Maxient service agreements can be negotiated and may read differently between one another, the precise location of the applicable terms in the agreement may vary. For questions about your institution’s service agreement with Maxient, please reach out to our support team. Our legal counsel will either point you toward the applicable language, or if needed, work with your institution to craft an amendment to bring its contractual language into full compliance.
In addition to the above, the following are some key truths of every working relationship between Maxient and a client institution that meet or exceed the expectations for processors under GDPR:
- The institution exercises complete control over the data it stores in a Maxient system.
- Maxient never shares any institution’s data with any third parties, or otherwise uses the data for any purpose, other than that which is specified under the service agreement.
- In the event of a termination of services for any reason, Maxient ensures that the institution takes full possession of the data and Maxient does not retain any copies whatsoever.
- All data in a Maxient system is encrypted both in transit and at rest.
- All data in a Maxient system is backed up on a rolling, thirty-day basis to a geographically separate server site to better ensure the continuity and availability of the data in the event of catastrophe. See, GDPR, Art. 32(1)(c).
- In the event of a data breach, Maxient would notify any impacted institution as soon as is practicable, but in no event later than 24 hours following discovery.
Is it all really that simple?
Of course not. If an institution determines that it is subject to GDPR, it will likely have to rethink many of its practices related to the data it collects, how it uses that data, and how it informs the individuals to whom that data belongs. Among other unanswered questions, colleges and universities will have to wrestle with the intersection between legal mandates to maintain certain information and the potential rights of individuals under GDPR to seek that same data’s destruction. These are complicated questions that are not likely to be answered any time soon, as that may necessitate a case and controversy, the determination of a court of competent jurisdiction to hear it, and the stamina of the parties to endure such a process. The only thing we can say with reasonable certainty is that Maxient has made and is continuing to make every effort to ensure that nothing about its work for its clients will be the cause for addressing any of GDPR’s unanswered questions.
Let’s keep in touch.
This is still relatively new to all of us, and we’re all trying to learn more. If you have questions or concerns, let us know; and if you learn more information relevant to our work together, please share it. We’ll do the same.
The full text of GDPR: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
“The General Data Protection Regulation Explained” – a helpful article in Educause Review: https://er.educause.edu/articles/2017/8/the-general-data-protection-regulation-explained