Consultation: Assessing the impact of (re-)using campus data

Our university and college buildings already contain a surprising number of sensors that could collect information about those who occupy them. At a recent event I spotted at least half a dozen different systems in a normal lecture room, including motion detectors, swipe card readers, wireless access points, the camera and microphone being used to stream the event, and Bluetooth and other transmissions from the many laptops and devices we were all carrying.

There is increasing interest in using data from these sensors – and new ones installed for specific purposes – to make our campuses "better" in many different ways. A paper by Aion et al groups these possibilities into six categories: those that directly affect students' learning; those involved in managing campus infrastructure; those that facilitate collaboration; those that provide institutional accountability; those that protect the environment, for example by improving energy efficiency; and those that create a healthy environment for learning and living.

With such a wide range of sensors and data to process and combine, and such a wide range of purposes, we need some way to assess the risks and benefits our plans will create for those who use the campus. Some possible uses of data will provide high benefit at very low risk: others will involve such high risks that, even with all possible mitigations used, they cannot be justified for the likely benefit.

To guide universities and colleges through this complex area, we’ve written a draft Data Protection Impact Assessment Toolkit, inspired by a Toolkit approved by European Regulators for RFID applications back in 2011. It is designed to help you work out how intrusive a particular application might be, what risks might arise, and what mitigations might be available to reduce these to an acceptable level. We'd very much welcome feedback on the toolkit: please send your comments to <Andrew.Cormack@jisc.ac.uk> by the end of April.