Hostname: page-component-848d4c4894-ndmmz Total loading time: 0 Render date: 2024-05-25T00:41:07.065Z Has data issue: false hasContentIssue false
  • English
  • Français

Data, disclosure and duties: balancing privacy and safeguarding in the context of UK university student sexual misconduct complaints

Published online by Cambridge University Press:  03 May 2024

Sharon Cowan Open the ORCID record for Sharon Cowan [Opens in a new window] ,
Vanessa E Munro ,
Anna Bull Open the ORCID record for Anna Bull [Opens in a new window] ,
Clarissa J DiSantis  and
Kelly Prince
Sharon Cowan*
Affiliation:
The University of Edinburgh School of Law, York, United Kingdom of Great Britain and Northern Ireland
Vanessa E Munro
Affiliation:
University of Warwick, Durham, United Kingdom of Great Britain and Northern Ireland
Anna Bull
Affiliation:
University of York, York, United Kingdom of Great Britain and Northern Ireland
Clarissa J DiSantis
Affiliation:
University of Durham, Coventry, United Kingdom of Great Britain and Northern Ireland
Kelly Prince
Affiliation:
University of York, Edinburgh, United Kingdom of Great Britain and Northern Ireland
*
*Corresponding author: Sharon Cowan; Email: s.cowan@ed.ac.uk
Rights & Permissions [Opens in a new window]

Abstract

The past decade has seen a marked shift in the regulatory landscape of UK higher education. Institutions are increasingly assuming responsibility for preventing campus sexual misconduct, and are responding to its occurrence through – amongst other things – codes of (mis)conduct, consent and/or active bystander training, and improved safety and security measures. They are also required to support victim-survivors in continuing with their education, and to implement fair and robust procedures through which complaints of sexual misconduct are investigated, with sanctions available that respond proportionately to the seriousness of the behaviour and its harms. This paper examines the challenges and prospects for the success of university disciplinary processes for sexual misconduct. It focuses in particular on how to balance the potentially conflicting rights to privacy held by reporting and responding parties within proceedings, while respecting parties’ rights to equality of access to education, protection from degrading treatment, due process, and the interests of the wider campus community. More specifically, we explore three key moments where private data is engaged: (1) in the fact and details of the complaint itself; (2) in information about the parties or circumstances of the complaint that arise during the process of an investigation and/or resultant university disciplinary process; and (3) in the retention and disclosure (to reporting parties or the university community) of information regarding the outcomes of, and sanctions applied as part of, a disciplinary process. We consider whether current data protection processes – and their interpretation – are compatible with trauma-informed practice and a wider commitment to safety, equality and dignity, and reflect on the ramifications for all parties where that balance between rights or interests is not struck.

Keywords

sexual misconductcampus justicedata protectionuniversity disciplinary processesdata privacydue process
Type
Research Article
Information
Legal Studies , First View , pp. 1 - 20
Creative Commons
Creative Common License - CCCreative Common License - BY
This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted re-use, distribution and reproduction, provided the original article is properly cited.
Copyright
Copyright © The Author(s), 2024. Published by Cambridge University Press on behalf of The Society of Legal Scholars

Introduction

Prompted by a series of high-profile studies that documented the significant scale of sexual violence and harassment (hereafter sexual misconduct) perpetrated by students against fellow students, the past decade has seen a marked shift in the regulatory landscape of UK higher education. From a position in the 1990s where sexual misconduct was considered to fall squarely within the remit of criminal justice, with universities advised to steer clear of any intervention, there has now been a radical change of direction. Since 2016, Universities UK (UUK), a lobby group for higher education institutions (HEIs), has recommended that universities adopt a ‘zero-tolerance’ approach.Footnote 1 This entails that institutions assume a responsibility for preventing campus sexual misconduct, and that they respond to its occurrence through – amongst other things – clear codes of (mis)conduct, effective consent and/or active bystander training, and improved safety and security measures. It also requires institutions to support victim-survivors in continuing with their education, and to implement fair and robust procedures through which sexual misconduct complaints are investigated, with proportionate sanctions available to respond to the seriousness of the behaviour and its resultant harms.

Though there are some commentators who have been less enthusiastic,Footnote 2 many have welcomed this shift towards requiring universities to take seriously their legal and ethical obligations in this respect.Footnote 3 At the same time, while organisations such as UUK and the Office for Students (OfS) have produced sector-wide guidance on responding to sexual misconduct (discussed below), guidance typically focuses on what should be done, with much less detail as to how it can or should be achieved; this is particularly so in relation to delivering ‘demonstrably fair’Footnote 4 investigation and adjudication procedures, where the concept of fair is contestable – and indeed has been contested – often on the grounds of the competing interests of the parties involved. The imprecision of such guidance has contributed to non-existent, inconsistent or problematic institutional processes, with significant consequences for the students involved, as well as the wider university community.Footnote 5 Universities have often filled this gap by falling back on familiar criminal justice paradigms, but these can be ill-suited to the disciplinary environment and have been shown, across decades of research, to serve victim-survivors poorly, often increasing their trauma with limited prospects of effective redress.Footnote 6

The consequence of this is a situation in which it is far from certain what constitutes ‘fair process’ in the context of HEI investigative and disciplinary procedures for addressing complaints of sexual misconduct. In an increasingly commercialised and competitive higher education sector, there are incentives for the neoliberal university to oscillate between ‘quiet’ interventions that veil the problem of sexual misconduct and crisis-led, ‘noisy’ moments of confrontation that reassure others of its robust zero-tolerance approach. In both modes, the risk of institutional reputational damage seems to be a paramount consideration, and may be mitigated in different ways, but it is far from clear that either response well-serves the complex interests of those making complaints, those alleged to or established to have perpetrated misconduct, or the wider campus community. In this paper, we consider this dilemma specifically through the lens of private data collection, use and disclosure, which provides a window to wider concerns regarding current practice, and the extent to which a sufficiently trauma-informed and transparent process has been designed and implemented.

Ensuring appropriate and effective institutional responses is crucial to building confidence to report, and this is particularly urgent in light of the low levels of reporting to HEIs, despite high levels of victimisation. While in some countries there exists extensive data on prevalence of sexual misconduct in higher education, in the UK, no robust national datasets exist yet.Footnote 7 Nevertheless, comparing formal reports of sexual misconduct with a prevalence survey at one university where such data exists (Oxford) shows a huge number of unreported experiences.Footnote 8 There are, of course, many reasons why students may not report, and in light of an apparently vast difference between incidence of victimisation and reporting, measures that will increase students’ trust – individually and collectively – in their HEIs in this regard are urgently needed. However, recent guidance in England from the OfSFootnote 9 has amounted largely to a vague set of aspirations, with significant scope for continued divergent interpretation and application across institutions.

The aim of this paper is not to fully address all the complexities that are undoubtedly raised in respect of designing a more tailored and effective response to sexual misconduct from HEIs in the UK.Footnote 10 Instead, we focus here on one particular issue that we consider core to the question of what ‘fair process’ looks like, and which has ramifications that permeate across institutional responses – namely, how to balance the potentially conflicting rights to privacy (including data privacy) held by reporting and responding parties within proceedings,Footnote 11 while respecting parties’ rights to equality of access to education, protection from degrading treatment, due process (ie procedural fairness in decision-making), and the interests of the wider campus community. We take as our central focus cases of student-student misconduct, though much of our analysis applies also to staff-student misconduct. In so doing, we advocate for a trauma-informed approach, which Humphreys and Towl have articulated as requiring that leaders within HEIs ‘have an understanding of the impact of trauma, promote safety, avoid re-traumatisation of victim-survivors, and empower victim-survivors to make their own choices’.Footnote 12 Amongst other things, this entails, first, a recognition that trauma can impact on memory encoding and recall, and thereby victim-survivors’ ability to provide the kind of coherent and linear narrative of events that is often presumed to support their credibility; and secondly, that being required to provide repeated disclosures as part of an investigative process can in itself be re-traumatising. It also requires an appreciation of the ways in which processes for investigating and evaluating complaints can be experienced as disempowering and judgemental by victim-survivors, and an understanding that decisions to withhold information as part of such processes can impact reporting parties’ sense of safety, further heighten their perception of threat and impede their recovery and reintegration. Amongst the six key principles of trauma-informed practice that are of particular relevance for our current purposes, then, are those tied to ensuring a commitment by leadership to ‘safety’, ‘trustworthiness and transparency’ and ‘empowerment, voice and choice’.

In what follows, after briefly setting out the data privacy landscape in the UK, we explore three key moments where private data is engaged in university sexual misconduct cases : (1) in the fact and details of the complaint itself, and in particular the question of the status and handling of anonymous allegations or allegations that reporting parties do not wish to pursue; (2) in private information about the parties or circumstances of the complaint that arise during the process of an investigation and/or resultant university disciplinary process; and (3) in the retention and disclosure (to reporting parties or the university community) of information regarding the outcomes of, and sanctions applied as part of, a disciplinary process. We consider at each of these moments whether current data protection processes – and their interpretation – are compatible with trauma-informed practice and a wider commitment to safety, equality and dignity. We also reflect on the ramifications for the HEI, individual parties and campus community where that balance between competing rights or interests is not struck appropriately. We conclude that current practice across the sector too often does not appropriately balance competing interests, and indeed risks serious injustice for both reporting parties and the campus community more generally. In the remainder of this paper, we will use the terminology of ‘reporting parties’ to refer to those who have disclosed or reported an experience of sexual misconduct to their university, but when speaking more broadly about the impacts of sexual violence, or where it is formally established that such abuse has occurred, in line with many other researchers, we will use the language of ‘victim-survivors’. This better acknowledges the effects of that violence and the continuing individual and structural legacies of navigating those effects.Footnote 13

1. Data privacy and balancing rights

The law on privacy, and personal data in particular, has been developing apace in the last two decades, culminating at the domestic level in the Data Protection Act 2018 (hereafter the 2018 Act). This legislation implements seven key General Data Protection Regulation (GDPR) principles: fair, lawful, and transparent processing; purpose limitation; data minimisation; data accuracy; data retention periods; data security; and accountability.Footnote 14 Cumulatively, this gives individuals – or ‘data subjects’ – increased control and rights with respect to their data. It obliges those who process ‘personal’ data (data controllers) to keep that data secure, with relevant guidance on what constitutes ‘personal’ data being provided by the Information Commissioner's Office (ICO),Footnote 15 and data that relates to ‘sensitive’ information, such as race, religion, ethnicity, political opinions, trade union membership, health, genetics, biometrics, and ‘sex life’ or sexual orientation and criminal record data, being entitled to enhanced protections (section 35(8)).

Though the 2018 Act does not use the language of privacy directly, it has been recognised to be implicit in all its provisions,Footnote 16 underpinned by an acknowledgement that the robust protection of personal data matters both to the individual and to the wider public. At the same time, it is clear that such protection is not an absolute right but, rather, one that can be legally interfered with where necessary and proportionate to do so. It is also clear that where the legislation (and accompanying ICO guidance) refers to personal data as ‘yours’ and/or ‘mine’, this is to be distinguished from the common understanding of ownership in the sense of an exclusive right to use or alienate; sometimes the state – or institutions – can use what we might call ‘my’ data for the public good, and can do so without ‘my’ consent.

In the UK higher education sector, GDPR compliance has become a staple of institutional training, with universities encountering, collecting and managing personal information across their operations in myriad ways. The extent to which universities have a lawful basis to share such data gained attention in 2018 when a statutory instrument (The Higher Education and Research Act 2017 (Cooperation and Information Sharing) Regulations 2018) gave the OfS wide powers to share student data with third parties – including private commercial companies – as long as it did not breach the Data Protection Act 1998 (now replaced by the 2018 Act). This was controversial, with critics suggesting that universities should be seen to have a ‘fiduciary duty’ with respect to their students’ personal data, becoming a ‘trusted holder’ and thus only allowed to use, process or share it for the (individual) student's benefit.Footnote 17 This specific controversy reflects a wider (and ongoing) uncertainty across UK HEIs regarding the scope and nature of their responsibilities with respect to data privacy, and the circumstances under which personal data can legitimately be held, used or disclosed. In relation to misconduct complaints specifically, there have been two recent documents that have sought to assist institutions in navigating this terrain. First, guidance was published by UUK in July 2022 on ‘Sharing Personal Data in Harassment Cases’.Footnote 18 This aimed to support HEIs in moving beyond the ‘risk-averse approach’ to a framework for data-sharing that had previously been identified as operative in this context by the Equality and Human Rights Commission (EHRC).Footnote 19 In particular, it encouraged a move ‘away from blanket policies to either always refuse or always allow the sharing of personal data … so that each case can be handled appropriately on its specific facts’.Footnote 20 Though it underscored that it would be for HEIs to ‘decide how best to implement this guidance’,Footnote 21 the guidance provided a 40-question ‘data-sharing impact and risk assessment’ that UUK suggested should be worked through in relation to individual cases.Footnote 22 Secondly, alongside this, in September 2022, the law firm Eversheds Sutherland also published guidance (commissioned by UUK) on handling staff-student sexual misconduct complaints, which contained discussion of data-sharing principles that may potentially also be relevant to student-student cases.Footnote 23

What is clear across both these documents is that data-sharing in harassment cases by HEIs is a complex and still-developing area of practice. Notwithstanding indications from the ICO of a shift away from using large fines for public sector organisations found to have breached the GDPR,Footnote 24 we suggest in this paper that universities dealing with sexual misconduct are (over)cautious in respect of disclosure of responding parties’ data, whilst being insufficiently aware of the appropriate parameters within which they should obtain, hold and disclose the data of reporting parties. In particular, anxieties remain regarding the potential for pecuniary or reputational damage as a consequence of complaints from the responding party regarding breaches of data privacy. This has recently been supported by the Office of the Independent Adjudicator for Higher Education (OIA) who, in a case study provided in its 2022 Annual Report, confirmed – notably, without giving any account of the reasoning and balancing exercise that may have underpinned it – that it was reasonable for the HEI to refuse to disclose the outcome of a disciplinary process to a student who was found to have been coerced into a sexual relationship by a staff member (and who was concerned, as a result, about the safety of future students) due to confidentiality and data protection duties.Footnote 25

It has been suggested elsewhere that this caution reflects ‘deep tensions created by the legal landscape of incompatible human rights laws and privacy obligations held by universities’.Footnote 26 Such tensions are not unique to the higher education context: indeed, difficult questions arise in many other arenas regarding the appropriate boundaries for seeking, retaining and disclosing personal information as part of the process of investigating, adjudicating and disposing of complaints of harassment or abuse, and implementing learning as a result of that process to increase the prospects for future safety. In recent years, in England and Wales, there has been a renewed focus on the need to ensure proportionality in requests made for personal data (for example, phone and social media records or third-party material from medical notes or social services files) in the context of criminal justice investigations.Footnote 27 Meanwhile, in the domestic abuse context, a bespoke disclosure regime has been implemented to allow individuals at risk from perpetrators to ask, or be told by, police about previous conduct.Footnote 28 And a long-standing system of sharing information amongst sex workers (called National Ugly Mugs) has, since 2012, received Home Office funding to – amongst other things – ‘take reports of incidents of harm to sex workers and process alerts to warn others’.Footnote 29 In this paper, however, we focus exclusively on how these tensions are navigated in the UK HEI context, where we are specifically concerned that the mechanisms by which the balancing of risks, rights and interests is undertaken can often be skewed in ways that robustly protect the rights of responding parties, but with insufficient regard for the rights (and experiences) of reporting parties, from the point of disclosure through to the outcomes of disciplinary processes. Not only does this jeopardise reporting parties’ wellbeing and recovery, it can infringe on their rights to education, and diminish the confidence of the campus community in institutions’ ‘zero-tolerance’ approach. This is significant in a UK context in which section 149 of the Equality Act 2010 specifically requires institutions that perform a public function, including HEIs, to have due regard in their execution of this function to the need to eliminate discrimination and harassment of those with a protected characteristic (including women), to advance equality of opportunity for people with particular protected characteristics (including those related to sex), and to foster good relations between different groups (including between men and women).Footnote 30 Thus, while bearing in mind Brodsky's caution,Footnote 31 grounded in the politicised experience of Title IX in the US,Footnote 32 to avoid uncritical subscription to narratives of ‘warring factions’ that require a choice to be made between responding with concern to the harms of campus sexual misconduct and ensuring fair treatment of those against whom such complaints are made, in the remaining sections, we explore current UK HEI approaches to three key stages in the complaints process in order to highlight the bases of our concerns regarding how the boundaries of data privacy are often being navigated.

2. Reporting sexual misconduct: initial reports, anonymity and community complaints

At this initial stage of the process, we have identified two inter-related challenges that might arise for institutions seeking to comply with the demands of data protection: first, how to record or store data in order to enable reporting parties to access support when they do not want to proceed further with a complaints process; and secondly, how to respond where there are multiple non-proceeding reports made against the same person.

(a) Recording and storing data

In its 2022 strategic guidance, UUK distinguishes between fully anonymous data, where the institution does not know the name of the reporting party and information is gathered solely for the purposes of ‘recording trends’,Footnote 33 and the situation where the reporting party is known to the institution but does ‘not wish to make a formal complaint’.Footnote 34 A detailed discussion of how to handle fully anonymous reports is taking place elsewhereFootnote 35 and so we restrict our focus here to the latter situation.

UUK practical guidance raises the question of retention of such reports, noting:

A university may be unable to keep a record of the report, naming a responding party, for a length of time if the reporting party wishes to remain anonymous or does not wish to make a formal complaint, and an investigation cannot take place. A lawful basis will need to be established for keeping a copy of the report.Footnote 36

Further bolstering the case against retention, the guidance goes on to say that ‘universities are obliged by the data protection principles to ensure the accuracy of the personal data held, which may not be possible if the report cannot be investigated’.Footnote 37 This appears to imply that the accuracy – ie veracity – of a complaint hinges on the outcome of an adjudicative process, but this is an approach discredited by critics of the persistent ‘justice gaps’ on sexual violence in other contexts.Footnote 38 Moreover, it is notable that Eversheds Sutherland in their subsequent legal briefing around staff/student complaints argue for a more pragmatic approach. They note:

Providers cannot guarantee that information provided to them is always accurate in an objective sense, especially when it forms part of an opinion presented by those involved in a matter involving alleged sexual misconduct and investigation of the allegations; however, care should be taken to ensure that such opinions are collected and recorded accurately, and that objective information is accurate.Footnote 39

This suggests that the duty on HEIs is to accurately record the opinion, or account provided by the parties, rather than to attempt to formally establish the objective merit of what has been disclosed. This, we would argue, is by far the more appropriate interpretation of institutions’ responsibilities. After all, HEIs receive information in relation to students’ welfare and conduct every day; not only would it be impractical to be required to delete all such information which cannot be independently verified, but it would also present serious challenges in terms of managing campus safety and community wellbeing. Moreover, it is clearly not the case that other statutory or third sector organisations to whom victim-survivors might turn for support (for example, Independent Sexual Violence Advocate (ISVA) services) would be expected to verify the accounts provided before recording them, and it is unclear why university practice should differ here. The difference between the UUK guidance and Eversheds Sutherland guidance on this matter highlights the fact that much data protection legislation is subject to interpretation, and its implementation is contestable.

UUK also identify a risk that the responding party may make a Data Subject Access Request (DSAR), which would normally include all data that an organisation holds about the individual, including the source. In this respect, however, the UUK guidance notes that ‘in many cases it is likely that reports could be withheld from disclosure as part of a DSAR if there was a risk that the reporting party could be identified, and if it was unreasonable to disclose the report in the circumstances’.Footnote 40 This is a welcome acknowledgement of the limitations that can be imposed on DSARs in this context: providing such information to a person who has reportedly harassed, abused or violated another exposes the reporting party to a considerable risk of further harm, as discussed below.

The discussion in this section demonstrates the need to carefully consider the impact of data-sharing on individual parties and, in a context in which barriers to such reporting are well-established, the effect that over-sharing could have on the willingness of students who have experienced harm to disclose.Footnote 41 It also highlights the importance of HEIs providing appropriate and trauma-informed training to data controllers, to enable them to evaluate risk in the range of scenarios that they will face, where ill-informed sharing, including in response to responding parties’ DSARs, could have life-changing consequences.

Multiple reports

A further considerable complexity that arises is how institutions should respond where they receive multiple reports from different parties, none of whom wish to proceed to a formal complaint and investigation, and those reports pertain to the same person. Serial perpetration is a common factor in sexual violence, including in a university setting.Footnote 42 Nonetheless, current views of data protection appear to suggest that HEIs may be unable to safeguard students (and staff) from serial perpetrators, as the legality of recording and storing disclosure information provided anonymously or confidentially is unclear.Footnote 43 While multiple disclosures about the conduct of the same person leaves HEIs with a significant safeguarding risk, it is difficult to address this risk directly with the responding party through disciplinary action, in part because of the potential to undermine due process, but also because such action could run the risk of inadvertently identifying the anonymous or confidential reporting parties. This challenge is illustrated in the following case study, drawn from the authors’ experiences of researching and advocating for students in such contexts:

Student A discloses they were subject to sexual assault by Student B. Both are members of the same student society, of which Student B is currently president. Student A worries that reporting Student B will provoke retaliation by Student B and others. Student A discloses her experience to the institution and asks them to take action based on it while keeping her identity confidential. The case manager states the university cannot hold Student B's name without informing him and cannot take action from an anonymous report. Student A chooses not to make a formal report. Two weeks later, Student C discloses to the institution they were raped by Student B. The case manager remembers the name of Student B in relation to Student A's disclosure. However, she has no formal report. Student C says they are very scared of Student B and would not be willing to make a formal report. They want to access support, but do not want any action taken against Student B. Six months later, Students D, E and F come forward and disclose that Student B has been touching them sexually without their consent, making sexual comments and sending them unsolicited nudes. They want the university to do something, but are unwilling to be named in a formal report for fear of retaliation by Student B.

Where the HEI has no process to connect the existence of these reports as all pertaining to the same person, and no mechanism for responding to the safeguarding risk this prima facie represents to the campus community, we would argue that this reflects a failure to properly balance GDPR obligations against other competing legal duties, as well as to make use of the relevant exemptions under GDPR. In particular, there are two separate issues the university must address here: first, the legality of storing the data; and secondly, what action can be taken with the data, if it is stored. Both issues have been discussed by The 1752 Group and McAllister Olivarius in their recommendations for good practice in handling staff-student sexual misconduct. They recommend that ‘reports must be acted on and centrally recorded, regardless of formal complaint’.Footnote 44 In relation to the storing the data, they suggest that:

with the student's permission, the disclosure of sexual misconduct should be recorded on a central register, including records of any informal actions taken … In maintaining a carefully controlled central register, we believe HEIs reconcile their data protection obligations with those arising under other statutes and common law since they require such registers to protect their students and staff from a reasonably foreseeable risk of sexual misconduct and/ or to comply with their duties under the Equality Act, and so for reasons of substantial public interest and to prevent or detect unlawful acts. They must, however, maintain an appropriate policy document, compliant with the Data Protection Act 2018.

UUK's position on this now appears to be similar, but not identical. The most recent guidance states that disclosures that name a responding party may be kept on file if ‘the harm reported is so serious that it may be necessary to keep the report to allow for future investigation if more evidence comes to light’.Footnote 45 While UUK do not detail the balancing of duties that are relevant here, the ICO outlines a list of exemptions under GDPR for ‘functions designed to protect the public’ which might be apposite. These include to protect the public against seriously improper conduct, secure workers’ health, safety and welfare, or protect others against health and safety risks in connection with (or arising from) someone at work.Footnote 46 But the extent to which these public-protection functions would be pertinent to student-student complaints is unclear, with much likely to hinge on the interpretation of ‘serious’ harm in the UUK guidance and ‘seriously improper conduct’ within the ICO exemptions.

By contrast, in the guidance from The 1752 Group and McAllister Olivarius, the seriousness of the harm is not specified as a relevant consideration: rather, all confidential reports can and should be stored. This, we would argue, is the preferred approach since external assessments of what counts as ‘serious’ harm in the context of sexual violence have long – and rightly – been argued to be problematic,Footnote 47 with apparently low-level ‘grooming’ behaviours escalating if left unchecked.Footnote 48 Regardless of the ‘seriousness’ of their experience, moreover, victim-survivors might change their mind as to whether they want to make a formal complaint, and retention of information about their disclosure may be significant.

In respect of the purpose of storing this data, the UUK guidance does now envisage a scenario where it may be possible – in limited circumstances and subject to a relevant risk assessment – to share with a disclosing party the existence (though not source) of other relevant disclosures, for example to reassure them that the weight of evidence will not fall on them alone and increase their confidence to submit a named formal report as a result.Footnote 49 This may be important for HEIs facing multiple credible disclosures which represent a high risk of serial perpetration. But this potential can only be realised where there is an appropriate system in place for retention of those disclosures, a robust mechanism for identifying common patterns, and a careful and trauma-informed approach to victim-engagement. It is far from clear that this applies consistently across the HE sector currently. The point to emphasise here, however, is that – subject to the university's will and processes to do so – it is possible, and sometimes legitimate, to store data relating to multiple reports.

Once stored, however, what happens to this data? If the existence of these potentially corroborative prior disclosures is made known to a reporting party who remains reluctant to pursue a formal complaint, is this the end of universities’ obligations? Arguably, if an HEI receives multiple disclosures relating to the same individual, or group of individuals, it should proactively conduct some form of investigation to ascertain if there is evidence to support disciplinary action. The OIA states that, in line with the principles of ‘natural justice’:

It is not normally appropriate to keep the identity of witnesses secret during disciplinary proceedings. To do so may undermine the student's ability to defend themselves. If the witness does not agree to the student knowing their identity it may not be appropriate to rely on their evidence.Footnote 50

However, the phrasing here of ‘not normally appropriate’ is significant, and described as ‘doing some heavy lifting’ by the OIA, which agrees that it should not rule out the possibility of opening an investigation from exclusively confidential or anonymous reports of sexual harm.Footnote 51 Indeed, some institutions in the UK HE sector are already doing this.Footnote 52 For instance, UCL's Duty of Care guidance states that on receiving an allegation – including anonymous or informal disclosures – UCL may need to report the matter to the police or may:

investigate the matter further in accordance with its internal policies. In deciding whether to investigate in such circumstances, UCL will consider, for example, the seriousness of the incident or where multiple allegations have been made against an individual.Footnote 53

UCL also has a policy that allows ‘environmental investigations’ to be carried out ‘where there are a number of reports concerning unacceptable behaviour’. Footnote 54 Though this does not address meaningfully the safeguarding risks attached to a specific individual, such a policy can lead to evidence being uncovered that could ultimately lead to disciplinary action.Footnote 55 It may also build community confidence by demonstrating the HEI's commitment to addressing sexual misconduct, thus strengthening the potential for formal reports and witness statements.

Another tool for evidence-gathering in ‘multiple report’ cases, and one that can lead to disciplinary action in the absence of formal reports, is described in The 1752 Group and McAllister Olivarius (2020b) briefing note on ‘proactive investigations’: in situations ‘where members of a university community are aware of behaviour that seems to contravene university policies and is having a harmful effect on students or the workplace’ but have not received a formal complaint,

universities have been put on notice of a risk to their students or staff, and given that they owe a duty of care to their staff and students to protect them from foreseeable risk, we believe they would be liable for any injury or damage caused by this risk if they take no action.Footnote 56

In such circumstances, it is argued that a proactive investigation should be carried out which, if it reveals ‘a credible risk (that policies are being breached and/or that staff or students are being placed in harm's way)’, should lead to the commencement of a formal investigation. The need for, and value of, this proactive approach was recently underscored by Gemma White KC's report into the handling of a series of sexual misconduct disclosures by Trinity Hall, University of Cambridge.Footnote 57 She concluded that HEIs must take some form of action on receiving disclosures, rather than waiting for someone willing to pursue a formal complaint; and while the appropriate form of that action is likely to depend on the circumstances and severity of the conduct, observed that ‘many (if not all) higher education institutions have much work to do in this field’.Footnote 58

There is no question that this terrain is difficult to navigate, but we hope our discussion in this section demonstrates that blanket deployment of data protection rules can blind institutions to the potential risks to their community that they are alerted to by those who make disclosures, anonymous or otherwise, and that there is a clear need for more careful processes for handling and responding to anonymous reports. The Equality Act 2010 Public Sector Equality Duty, health and safety regulations, and common law duties of care require that competent discharge of duties entail consideration of structural and collective effects alongside individual dimensions.Footnote 59 Recent judicial authority has confirmed, moreover, that at least where HEIs hold themselves out as providing campus communities with values that include protecting the safety and wellbeing of students, and put in place processes to respond to and prevent sexual misconduct, they assume a duty of care that requires them to discharge these functions competently.Footnote 60

At the same time, it is necessary to tread a careful line here if we are to resist the imposition of a full mandatory reporting system, as occurs under Title IX in the US, which has been shown to be counterproductive, impeding disclosure and leading to reporting parties losing even more control over the process.Footnote 61 Without imposing that, we have suggested above that there are a number of further steps that could be taken by HEIs in the UK to increase the safety of campus communities. The UUK guidance is right – at least to some extent – to phrase this as a question of balancing competing rights,Footnote 62 but what this framing risks eclipsing in its focus primarily on the rights of the reporting and responding parties is the duties that HEIs owe to their wider staff and student populations. We have pointed to alternative solutions – in particular those enabled through environmental investigations and mechanisms to proactively launch investigations where necessary – which might better support empowerment and safety whilst still affording parties appropriate due process.

3. Investigations: handling ‘private’ information

Where a report is made and the reporting party is content both to be named and to formally pursue the complaint, there is currently no consistent approach across institutions in the UK regarding the procedures to be applied. In some universities, an investigation will first be undertaken by an external contractor or internal investigator under a complaints procedure where both parties have parity in the process. Only where a complaint is deemed to be founded, will a disciplinary process be commenced against the responding party, whereupon the reporting party formally becomes a witness to proceedings between the HEI and responding student. Meanwhile, in other universities, all reports that are formally made to the institution proceed automatically to an internal investigation as part of a disciplinary process, with reporting parties having to navigate that process without status as a participant throughout.Footnote 63 Either way, what is clear is that universities will, in this process, seek and elicit a wide range of evidence in the form of personal and private information about the parties involved, including witnesses, tied both to the specific incident(s) but potentially also to wider considerations that might be viewed as relevant to questions of credibility and evidence.

Given the current paucity of guidance in relation to how to assess the relevance of such evidence, the inconsistency of training in relation to investigation techniques, and the general lack of procedural support for the parties,Footnote 64 these processes are apt to seek and/or elicit personal information that may not be necessary, which in itself risks breach of the data protection principle of data minimisation. Sensitive but irrelevant contextual information may be asked about or shared by the reporting party as they attempt to distil and articulate their often complex and traumatic experiences into a statement or interview. In the authors’ experience – from both research and practice – there is a clear risk that some of this information, such as a reporting party's past experience of abuse or previous sexual history, is irrelevant as to whether the incident is more likely than not to have taken place, and can be distressing to share and potentially prejudicial to processes and outcomes. Moreover, as we discuss below, once this information has been obtained, it is at risk of being too readily shared by institutions with the responding party, often in the mistaken belief that this is required to protect their natural justice rights, and specifically their ability to know the case against them so that they may counter allegations. As in other adjudicative contexts, only relevant information that assists the responding party or undermines the credibility of either party should be obtained. Thereafter, the extent of what should be disclosed requires careful consideration, especially given the harmful impacts that disclosure might have on individual victim-survivors and on the confidence of the whole campus community. The complexity but importance – both to substantive and procedural justice outcomes – of adopting a robust and transparent approach to this has been well-illustrated, for example, in recent criminal justice developments around sexual assault investigation in England and Wales. After a period in which it was recognised that an abundance of caution provoked police and prosecutors to request overly-expansive disclosure of private data, particularly where the credibility of complainants was questioned, there has been a deliberate retraction towards ensuring more targeted, proportionate and justifiable lines of reasonable inquiry that recognise the rights to privacy and dignity of all parties.Footnote 65 The Law Commission has recently highlighted that there is work yet to be done on ensuring the appropriate balance is struck, both during the investigation and at any subsequent criminal trial,Footnote 66 and renewed guidance from the Attorney-General's Office, together with a systematic regime of disclosure management processes and ‘rape shield’ legislative protectionsFootnote 67 have been designed to assist in reducing unnecessary, collateral intrusion.

Amidst this complexity, there are important – and currently insufficiently addressed or answered – questions about how investigating officers in the HEI context are to ascertain the difference between information that is relevant, and that which is not. But even where the information at issue may be relevant, there is a legitimate basis for exercising caution in relation to sharing information, and/or the forms that such sharing might take. For example, in the authors’ experience, some institutions have shared reporting parties’ witness statements directly, and in their entirety, with responding parties as part of the process, without the reporting party's knowledge or consent. In cases relating to intimate partner violence and sexual harassment or violence, this can obviously put reporting parties at increased risk of victimisation or retaliation, and raises questions of whether a more proportionate response might entail alternative mechanisms to mitigate this risk whilst still ensuring respect for responding parties’ need to be made aware of the case against them.

The implications of this are well illustrated in the following case study, drawn from the research of one of the authors, which involved an anonymised, interview-based account of a reporting process, initiated by Student A, that took place at a UK university in 2021:

Student A was a student living in university accommodation who reported Student B for sexual violence. Student B had allegedly also targeted other women, some of whom gave witness statements. Student A made the decision to make a formal report, and following this, others in her accommodation gave witness statements. Student A was aware that this would mean Student B would know her identity. However, she hadn't been informed before she wrote it that her entire 10,000-word statement detailing his campaign of coercive control would be shared with him. This alarmed her greatly. She was concerned that Student B would tell others in their accommodation that she had reported him. She and her fellow witnesses also had serious concerns about their safety as they felt Student B was likely to retaliate against them. In addition, due to Student B's previous controlling behaviour towards her, Student A felt that reading her statement would give him a level of insight about her suffering (including her associated feelings of shame and humiliation) which he would have welcomed and would, in effect, constitute a continuation of the abuse.

This case study effectively highlights the nexus between poor investigation techniques and insufficiently considered yet highly impactful data-sharing. In their most recent guidance, UUK do comment on the scope of disclosure in the context of investigations. They state that while ‘it will almost always be necessary to share comprehensive details of the allegations made with the responding party so that they are able to fully respond’, ‘the responding party does not need to be made aware of personal information relating to the reporting party that is not connected to the allegations’.Footnote 68 The guidance cites as particular examples of information that the responding party does not need to be made aware of the reporting party's past unrelated experiences of abuse, suicide attempts, or health and wellbeing.

Again, there is a balance to be struck here, but the challenge is that the guidance – and some university processes – appear to assume that it will be obvious to the investigator which aspects of a reporting party's statement are relevant, and which are not. As discussed above, this is not always an uncomplicated matter, and information that appears to be peripheral to the complaint, if disclosed, can have substantial and sometimes prejudicial effects. In the scenario above, for example, though the claims of coercive control as providing the context in which Student A alleged the sexual violence took place may be sufficiently connected to require disclosure to Student B, it was unlikely to have been necessary, and therefore lawful, to disclose her statement in its entirety. Practice in this respect remains inconsistent, meaning that reporting parties currently have little clarity through the investigation process as to when, why and in what format their personal information will be shared with the respondent. Moreover, while there are acute considerations regarding the appropriate protection of both parties’ personal data and dignity in this context, to date concern on this matter has been predominantly one-sided, focused on the extent to which the responding party's data can be shared.

For example, though it goes against guidance issued by The 1752 Group and McAllister Olivarius, it seems that several UK HEIs continue to interpret data protection legislation to mean that the reporting party does not have any right to see statements or evidence provided by the responding party during the investigative process.Footnote 69 This forecloses the possibility of testing the evidence provided by the responding party, particularly where the facts relating to the incident are contested. It may render the investigation and its findings at best unreliable and at worst misleading, where relevant features of the responding party's account are taken as fact.Footnote 70 In this context, the recent observation by the court in Feder and McCamish is particularly welcome. The court was clear in that case that while ‘it is unfair for a person complained of not to know the allegations against them and to be able to respond’, ‘when credibility matters’ (as it often does in sexual misconduct complaints) so too it is unfair for the responding parties’ ‘response to be withheld from the complainant, depriving them of the opportunity to comment’.Footnote 71 Given the reporting party typically lacks a formal status in investigative and disciplinary proceedings, the need for parity in the assessment and disclosure of relevant information that this decision highlights – and that is missing in key guidance – is important. So too is the court's stark condemnation of the HEI's remarkable lack of care for the reporting parties’ confidentiality, demonstrated most acutely in the HEI assisting the responding party in making a public response to the allegations in front of the entirety of his academic cohort (including the reporting party). Importantly, the court also emphasised that a significant breach of confidence of one of the parties in an investigation constitutes a mishandling of the process that could reasonably foreseeably cause psychiatric harm.

Nonetheless, further questions remain regarding the boundaries of parity, and the navigation of disclosures within the investigative process. Another key site of contestation in this respect relates to an HEI's precautionary or interim measures to address safety, risk and the potential for retaliation during an ongoing investigation, whereby temporary measures can be put in place, usually with the aim of enabling both parties to continue to access their education and shared campus spaces as safely as possible (though in some cases suspension of the responding party will be necessary, pending resolution of the complaint). These interim measures can be embarked on with some hesitation by universities because they are put in place prior to any determination of wrongdoing, but they are often highly valued by reporting parties – assuming reporting parties are appropriately informed and updated about such interim measures. Student B above was quickly required by the university to leave the accommodation that he had shared with Student A upon her complaint. However, neither she nor the other reporting parties knew, for example, whether he was in a different flat, a different block, different halls of residence, or whether he would be absent from campus entirely. This information was clearly material to Student A's ability to accurately assess the risk she faced on campus, but her safety interests were not considered sufficient to outweigh the privacy interests of the responding party. A trauma-informed approach – most notably, centring the principles of safety and transparency – might have better illustrated the additional harm that the HEI's process was imposing here, beyond the conduct complained of, since this lack of knowledge was apt to leave Student A with an exaggerated (or conversely, understated) sense of threat. So too, it might have considerably sharpened that institution's focus regarding implementing and enforcing the precautionary measures put in place. The consequences of failing to do so have recently been illustrated in Feder and McCamish where the HEI was found to fall below a reasonable standard in its efforts to separate the parties whilst they remained on campus together: countering what appeared to have been the HEI's belief that ‘it had no right to prevent the male student attending’ because denying admission would be discriminatory, the judge here emphasised, at paragraph 621, that ‘there is no absolute right for a student to be anywhere at any time of their choosing’ and arrangements could have been implemented without compromise to his own education.

One mechanism by which reporting parties might be able to agitate for greater disclosure of such information would be via a DSAR, as noted earlier. This can be challenging, however, since some of the data sought will likely relate to both parties in a way that is ‘inextricably linked’, ie it is what has been called ‘mixed data’.Footnote 72 In a mixed data case falling for consideration under the 2018 Act, Schedule 2, paragraph 16, a data controller will be obliged to disclose relevant information if it is reasonable in all the circumstances to do so. Where the responding party, whose data is mixed with the applicant's, objects to disclosure, practice has until recently strongly pointed towards withholding disclosure.Footnote 73 However, it was held in B v General Medical Council that there is no presumption of withholding disclosure from the requesting applicant in ‘mixed data’ cases, the majority being clear that the disclosure regime under the DPA 1998 ‘sought to strike a balance between the requester's and the objector's competing interests, both of which were anchored in the right to respect for family life in Article 8 of the ECHR as reflected in Directive 95/46/EC’ (the Data Protection Directive).Footnote 74

Although making a DSAR may thus force institutions to explicitly and carefully consider the balancing of competing rights and interests, and recent case law suggests there might now be more of an even playing field in this process, HEIs may do little other than grant a reporting party an almost entirely redacted file. Moreover, arguably it should not require a reporting party to make a formal DSAR, given the practical and emotional burdens of doing so in a process where they are often already disempowered by their lack of formal standing. Instead, if greater attention were paid to the rights and interests of reporting parties, and wider campus communities, in effective, transparent and proportionate institutional responses to sexual misconduct, the balancing act that underpins the question of data privacy versus disclosure would be weighed out differently, reducing substantially the need for DSARs to be utilised as a mechanism for disclosure of data at all.

4. Outcomes, sanctions and redress

We turn now to the end of the disciplinary process and consider data-sharing in relation to outcomes and sanctions. This is also an arena in which practice is evolving in the UK, but against a backdrop of anxiety regarding the risks and ramifications of data breach. Busby and Birenbaum's analysis of institutional policies amongst 25 Canadian HEIs found that – though the researchers considered it often appropriate to do so – none clearly permitted full disclosure of findings to reporting parties; and while a few permitted some level of disclosure, the more common approach was restrictive.Footnote 75 In the UK context, the OIA has indicated in its guidance that, while HEIs should offer a remedy to reporting students where sexual misconduct has been found to have affected their studies, health or wellbeing, this remedy is a separate matter from any sanction applied upon the responding party at the end of a disciplinary process, in respect of which the outcome will ‘normally be confidential to the individual staff member or student, although they may consent to information being shared with the student who made the complaint’.Footnote 76 Indeed, as noted above, that position was recently re-affirmed by the OIA in its 2022 Annual Report.

Many of the challenges discussed above in relation to interim measures are mirrored, and potentially amplified, in relation to the final outcomes of disciplinary processes. Though institutions may inform reporting parties of whether their complaint was upheld or not, they will often apply a blanket refusal to share details of the specific outcome of the disciplinary process and any sanctions resulting. The basis for this is questionable given that correspondence to the respondent outlining sanctions is likely to constitute mixed personal data to which the reporting party might have a compelling interest in accessing under any DSAR (as above). It is also at odds with the recommendation made in 2020 by the EHRC that:

wherever appropriate and possible, if a complaint is upheld then the complainant should be told what action has been taken to address this, including action taken to address the specific complaint and any measures taken to prevent a similar event happening again in the future. If the complainant is not told what action has been taken, this may leave them feeling that their complaint has not been taken seriously or addressed adequately.Footnote 77

While this EHRC guidance is aimed at an employment context, data-sharing issues in student-student misconduct cases can be seen to involve several parallel considerations. The EHRC goes on to state that employers ‘should not assume that disclosure of the harasser's personal data will amount to a breach of the GDPR. It often will not if the employer has been clear that outcomes may be disclosed, considered what grounds it has for disclosure and acts proportionately in disclosing personal data’ (paragraph 5.67). The term proportionately is key here, again implying balance rather than outright refusal to share data or a blanket approach towards tight restriction.

Meanwhile, the UUK 2022 strategic guidance states one of its purposes as being to enable institutions ‘to have the confidence to share more information on outcomes and sanctions with reporting parties where it is appropriate and reasonable to do so’.Footnote 78 The approach to be taken to such sharing is discussed at length in the UUK's accompanying ‘Practical Guide’ – it indicates that data sharing should be assessed on a case-by-case basis, balancing duties towards the reporting and responding parties, and noting that ‘it might be possible to share limited information about the outcome of the disciplinary process to achieve the objective of the sharing, without revealing the full sanction imposed’.Footnote 79 In respect of the reasons why disclosure to the reporting party might be appropriate, the guidance notes that it may enable victim-survivors to feel safe enough to return to campus armed with the knowledge of whether the responding party will have access, and more generally that it may benefit their health and wellbeing. However, there is a limited recognition of the justice needs and interests of reporting parties, which entails that any balancing exercise undertaken may be skewed from the outset in favour of protecting the privacy rights of responding parties.

Moreover, while the guidance notes that a more transparent approach could increase trust in the university's reporting process, the balancing envisaged operates only on the basis of the rights and interests of individual parties to the complaint, with no standing to the wider campus community. This can be contrasted with the approach taken in the Eversheds Sutherland briefing, which explores arguments in favour of sharing sanctions from the perspective of those with ‘legitimate interests’.Footnote 80 This includes, of course, the reporting party but also the HEI itself in terms of dealing transparently with reports or complaints, and ensuring that systems and processes are robust, effective and fit for purposes – as well as encouraging proactive preventive measures to promote campus safety. Indeed, the briefing suggests that, to the extent that an open and transparent process can be seen to be pivotal to their function as public institutions, with a duty of care to their members, disclosure of outcomes and sanctions by HEIs could be positioned firmly as lawful and proportionate.

Despite this, the general tone of the UUK guidance still errs markedly towards non-disclosure, with a focus on ‘the significant and damaging impact this might have on the responding party's personal life, health and wellbeing, and professional reputation’.Footnote 81 The concern here is at least partly driven by anxiety that the reporting party, if made aware of the sanction, would be motivated to make further public disclosures to others, which would generate additional harm and reputational damage for the responding party. It is legitimate in the wider context of GDPR principles, including accountability, to consider future use and control of data, and the UUK guidance makes it clear that HEIs could be liable for adverse consequences if they fail to mitigate this risk. At the same time, the empirical basis for this concern about universities’ (in)ability to ‘manage’ subsequent circulation after the point of disclosure to reporting parties is far from clear: after all, such wider disclosure would also involve identifying the reporting party as a victim-survivor of abuse with all the challenges that identification can bring, and the desire for information from reporting parties is more likely motivated by a desire for closure and recognition from the institution than by an interest in wider sharing of disciplinary outcomes.Footnote 82 To the extent that this concern is well-founded, however, there are mechanisms – acknowledged in the UUK guidance – that might mitigate risk, for example, asking the reporting party to limit onward disclosure. The court in B v General Medical Council recognised this, stating that:

[I]t might be reasonable (within the meaning of section 7(4)(b)) [of the Data Protection Act 1988] to make disclosure of the information to the requester if there can be appropriate assurance that no wider inappropriate dissemination of the information will occur, whilst it might not be reasonable to make disclosure in the absence of such assurance. In my view, it would be open to the data controller in such a case to invite the requester to consider giving a binding contractual undertaking to the data controller or the objector or both, to restrict the use to which the information might be put.Footnote 83

However, and importantly for our argument, the wider (mis)use of non-disclosure agreements in misconduct and harassment cases has been heavily criticised, with several HEIs undertaking public pledges against their use.Footnote 84 In a recent review of a Canadian university's response to sexual misconduct, the use of confidentiality agreements to ‘maintain the integrity of the investigation, prevent retaliation or ostracism or other social dysfunction in the learning and living environment while the investigation is underway’ is contrasted with what the review's authors consider appropriate at the end of the process where victim-survivors’ experiences ‘are their own to tell or maintain in confidence’ and thus ‘where immediate measures are imposed on respondent students, the affected complainant should not be prevented from discussing these measures as necessary to protect her/their own safety’.Footnote 85 For several reasons, then, mitigating the risk of data spread through absolute limits on reporting parties’ freedom to discuss outcomes are unlikely to be appropriate. Equally, it is important to bear in mind, when balancing the risks involved, that the concern expressed by UUK regarding prospects for onward disclosure is speculative, and while the guidance intimates that the sanctions at issue may be misunderstood by others as involving criminality, they are categorically not convictions, so the possibility of others’ confusion ought not to justify a higher threshold for disclosure. It is also worth noting that this emphasis in the current guidance on the risk to a responding party in disclosing sanctions where a complaint is upheld is not afforded equal treatment to the converse risk of a responding party disclosing that a report was made against them by the reporting party but not upheld indeed, this scenario, and whether or how an HEI should mitigate the risk of being stigmatised (often incorrectly) as a false accuser, is given no attention by UUK at all.

Of course, there are some types of sanction that require to be shared in order to bring them into effect – for example, sanctions that limit or remove access to campus spaces, or clubs/societies, or the imposition of a no contact requirement in relation to the reporting party, which would need to be disclosed so that they knew to report any breach. This too is acknowledged by the UUK guidance.Footnote 86 Even here, however, it is noted that:

in many cases it may not be necessary to share full details of the sanction imposed…[and] sharing details of the outcome instead will be sufficient. For example, it may be sufficient to tell the reporting party that their complaint was upheld and that the responding party is no longer on campus

but it may not be necessary to disclose further detail regarding the nature of that removal.Footnote 87 This under-delivers in that it does not provide the reporting party with the full picture as to, for example, the duration and conditions of exclusion; but it also over-delivers in that, with campuses being open and public places, it is misleading to assert that the responding party will no longer be on campus when, more accurately, the point is that the university has temporarily or permanently excluded them, a condition that they may or may not comply with. In response, the reporting party might legitimately wish to seek further information from the university regarding options in the event that there is a breach, such as reporting to campus security services who, having been informed of the exclusion, are able to take appropriate action. The implications of handling this poorly were again demonstrated in Feder and McCamish. Here the court considered that a HEI's failure to communicate the outcome of the investigation to the reporting party – which was explained with reference to an assumption that she would have already known the outcome through other means, or the presumption that she had no right to know given her witness status – could not be justified, and in fact constituted a breach of the HEI's duties to protect her welfare, especially in circumstances where the respondent party would still be around campus. Moreover, where the sanctions fall short of exclusion and are not understood to ‘directly affect’ the reporting student, for example, that a responding party has been required to complete consent training and/or pay a fine, even institutions who allow for partial disclosure would be unlikely to deem these outcomes disclosable.

This will leave many reporting parties without effective resolution at the end of a difficult process and may impact in myriad ways on their ability to continue with their education. A refusal to provide reporting parties with an account of the sanctions issued also precludes the possibility of them being able to appeal ‘clearly unreasonable’ outcomes, which is an avenue of redress available in some HEIs in other jurisdictions,Footnote 88 and that arguably ought to be extended here. In England and Wales, though reporting parties may make a complaint under the student complaints procedure if they have concerns about how the matter was handled, the OIA has confirmed that it cannot appeal the outcome of a disciplinary process.Footnote 89 This is because they are considered a witness (at best) in proceedings and have no formal standing once the complaint is transitioned into a disciplinary procedure.

Conclusion

In this paper, we have argued that, due to an unduly narrow interpretation of GDPR legislation or at least a privileging of data protection considerations over other obligations owed to students, HEIs in the UK are often being overly circumspect in terms of what information they share, with whom and how, during sexual misconduct complaints and disciplinary processes. Three key stages in such processes where private data is engaged were examined – the disclosure of misconduct, the investigation of the complaint and the sharing of information about outcomes with individuals and campus communities. We argued that, at each stage, universities are often overly cautious in their application of privacy law and fail to conduct the balancing exercise recommended by sector guidance and the GDPR regime. This balancing of interests is necessary for any meaningful engagement with notions of a ‘demonstrably fair’ investigatory process.Footnote 90 But it must also be trauma-informed in its operation and cognisant of the communities of interest beyond the individuals most immediately involved. And, as Brodsky reminds us, it can be unproductive here to presume that ‘a single axis of justice exists on which every gain for one side is a loss for the other’.Footnote 91

What constitutes a ‘fair and balanced’ approach in this context is yet to be fully unpacked and articulated by either regulatory or quasi-regulatory bodies in the context of UK higher education. In the absence of a more concerted commitment to doing so, we have argued that there is a danger that individual university responses will focus myopically on the risk of reputational damage, and drift towards adversarial procedures that protect the rights of the person who has been accused of misconduct and that can rapidly find themselves deployed in ways that limit or inhibit engagement with the interests and rights of the reporting party.

HEIs rely on individual victim-survivors to report their experiences in order to address campus safety for the community as a whole. When universities fail to fully consider and include the rights and interests of reporting parties, or fail to implement trauma-informed processes that aim to reduce harm, this can amount to an ‘institutional betrayal’,Footnote 92 and sends a message to the wider campus community that reporting or disclosing sexual misconduct to the university is likely to re-traumatise. Though the instinct for HEIs to err on the side of non-transparency is sometimes understandable given the seriousness of the issue and the paucity of clear guidance, this risks a serious injustice both to individual complainants and to the wider student communities over which universities have a duty of care and a fundamental responsibility to ensure equal and safe access to education. While much of our focus in this paper has been on HEI's obligations within a data privacy framework, the recent decision in Feder and McCamish v RWCMD has provided additional urgency to these concerns by holding the HEI in question liable for damages in negligence as a consequence of its multiple breaches of its duty of care. Though the parameters of that duty of care extend beyond questions of retention and use of private data, the failures of the HEI in that case to protect the confidentiality of the reporting parties whilst refusing to disclose information that would have supported the victim-survivors’ sense of safety and ability to avail themselves of educational opportunities were clearly actionable.

This case indicates the potential for law to provide a mechanism of accountability that encourages more holistic and complex analyses of the interests at stake. However, a current lack of clarity in relation to information sharing and protection of reporting parties’ rights allows a reproduction – and even magnification – of gendered and other inequalities that are both a cause and a consequence of sexual violence and harassment.Footnote 93 The implementation of legal obligations by HEIs in this context requires careful scrutiny to avoid enabling minimisation of sexual violence in higher education and dereliction of duties of equality and care. In this respect, Klein's observations in the US context also seem apposite: they conclude the ‘current legislative environment has created a narrow focus among universities on technical and procedural compliance to avoid institutional liability, while fundamental change towards gender equality and violence prevention have yet to happen’.Footnote 94

Footnotes

We are very grateful for the excellent research assistance of Darío-Karim Pomar Azar; and thanks also to Sean Morris for advice on sections of a previous draft of this paper, and to the anonymous reviewers for helpful comments.

References

1 Cowan, S and Munro, VESeeking campus justice: challenging the “criminal justice drift” in United Kingdom university responses to student sexual violence and misconduct’ (2021) 48 Journal of Law and Society 308CrossRefGoogle Scholar.

2 See for example Freer, E and Johnson, AOvercrowding under the disciplinary umbrella: challenges of investigating and punishing sexual misconduct cases in universities’ (2018) 14 International Journal of Law in Context 1CrossRefGoogle Scholar.

3 See Anitha, S and Lewis, R (eds) Gender based Violence in University Communities (Policy Press, 2018)Google Scholar; H Ghani and G Towl ‘Students are still afraid to report sexual assault’ Times Higher Education (7 August 2017), available at https://www.timeshighereducation.com/blog/students-are-still-afraid-report-sexual-assault; Universities UK Changing the Culture – Tackling Gender-Based Violence, Harassment and Hate Crime: Two Years On (2019) at pp 4–5.

4 Office for Students ‘Statement of Expectations’ (2021), see expectation 6c, available at https://www.officeforstudents.org.uk/media/85a9239c-b0ea-4549-b676-66d59f3bddef/ofs-statement-of-expectations_harassment-and-sexual-misconduct.pdf. See also Office of the Independent Adjudicator OIA Briefing Note: Complaints Involving Sexual Misconduct and Harassment (2018).

5 In the context of staff-student misconduct, see Bull, A and Rye, R Silencing Students: Institutional Responses to Staff Sexual Misconduct in Higher Education (The 1752 Group/University of Portsmouth, 2018)Google Scholar; Bull, A et alDiscrimination in the complaints process: introducing the sector guidance to address staff sexual misconduct in UK higher education’ (2021) 25 Perspectives: Policy and Practice in Higher Education 72Google Scholar; Bull, A and Page, TThe governance of complaints in UK higher education: critically examining “remedies” for staff sexual misconduct’ (2022) 31 Social & Legal Studies 27CrossRefGoogle Scholar; A Bull and E Shannon ‘Higher education after #MeToo: institutional responses to reports of gender-based violence and harassment’ (The 1752 Group/University of York, 12 June 2023), available at https://1752group.com/higher-education-after-metoo/.

6 See further Cowan and Munro, above n 1.

7 For discussion see Bull, A et alResearching students’ experiences of sexual and gender-based violence and harassment: reflections and recommendations from surveys of three UK HEIs’ (2022) 11 Social Sciences 373Google Scholar. The most comprehensive data on reporting comes from Freedom of Information requests, which have found that, between 2017 and 2020, across the 125 UK HEIs who provided data, there were 1,403 recorded reports of sexual misconduct from students, of which 487 were investigated and 213 resulted in disciplinary proceedings. See A Howlett and D Davies ‘Degrees of abuse’ (Al Jazeera, 2021), available at https://interactive.aljazeera.com/aje/2021/degrees-of-abuse/index.html.

8 Steele, B et alSexual violence among higher education students in the United Kingdom: results from the Oxford Understanding Relationships, Sex, Power, Abuse and Consent Experiences Study’ (2023) 39 Journal of Interpersonal Violence 1926Google ScholarPubMed. This can be compared with Howlett and Davies, above n 7.

9 Above n 4. Note that this operates only in England and Wales.

10 In previous work, the authors have – in different ways – drawn out dimensions of this complexity and offered reflections and recommendations on ways forward. See for example: Bull et al, above n 5; Bull and Page, above n 5; Bull and Shannon, above n 5; Cowan and Munro, above n 1; Humphreys, CJ and Towl, GJ Addressing Student Sexual Violence in Higher Education: A Good Practice Guide (Bingley: Emerald Publishing Ltd, 2020)CrossRefGoogle Scholar; Humphreys, CJ and Towl, GJ (eds) Stopping Gender-based Violence in Higher Education: Policy, Practice, and Partnerships (London: Routledge, 2022)CrossRefGoogle Scholar; K Prince and P Franklin-Corben ‘Case management as a dedicated role responding to gender-based violence in higher education’ in Humphreys and Towl (2022), ibid.

11 Reporting party refers to the person reporting they were subjected to sexual misconduct and responding party refers to the person accused of perpetrating the sexual misconduct.

12 Humphreys and Towl (2020), above n 10, at p 45.

13 See further Downes, J et alEthics in violence and abuse research – a positive empowerment approach’ (2013) 18(4) Sociological Research Online 17Google Scholar.

14 The 2018 Act expresses these as six principles, as it combines data minimisation and data accuracy.

15 The UK's independent information rights watchdog: see https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/what-is-personal-data/.

16 E Politou et al ‘Forgetting personal data and revoking consent under the GDPR: challenges and proposed solutions’ (2018) 4 Journal of Cybersecurity 1.

17 K Jones et al ‘Questions of data ownership’ EDUCAUSE Review (25 August 2014), available at https://er.educause.edu/articles/2014/8/questions-of-data-ownership-on-campus.

18 Universities UK Changing the Culture: Sharing Personal Data in Harassment Cases: Strategic Guide (2022a); Universities UK Changing the Culture: Sharing Personal Data in Harassment Cases: Practical Guide (2022b). This guidance was prompted by an EHRC report on racial harassment in universities: EHRC Tackling Racial Harassment: Universities Challenged (2019), recommendation 4 of which stated, at p 15: ‘Higher education providers must enable students and staff to report harassment and ensure their complaints procedures are fit for purpose and offer effective redress.’

19 Tackling Racial Harassment: Universities Challenged, ibid at p 79.

20 Universities UK (2022a), above n 18, at p 6.

21 Ibid, at p 8.

22 Universities UK (2022b), above n 18, at pp 5–34.

23 Eversheds Sutherland Legal Briefing: Staff to Student Sexual Misconduct (2022), available at https://www.universitiesuk.ac.uk/sites/default/files/field/downloads/2022-09/uuk-eversheds-sutherland-staff-to-student-sexual-misconduct-legal-briefing.pdf.

24 J Edwards ‘Open letter from UK Information Commissioner John Edwards to public authorities’ (Information Commissioner's Office, 30 June 2022), available at https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/06/open-letter-from-uk-information-commissioner-john-edwards-to-public-authorities/.

25 OIA Annual Report (2022) p 26, available at https://www.oiahe.org.uk/media/2832/oia-annual-report-2022.pdf.

26 S Shariff et al ‘Privacy and protection vs accountability and transparency: navigating sexual violence claims in university contexts’ in D Crocker et al (eds) Sexual Violence at Canadian Universities: Activism, Institutional Responses & Strategies for Change (Ontario: Wilfrid Laurier University Press, 2020) p 211; MM Carleton ‘Confidentiality throughout the investigation, hearing, and disciplinary process for campus adjudication of sexual misconduct’ in CM Renzetti and DR Follingstad (eds) Adjudicating Campus Sexual Misconduct and Assault: Controversies and Challenges (San Diego: Cognella Academic Publishing, 2019) pp 71–113; K Busby and J Birenbaum Achieving Fairness: A Guide to Campus Sexual Violence Complaints (Toronto: Thomson Reuters Canada, 2020).

27 See, further, for example, Attorney General's Office Attorney General's Guidelines on Disclosure (2024), at https://www.gov.uk/government/publications/attorney-generals-guidelines-on-disclosure; and in relation to phone and media data, R v Bater-James [2020] EWCA Crim 790.

28 See further Home Office Domestic Violence Disclosure Scheme (DVDS) Statutory Guidance (2023) at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1162788/Domestic_Violence_Disclosure_Scheme.pdf.

29 NUM website, https://nationaluglymugs.org/about-num/.

30 L Whitfield ‘Using law to challenge gender based violence in university communities’ in S Anitha and R Lewis (eds) Gender Based Violence in University Communities: Policy, Prevention and Educational Initiatives (Policy Press, 2018) pp 149–167.

31 A Brodsky ‘A rising tide: learning about fair disciplinary process from Title IX’ (2017) 66(4) Journal of Legal Education 822.

32 Title IX prohibits sex discrimination in all federally funded education programmes and activities, and under it students can sue HEIs for damages for failing to provide equal access to education opportunities, including as a consequence of ‘deliberate indifference’ to known instances of sexual harassment: Gebser v Lago Independent School District, 524 US 274, 209 (1988). For further discussion see R Klein ‘Sexual violence on US college campuses: history and challenges’ in Anitha and Lewis, above n 30, pp 63–82; Brodsky, above n 31.

33 Universities UK (2022a), above n 18, at p 24.

34 Universities UK (2022b), above n 18, at p 40.

35 See for example: ‘How to use the insight from anonymous reports with UCL’ (Culture Shift, 2019), available at https://www.culture-shift.co.uk/resources/higher-education/how-to-use-insights-from-anonymous-reports-effectively/; Busby and Birenbaum, above n 26, at p 278.

36 Universities UK (2022b), above n 18, at p 40.

37 Ibid.

38 See for example B Krahé and J Temkin Sexual Assault and the Justice Gap: A Question of Attitude (Hart Publishing, 2008); S Cowan ‘Mind the gap: implementing “rape shield” laws in Scottish sexual offences trials’ in K Gleeson and Y Russell (eds) New Directions In Sexual Violence Scholarship (Taylor and Francis, 2023) pp 151–172.

39 Legal Briefing: Staff to Student Sexual Misconduct, above n 23, at p 10 (emphasis added).

40 Universities UK (2022b), above n 18, at p 40.

41 Humphreys and Towl (2020), above n 10, at p 110.

42 NC Cantalupo and W Kidder ‘Mapping the Title IX iceberg: sexual harassment (mostly) in graduate school by college faculty’ (2017) 66 Journal of Legal Education 850; Bull and Rye, above n 5; ST Hales and TA Gannon ‘Understanding sexual aggression in UK male university students: an empirical assessment of prevalence and psychological risk factors’ (2022) 34 Sexual Abuse 744.

43 Busby and Birenbaum, above n 26, at p 265.

44 The 1752 Group and McAllister Olivarius ‘Sector guidance to address staff sexual misconduct in UK higher education: recommendations for reporting, investigation and decision-making procedures relating to student complaints of staff sexual misconduct’ (2020), at p 13, available at https://1752group.files.wordpress.com/2021/09/5ed32-the-1752-group-and-mcallister-olivarius-sector-guidance-to-address-staff-sexual-misconduct-in-uk-he.pdf.

45 Universities UK (2022b), above n 18, at p 40.

46 ‘A guide to the data protection exemptions’ (Information Commissioner's Office, 19 May 2023), available at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/exemptions/a-guide-to-the-data-protection-exemptions/#ib2.

47 L Kelly Surviving Sexual Violence (Polity Press, 1988).

48 A Bull and T Page ‘Students’ accounts of grooming and boundary-blurring behaviours by academic staff in UK higher education’ (2021) 33 Gender and Education 1057.

49 Universities UK (2022b), above n 18, at p 42.

50 Office of the Independent Adjudicator The Good Practice Framework: Disciplinary Procedures (2018) at p 16 (emphasis added).

51 A Bull ‘Higher education after #MeToo – there's still work to be done on case handling’ (Wonkhe, 1 August 2023), available at https://wonkhe.com/blogs/higher-education-after-metoo.

52 For example, see Bull and Shannon, above n 5, at pp 33–36.

53 UCL Bullying, Harassment and Sexual Misconduct Policy (2019), available at https://www.ucl.ac.uk/human-resources/sites/human-resources/files/report_support_duty_of_care_guidance.pdf.

54 Ibid.

55 See for example ‘UCL apologises and takes action following investigation into the Bartlett School of Architecture’ (9 June 2022), available at https://www.ucl.ac.uk/news/2022/jun/ucl-apologises-and-takes-action-following-investigation-bartlett-school-architecture.

56 The 1752 Group and McAllister Olivarius ‘Briefing no 1: In cases of suspected sexual misconduct can a university pro-actively investigate and speak to potential witnesses in the absence of any formal complaint or complainant?’ (2020), available at https://1752group.files.wordpress.com/2020/03/the-1752-group-and-mcallister-olivarius_briefing-note-1.pdf.

57 G White ‘Report for publication and college response’ (Trinity Hall, Cambridge, 2022), available at (2024), at https://www.gov.uk/government/publications/attorney-generals-guidelines-on-disclosure.

58 Ibid, at p 49.

59 Cowan and Munro, above n 1; J Dickinson ‘Is it time for a Support Excellence Framework?’ (Wonkhe, 27 May 2023).

60 Feder and McCamish v Royal Welsh College of Music and Drama (County Court, 5 October 2023), available at https://wonkhe.com/wp-content/wonkhe-uploads/2023/10/5-10-23-Feder-and-McCamish-v-RWCMD-FINAL.pdf.

61 AR Newins et al ‘Title IX mandated reporting: the views of university employees and students’ (2018) 8 Behavioural Science 106. For a comparison of UK and US approaches to tackling this issue up until 2012, see A Phipps and G Smith ‘Violence against women students in the UK: time to take action’ (2012) 24(4) Gender and Education 357.

62 Universities UK (2022b), above n 18, at p 45.

63 Bull and Shannon, above n 5, at p 48.

64 Bull and Shannon, above n 5.

65 See further A King et al ‘Operation Soteria: improving CPS responses to rape complaints and complainants – interim findings report’ (2023), available at https://www.cps.gov.uk/sites/default/files/documents/publications/Soteria%20Interim%20Findings%20Report%20FINAL%20-%2004.07.23%20-%20accessible.pdf.

66 Law Commission for England and Wales ‘Evidence in sexual offences prosecutions – a consultation paper’ (2023).

67 Youth Justice and Criminal Evidence Act 1999, s 41.

68 Universities UK (2022b), above n 18, at p 36 (emphasis added).

69 The 1752 Group and McAllister Olivarius, above n 44; Bull and Shannon, above n 5, at pp 31–32.

70 Of course, if there is a disciplinary hearing, evidence is tested more publicly and robustly – and, it appears, likely more litigiously, given the recent decision of AB v XYZ [2023] EWHC 1162 (KB), which upheld the decision of the High Court that parties can be legally represented, and questioned on their evidence by the disciplinary panel's Chair. For discussion of the High Court decision see Cowan and Munro, above n 1.

71 Feder and McCamish, above n 60, at para 655.

72 B v General Medical Council [2018] EWCA Civ 1497.

73 R Paines ‘Mixed data in the Court of Appeal’ (Panopticon, 2 July 2018), available at https://panopticonblog.com/2018/07/02/mixed-data-in-the-court-of-appeal/.

74 B v General Medical Council [2018] EWCA Civ 1497 para 69 (emphasis added) – see also para 70: ‘Both sets of rights and interests are important and there is no simple or obvious priority as between them which emerges from consideration of their nature or their place in the legislative regime.’ The majority accepted that if the interests were found to be balanced equally, at that stage there would be a weak, ‘tie-breaker’ presumption in favour of withholding the data [para 71]. This case was decided under the Data Protection Act 1998 but the legislation currently in force – the 2018 Act – has, under para 16(2)(b) of Sch 2, a similar ‘reasonableness’ test for sharing data so this case will, it is thought, remain applicable under the new regime. See Paines, above n 73.

75 Busby and Birenbaum, above n 26, at p 254; 262.

76 OIA Briefing Note, above n 5. For examples of remedies that the authors are aware of see Bull and Page, above n 5, at 37–40.

77 Equality and Human Rights Commission Sexual Harassment and Harassment at Work: Technical Guidance (2020) at para 5.66, available at https://www.equalityhumanrights.com/sites/default/files/2021/sexual-harassment-and-harassment-at-work.pdf.

78 Universities UK (2022a), above n 18, at p 6.

79 Universities UK (2022b), above n 18, at p 31.

80 Legal Briefing: Staff to Student Sexual Misconduct, above n 23, at p 59.

81 Universities UK (2022b), above n 18, at p 20.

82 Many people within the HEI will learn of the intimate details of the reporting party's assault, including members of the discipline panel which often include at least one student representative, and will also know the outcome of the process, while the reporting party will not. This does not appear to us to be a ‘balanced’ approach.

83 B v General Medical Council [2018] EWCA Civ 1497 para 83. Again, this reasoning should apply under the new GDPR regime embedded in the 2018 Act, despite the case being decided under the 1998 Act. See Paines, above n 73.

84 See also the Higher Education (Freedom of Speech) Act 2023.

85 CCLISAR Independent Review of Mount Allison University's Practices and Policies Related to Sexualized Violence (2021) at p 38, available at https://mta.ca/sites/default/files/2021-07/CCLISAR-IRP-Report-on-Mount-Allison-University-June-30-2021.pdf.

86 Universities UK (2022b), above n 18, at p 21.

87 Ibid.

88 Busby and Birenbaum, above n 26, at p 269.

89 The Good Practice Framework: Disciplinary Procedures, above n 50, at p 33.

90 OfS ‘Statement of Expectations’, above n 4, expectation 6c.

91 Brodsky, above n 31, at 825.

92 Smith, CP and Freyd, JJDangerous safe havens: Institutional betrayal exacerbates sexual trauma’ (2013) 26 Journal of Traumatic Stress 119CrossRefGoogle ScholarPubMed.

93 Jackson, C and Sundaram, V Lad Culture in Higher Education: Sexism, Sexual Harassment and Violence (Routledge, 2020)CrossRefGoogle Scholar.

94 Klein, above n 32, at p 73.