When a student is accused of committing gender-based violence or harassment, it is usual to keep any investigation confidential.
However, in the increasing number of sexual misconduct investigation and disciplinary processes that UK higher education institutions (HEIs) are undertaking, similar care and concern has not always been paid to the privacy rights of victim-survivors.
In England, the Office for Students has asked HEIs to deliver a “demonstrably fair” investigation and adjudication procedure. What does that look like in relation to data sharing and confidentiality?
As we outline in a new article in Legal Studies, it is not only necessary to balance the potentially conflicting rights to privacy of the alleged perpetrator and victim-survivors (respectively, the responding and reporting parties in the language used in the sector). Universities also have to keep in mind the parties’ rights to equality of access to education, protection from degrading treatment and due process. They also need to respect their own institutional obligations to their wider campus communities.
Two pieces of guidance, published in 2022 – from Universities UK (UUK) and law firm Eversheds Sutherland (commissioned by UUK) – suggest ways forward. What they perhaps demonstrate most clearly, though, is that data-sharing in harassment cases is a complex and still-developing area of practice. There remain various points of contention that, we suggest, risk serious injustice for both victim-survivors and the campus community more generally.
One issue is how institutions should respond when they receive multiple reports about the same person from different victim-survivors, none of whom want to make a formal complaint. Serial perpetration is a common factor in sexual violence, so this is a very live issue. Should universities act on such complaints?
The Information Commissioners’ Office outlines a list of exemptions under GDPR for “functions designed to protect the public”, which could cover informal disclosures that name an alleged perpetrator. Existing guidance is clear that this data therefore can be retained and acted upon. Nevertheless, UUK’s guidance calls for this mechanism to be used only in cases of “serious” harm, while saying little about how severity is to be determined.
We suggest instead that all disclosures about the same person should be recorded and linked where possible. But this requires the existence of an appropriate system for retention of those disclosures, a robust mechanism for identifying common patterns, and a careful and trauma-informed approach to victim-engagement. Currently, UK HEIs have much work to do in these regards.
Further complex issues arise regarding data-sharing during the investigation process. Universities may gather a wide range of evidence, in the form of personal and private information, about the parties involved. However, the relevance and probative value of such information often requires robust assessment to avoid breach of the data protection principle of data minimisation.
Institutions are also at risk of too readily sharing this information with the student against whom the complaint has been made, often in the mistaken belief that this is required to protect their natural justice rights. Victim-survivors may write long statements – 10,000 words is not uncommon – to evidence their experience, including details of impacts and sensitive personal information about mental or physical health. In one example from our research, a victim-survivor’s statement was shared in full with the student alleged to have perpetrated sexual violence and coercive control against her. This horrified her, becuase she felt that reading her statement would give him a level of insight about her suffering (including her associated feelings of shame and humiliation) that, in effect, continued the abuse.
But this oversharing does not appear to go the other way. Our research has shown that some UK HEIs continue to interpret data protection legislation to mean that the victim-survivor does not have any right to see statements provided by the perpetrator.
Moreover, at the end of a complaint or disciplinary process, HEIs will often refuse to share details of the outcome, including any resulting sanctions, with the victim-survivor. This is at odds with the Equality and Human Rights Commission’s 2020 recommendation that “wherever appropriate and possible”, complaints should be told “what action has been taken to […] address the specific complaint and any measures taken to prevent a similar event happening again in the future”. But it is in line with the UUK guidance, which overemphasises the risks to the alleged perpetrator of disclosing sanctions (for example, to their professional reputation).
Little attention is given in this to any risk to the victim-survivor from non-disclosure of outcomes. For instance, it may leave them unable to defend themselves against claims that they made a false accusation. The lack of effective resolution at the end of a difficult process may also erode their sense of physical and psychological safety and impact in myriad ways on their ability to continue with their education. They may feel that reporting was a waste of time and lose confidence in their university. Or they may feel unsafe on campus while being unable to defend themselves against retaliatory actions from the perpetrator and/or their allies.
The same goes for the wider student communities, for which universities have a duty of care and a responsibility to ensure equal and safe access to education.
While there is scope for universities to interpret data privacy laws in divergent ways, robust guidance from regulatory bodies – such as the Office for Students in England – is needed to clarify how to balance the privacy of everyone involved in such investigations. The instinct for HEIs to err on the side of non-transparency may be understandable given the paucity of clear guidance, and anxiety about the potential consequences of a breach of data privacy. But, at the very least, HEIs should consistently apply this same concern to victim-survivors.
HEIs’ data controllers need to make sure they understand enough about the specific context of gender-based violence to enable them to properly evaluate risk in the range of scenarios that they will face – where ill-informed sharing or non-sharing could have life-changing consequences.
Clarissa DiSantis is sexual misconduct prevention and response manager at Durham University. Kelly Prince is training development advisor at the University of York. Vanessa Munro is professor in the School of Law at the University of Warwick; Sharon Cowan is professor of feminist and queer legal studies at the University of Edinburgh. Anna Bull is senior lecturer in education and social justice at the University of York. Their article, “Data, disclosure and duties: balancing privacy and safeguarding in the context of UK university student sexual misconduct complaints”, is published in Legal Studies.
