Embedding information rights into higher education in the UK

Estimates suggest that a data breach costs an organisation over $4 million and that the total global cost of breaches will soon exceed $2 trillion. Hacking is part of the problem but errors in processing by individuals are still the most reported reasons for data breaches in the UK. With predictions of more jobs involving data processing in the future and the exponential growth in accessible personal data, it is increasingly important that this problem is taken more seriously. This Information Commissioner’s Office (ICO) sponsored research constitutes stage one of a study into the teaching of Information Rights (IR) in HE across the UK including depth interviews with professional bodies and Pro Vice-Chancellors, and an online survey aimed at Heads of Departments. Though not widespread, the research found instances of IR being taught but some barriers to embedding it across relevant subjects do exist, including:


This Information Commissioner's Office (ICO) sponsored research constitutes stage one of a study into the teaching of Information Rights (IR) in HE across the UK including depth interviews with professional bodies and Pro Vice-Chancellors, and an online survey aimed at Heads of Departments.
Though not widespread, the research found instances of IR being taught but some barriers to embedding it across relevant subjects do exist, including: • tutor expertise; • development and consistency of materials; and • competing curriculum development drivers.
Most respondents recognised the increasing importance of IR and welcomed ICO support with this but also felt that to improve the situation buy-in would be more likely if it was part of overall management strategy.

Background and Context
A 2016 global study by the Ponemon Institute (2016) found the average cost of a data breach to an organisation is increasing yearly; the latest calculations showed an increase of 5% surpassing $4 million.In a press release promoting their research entitled "The Future of Cybercrime & Security: Financial and Corporate Threats & Mitigation", Juniper Research (cited by Smith 2015) estimates that "the rapid digitisation of consumers' lives and enterprise records" will cause the cost of global data breaches to exceed $2 trillion by 2019; up four-fold on estimated costs in 2015.Whilst hacking by skilled cybercriminals is credited by them with much of the damage done, errors in processing by individuals are still one of the most reported reasons for data breaches in the UK according to the regulatory body, the Information Commissioner's Office (ICO).The latest data published (December 2016) by the ICO show a total of 453 incidents reported (Q2 only).Of these, only 53 were classed as "Cyber incidents" and 88 as "Other principle 7 failure", which comprise those security incidents that do not easily fit into the other categories (see Figure 1.).The other 312 incidents were due to some form of human error or inadequate action.There are significant changes on the horizon to data protection legislation in the EU, including a substantial increase of up to £20 million or 4% of global turnover in the penalties that can be imposed on offending organisations.Whilst much of the new legislation will seem familiar to anyone conversant with current EU laws, there is a fundamental shift in the underlying principle away from what many see as a tickbox attitude to compliance towards one of accountability, where organisations will be required to prove that all foreseeable risks were mitigated against prior to any breach occuring.
As the world embraces SMART technologies and the Internet of Things, the amount of personal data being produced and processed continues to increase at a phenomenal pace.According to the World Economic Forum (WEF) (2015) the "fourth industrial revolution", brought about by the convergence of technologies such as 3D, artificial intelligence, machine learning, nanotech and biotech advances, will have a highly disruptive effect on jobs and skills in the next decade (see Figure 2.).As well as predicting a greater reliance on a highly educated population to fill the roles these new technologies will create, in its "Future of Jobs Survey" the WEF also reports concerns over ethical and privacy issues as the key driver of change for 16% of the companies taking part in the research with many companies changing its processes to stay on top of this growing trend for consumers to question who has access to their data and how is it being used.Whilst the study does not attempt to quantify the percentage of the future workforce likely to be processing personal data in their employment, it can be implied by the overall findings that a greater number will be working with technologies that involve some form of personal data processing.In order to minimise the risk of a rise in the number of data breaches occuring alongside this growth in interconnected devices, it is important that those able to access personal data do so responsibly and are cognisant of the consequences of mishandling it.

Research Aims and Objectives
This research constitutes phase one of a study commissioned by the ICO to assess the extent to which HE and FE is providing students with the knowledge, theory and practice of Information Rights (IR), and to consider where the ICO may be able to provide support.
The lead research organisation for the research is Quadrant Consultants, supported by Marketwise Strategies and Zeun Digital.In order to allow for maximum disclosure of information participants in the study were assured full anonymity to ensure that responses could not be used by a competing institution.The research carried out by Marketwise Strategies employees followed the Market Research Society Code of Conduct and nothing that was divulged in interviews was reported back as having come from a specific interviewee or organisations.All raw data produced remains the property of the ICO and only summary findings were shared with partners involved in the project.As such data is not available to analyse the findings further.
Information Rights, for the purposes of this study, encompass data protection and Freedom of Information (FOI) legislation.It was acknowledged however that only a cursory understanding of FOI legislation would be necessary for most employees as public sector organisations, who are currently the only ones falling into the category required to respond to FOI requests, would likely employ someone with specialist knowledge of the legislation to respond to such requests.Conversely, as all students are data subjects in their own right, it was equally recognised that they could all benefit from an understanding of data protection legislation irrespective of where future employment might lead.It was therefore agreed that most emphasis during this research would be placed on the teaching of data protection.
One of the aims of the research was to identify which undergraduate and postgraduate degrees are currently teaching IR and to determine which were the highest priority areas for the ICO to focus its efforts on.Another of the aims was to identify and describe the most effective methods and delivery approaches to embed IR into the relevant courses, including the types of support materials tutors might be inclined to use if provided.
A key objective of the research was to establish what barriers, if any, might exist to the project moving forward, should it be decided at the end of stage one to do so, and ways to overcome them.

Research Methods
An initial desktop research was undertaken involving reviewing course information on institutions' websites to obtain an assessment of the evidence of the inclusion of IR in undergraduate and postgraduate courses across the UK.At the same time a database was compiled of all HE and degree-awarding FE institutions comprising contact details obtained from online public sources of Pro Vice-Chancellors and Heads of Departments.
Semi-structured interviews lasting 30 minutes were conducted by telephone with representatives of 10 professional development bodies, from across a number of identified subject areas, to obtain a better understanding of the relationship between the bodies and the institutions and any influence these bodies may have over curriculum content.It was also important to gauge support from these organisations for the ICO's efforts to improve the situation in the institutions.A number of those contacted were regulatory bodies and others, with a voluntary membership having no statutory influence over curriculum development.
A further series of semi-structured telephone depth interviews was conducted with 10 Pro Vice-Chancellors from different universities to obtain the views of decision-makers on the likelihood of the institution supporting such an initiative by the ICO.These interviews lasted between 30 minutes to one hour.All interviewees were provided with some contextual information prior to the interview to ensure they were able if needed to seek out information about the current situation in their own institution prior to the interview taking place.
Using the database compiled during the desktop research activity, an electronic survey comprising qualitative and quantitative questions was distributed to over 1300 Heads of Departments, and other individuals assumed to have some form of academic leadership role, across different institutions.The views of the Heads of Departments were important to assess the current situation in individual institutions in more detail and to identify opportunities and means of influencing curriculum development.

Findings and Recommendations
A list of 9 subject areas was compiled to focus attention on where students were more likely in the future to be accessing personal information: Business and Marketing; Law; IT and Computer Science; Library and Information Management; Politics and Social Science; Finance and Accountancy; Health and Social Care; Medicine; Media Studies.
The findings of the two interviews and the survey are discussed below.

Interview with Professional Development Bodies
The representative of the professional bodies were asked questions to determine the type of relationship the organisation has with the institutions and its educational responsibility.The representatives were questioned on the current situation regarding standards and monitoring of degree programmes, the importance the organisation placed on IR and on any possible barriers to embedding the topic in degree programmes under its remit.They were also asked whether there would be any support for any potential ICO accreditation programme.
All the representatives agreed that the topic of IR was of increasing importance and were supportive of the efforts of the ICO to educate the future workforce and remained open to further discussions on this with the ICO.However there were mixed views on whether the bodies themselves could influence the institutions to embed IR more firmly in courses, or indeed for some whether they should, feeling this decision was best left to individual institutions.In the main, there was a belief that IR is covered to some degree within general standards of conduct or ethics, or within a code for a particular profession, some to a greater degree than others.One of the barriers identified by the professional bodies was the technical knowledge of the legislation required to deliver the subject to an acceptable standard.However, the key barrier the representatives identified was the space in the curriculum to include another topic, if it isn't already included.When questioned about the possibility of introducing accreditation for IR the bodies were less enthusiastic stating it would likely be difficult to monitor and be a further regulatory burden on itself and on whoever was overseeing its delivery and assuring the quality.

Interview with Pro-Vice Chancellors
Pro-Vice Chancellors (Pro-VCs) were interviewed to assess the importance of IR at the strategic level of the institutions and to determine the level of support the ICO could possibly expect from the institution if it decides to move forward with a proposal.It was also important to ascertain the most effective way of influencing the curriculum across a number of subject areas.Some of the interviewees noted that some discussion had taken place regarding IR at management level within the institutions, however all respondents stated there were other curriculum development drivers that are seen as priority to include in management strategy, such as employability, enterprise, social responsibility and internationalisation.It was clear from the responses that there was agreement on the importance of the topic and some acknowledgement that generally not enough IR was currently being taught across many of the disciplines mentioned, although there is evidence in some institutions, mainly in disciplines such as law and health and social care, that IR is included explicitly within the subject curriculum.Some of the barriers to expanding the teaching of IR from the Pro-VCs perspectives tended towards issues with the time and expense needed to do so.It would be necessary to develop subject expertise amongst tutors and materials of a sufficient quality to ensure the same level of core knowledge was imparted across the institution.
The support of the ICO was welcomed to assist teaching by producing materials and offering training to staff, however there would also need to be buy-in from students and individual tutors alike.Some form of accreditation that could be offered to students was seen as a potential way of selling the benefits of understanding the legislation to students.
Tying the subject into a strategic driver such as employability would ensure the topic was taken seriously by tutors at course and module level.

Online Survey with Heads of Departments
Over 1300 invitations were disseminated resulting in a total of 170 responses, with a response rate of 13%, across the disciplines identified.All of the respondents stated they had some responsibility over curriculum design and 85% said that it was either likely or very likely students graduating from degrees in their discipline would in future work in roles that require an understanding of data protection legislation.
Nearly half of the respondents stated they have already embedded IR into their teaching and a further quarter were already committed to changing teaching to do so.Of these 73% of respondents however, three quarters said that it currently constituted a relatively small part of a module.When asked to consider if IR had to be embedded within a course 59% favoured it being subject specific and taught within a module compared to 15% preferring a cross-curricular approach; a quarter of respondents thought a hybrid approach would work best.When asked if the ICO were to provide high quality materials to support teaching of IR 73% said they would be likely or very likely to use them.All types of materials suggested, including case studies, videos, information sheets and interactive materials available via a virtual learning platform, received favourable responses.
Only 45% of respondents said they would be likely or very likely to use an ICO certified assessment tool if one was produced.However, 58% thought that if the ICO offered some form of accreditation for courses that embedded IR firmly within its structure this would act as a motivator to do so.

Conclusions
The growing importance of IR, is generally accepted by all participants in this study.The continuing growth in the volume of personal data in existence and the changing nature of the workplace, fueled by the "fourth industrial revolution", means it is increasingly likely that students today will end up in roles tomorrow that necessitate greater care being taken over processing of that data.
In an effort to improve the current state of affairs the ICO commissioned this study to assess the situation in HE and FE and found that whilst there are examples of IR being taught it is not widespread nor done in depth in many instances.Many barriers were identified, most notably the lack of expertise in the subject matter and access to good quality materials suitable to each subject area identified.However most respondents reacted favourably to the offer of ICO support in this regard and professional bodies in particular were on the whole open to working closer with the ICO although this with the understanding that there is little room or enthusiasm to add to the regulatory frameworks already in place.
Whether Phase 2 of the project will be completed and if so, where the effort will be concentrated is dependent on the findings of Phase 1 and has yet to be decided by the ICO.
Most institutions reacted favourably to support by the ICO with materials and training, and around half would welcome some form of accreditation by the ICO for courses that make a concerted effort to cover IR.However, initiatives such as these were not seen by most as enough of a motivator to encourage all curriculum developers to make the widespread changes needed.One effective way recognised by many to implement wide scale changes to curriculum would be through management strategy and embedding the teaching of IR into a current driver such as employability.

Figure 1 .
Figure 1.Q2 Incident Types Reported to ICO.Source:Adapted from data published on ICO website (2016).

Figure 2 .
Figure 2. Drivers of Change, industries overall.Source:Future of Jobs Survey.World Economic Forum (2016).