13 August 2025

Who is the Data Controller?

Opening a Can of Worms in Higher Education

By Sue White, Information Governance Manager

‘Research students process substantial amounts of personal data (often special category data) during their studies. Who is the data controller? Is it the university or is it the student themselves?’

Years ago, I was asked the above question and, as with many data protection questions, there is no clear answer.

I considered:

  • For academic research, if the university sets the protocol, approves the ethics, and has oversight over the methodology, would it be fair to argue they are the data controller?
  • Outside of academic research, if a student independently conceives and designs a project which includes personal data, especially one not dictated by institutional requirements, then do they become a data controller?
  • If a student is the data controller, do they need to register with the ICO? Do they have obligations such as managing data rights requests, setting up retention schedules, and dealing with data breaches? That’s a lot of pressure for a student!
  • If a student submits a paper, which contains personal data, to their university for grading purposes, does the university then become the data controller? Or is the university a processor of that data?
  • If a student is processing personal data using university resources or infrastructure, such as email and cloud drives, is the university a data processor?

I trawled through university privacy notices, consulted my peers, and reached out to the ICO for guidance. It soon became apparent that there was no conclusive stance (none that convinced me, anyway)! Universities varied widely in how they interpreted the role of the data controller when it came to student research and coursework.

Let’s open the can and deal with the worms.

Let’s start at the beginning, and ask, ‘what is a Data Controller?’

Under the UK GDPR, a data controller is the organisation or individual that determines the purposes and means of processing personal data.

So, being a data controller means you are making the decisions about what personal data will be processed and how. Those two words, ‘what’ and ‘how’, are vital!

This can be straightforward but, where multiple parties are involved, it can become murky. For example, academic research involves students, supervisors, departments, ethics committees, stakeholders, sponsors etc., all of whom have a hand in shaping a project. How do you ascertain which party is the data controller?

What makes data protection legislation interesting is that it is based on principles rather than hard rules. This leaves many grey areas for data protection professionals to explore and form their own opinions, based on those principles, interpretations of the law and (usually) common sense. They then need to justify and document why they have reached those conclusions.

The key point for me, with this particular can of worms, was whether a university is determining, steering, or merely facilitating the use of personal data.

Key questions…

  • Who decides what personal data to collect and how it is used?
  • If someone wanted to use the data differently, who would have the final say?
  • If protocols are pre-written or require approval, who signed them off?
  • If there was a data breach, would the student or the university be ultimately responsible?

My considerations

Research projects progressing through ethical approval:

If personal data is processed in a project that requires ethics approval and the university has final oversight, then the university is the data controller. This means:

  • The university must govern the project.
  • Students must act under institutional instruction.
  • Responsibilities should be clearly set out in policies.

Other use of university resources or infrastructure (outside formal research):

If students are processing other personal data on university platforms (email, shared drives) but without institutional oversight, this likely falls outside UK GDPR under the “purely personal or household activity” exemption. This means there is no data controller (although there will be some policies around usage of systems in general).

Students choosing to include personal data in their studies:

Where personal data is used by students in a self-directed manner, for example a student including photographs in a portfolio of work, or writing about their life experiences and including data about other living people, this is likely to be exempt, as above.

However, the moment the work is submitted to the university, it could be argued that the university becomes the data controller. That said, the university’s obligations are limited to what is ‘practical.’ It would be ludicrous and impractical for the university to inform any data subjects, to check the accuracy of the personal data, to determine a retention period or to anonymise the data – but it would be responsible for the security of any personal data held on university systems. The university would also be able to exempt any data rights requests under the examination scripts and marks exemption.

Striking the balance

When opening this can of worms, I knew it would be complex. Data protection legislation consists of principles which allow data protection professionals to explore the possibilities. They will usually make assessments, taking into account their organisation’s culture, context, practices, and risk profile. People need to know their responsibilities and obligations in order to meet them.

Be brave, open your cans, embrace the messiness, justify and document your conclusions, and be ready to explain how you have organised your worms!

Further help

If you found this useful and want to deepen your expertise in data protection, explore our Intermediate and Advanced Certificates in Data Protection, or contact our Training Manager at info@naomikorn.com.
