Some of you have been asking about the changes to liability in the new Service Agreement, so I thought it was worth a blog post to highlight the main factors we had to bear in mind.
The new Service Agreement for Institutions marks the transition of Learning Analytics from a relatively small-scale R&D project to a national Jisc service with many customers. It also spans a change in data protection legislation from the Data Protection Act to the new General Data Protection Regulation (GDPR), which comes into force on 25 May 2018.
When defining the liability position in the new agreement we had to take into account the increase in the number of potential customers, the risks involved in delivering a major service, and the significant changes that GDPR introduces. Our goal was to ensure we offered a liability position that was reasonable and similar to that offered by other suppliers in the marketplace.
In the case of pathfinder institutions who have been helping us to develop our solutions over the past two years, we have also been able to offer them services for free for a period of up to 12 months. In addition, when fees become payable we’ve committed to keeping the early adopter price as low as possible. With this approach to pricing we’ve had to strike a balance between the fees we charge and a liability position that’s commercially sustainable for us.
In terms of the change in data protection legislation, the liability position addresses the new legal obligations that GDPR places on Data Processors (in this case Jisc). Under the Data Protection Act the Data Controller (in this case the Institution) was responsible for ensuring legal compliance.
Under GDPR the Data Processor (Jisc) will have a statutory obligation to implement appropriate security measures to protect the personal data made available to it by Institutions (the Data Controller). As such, under GDPR, Jisc (rather than the Data Controller) can be directly fined for a breach of these statutory obligations.
In the Service Agreement the liability position we set out is that each party’s aggregate liability to the other party for all claims arising in a given year will not exceed in aggregate a sum equal to 100% of the charges paid in that year or £10,000, whichever is the greater.
In summary, the new liability position reflects:
- A commercial approach based on the fees paid by an Institution for the service.
- The change in GDPR where Jisc has new obligations and liabilities as a Data Processor.
- A level that is sustainable over the longer term.
Mark Harrington, Jisc Learning Analytics Service