The short answer is yes, you are required to obtain consent from students before you pass their details to a third party.
"Consent" is not defined in the Data Protection Act 1988 (DPA). However, the Directive 95/46/EC (the Data Protection Directive on which the DPA is based) defines ‘the data subject’s consent’ as:
"Any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed".
Therefore, there must be some form of communication where the individual knowingly indicates consent. This may involve clicking an icon, sending an email or subscribing to a service. The crucial consideration is that the individual must fully understand that by performing the action in question, they will be giving consent.
The data subject should know what they are consenting to. As a data controller, the institution is required by the DPA to process personal data only where it has a clear and legitimate purpose for doing so, and then only as necessitated by that purpose. The purposes you propose for the personal data should be clearly set out in advance and should be easily understood and readily available to data subjects (in this case, learners and potential learners).
How you obtain consent is a matter for the institution; it may well be that you send details out to all prospective students advising them that your email facility is outsourced to a third party and as a result a small amount of their personal data will be passed on by the institution to Microsoft. You can indicate that this will be kept to a minimum and in accordance with the requirements of the DPA. Potential students could be given the opportunity to opt out at this stage if they are not happy with such terms. You should also provide details of a person that they can contact should they have any other queries. The accounts of prospective students that do not become registered should be suspended once it is clear they will not be registered. The accounts should then be deleted.
It is worth noting that Microsoft or Google would be the Data Controller in terms of personal data it collects from students independently of the institution. It is obliged to comply with the DPA requirements of fairness and lawfulness in its relationship with the learners and potential learners. This will include obtaining consent to process personal data provided by the learners and potential learners over and above data provided by the institution. For the specific data provided by the institution to Microsoft, the institution remains the data controller and Microsoft is the data processor. The data processor must act only in accordance with the terms of a Data Processor Agreement that you have arranged with them. This agreement could, for example, provide for Microsoft inviting the potential students to avail of additional services provided by them. However, it would need to be made clear to the students and potential students that these services are optional and that the third party undertakes to comply with DPA requirements with regard to this additionally collected data.
Diligence is required by the institution in order to establish that the data processor (Microsoft/Google) is adhering to the terms of the data processing agreement. This could take the form of audits or other inspection procedures designed to demonstrate compliance by Microsoft with the data processing agreement.