23/10/2024
Welcome to the autumn edition of Higher Education Today, looking at current topics and questions facing higher education institutions.
In each edition we feature content from key members of our Higher Education legal and regulatory team. If you would like further details about these individuals or information about the wider Higher Education team please see our Higher Education brochure.
We are delighted that in this edition, the presenters from our recent Higher Education autumn webinar series share their thoughts following their respective presentations on:
- ‘The impact of a new government on employment and immigration law in higher education’
- ‘Higher Education finances: opportunities to pivot’
- ‘Cybersecurity, data protection and IP for higher education institutions – practical tips to mitigate risk in Higher Education’.
If you have missed any of our webinars you can view them OnDemand here.
We hope you find the newsletter interesting and helpful.
Department Head for Higher Education
Say hello to us
Our Higher Education team is attending and speaking at a number of in-person and online events over the next few months, please follow the link for details. If you are also at these events, please come and say hello to us.
- University & healthcare estate & Innovation (UHEI) – in person conference – 13-14 November, Mark Paget Skelin
- Independent Higher Education – Immigration Launchpad event – 14 November, Tijen Ahmet
- Independent Higher Education – Annual Conference – 26 November – Virginia Cooper, Rachel Soundy, Ashley Norman, Helen Stead
Impact of a new government on employment law
In our recent webinar last month on the ‘Impact of a new government on employment and immigration law in higher education’ we discussed the Government’s proposed Employment Law reform, as well as the new duty to prevent sexual harassment in the workplace. On 10 October 2024, the eagerly awaited Employment Rights Bill (and the Next Steps to Make Work Pay policy paper) was published. The Bill is 158 pages long and certainly covers a vast array of employment law provisions (28 reforms in total). One of the hot topics in the Bill is definitely unfair dismissal, and for Higher Education Institutions (HEIs), the Bill’s provisions regarding trade union activity certainly provide a fascinating read.
Below are a few of the key proposals from the Bill that will be of interest to HEIs.
Unfair Dismissal
The two year qualifying period will be removed and employees will have the right to claim ordinary unfair dismissal from day one (if they have actually started work, as opposed to just having accepted the offer of employment). However, the government has said that it recognises the importance of ensuring that someone is suitable for the job, and to address this, the Bill incorporates a probationary period (referred to as the initial period of employment) where employers can dismiss for conduct, capability, statutory restrictions or for some other substantial reason relating to the employee.
The government has said that it will consult on the length of the statutory probationary period, but its preference is 9 months. There will also be a “lighter-touch” process for dismissals during the probationary period, which is likely to include a meeting to explain concerns (at which the employee could be accompanied). This change will not come into force until autumn 2026, but HEIs are encouraged to start thinking about their recruitment processes and their policies and procedures to ensure they will be in a position to make necessary changes when the legislation comes into force. In addition, contractual probationary periods will need to be looked at, particularly in light of the fact that Higher Education employment contracts often include lengthy probationary periods.
Trade Union Activity
The government wants trade union laws to be “fit for the modern economy”. The Bill proposes to remove unnecessary restrictions on trade union activity, with the aim of developing relations based on good faith so that more people are empowered in the workplace. The minimum service level legislation (Strikes (Minimum Service Levels) Act 2023) will be repealed, and the Bill will see employers being required to provide written statements notifying workers of the right to join a trade union.
There will also be new wider rights of access and transparent frameworks with clear rules for union officials to meet, represent, recruit and organise members. Recognition will be easier and the balloting process will be simplified (with talk of electronic balloting). In addition to all of this, there will be protection from detriment for participating in lawful industrial action. We await further details to see how this will operate in practice, but HEIs may need to be prepared to increase trade union involvement and negotiation.
Sexual Harassment
The Bill seeks to expand the obligation for employers to take “reasonable steps” to prevent sexual harassment in the workplace, as set out in the Worker Protection (Amendment of Equality Act 2010) Act 2023, which is due to come in to force on 26 October 2024. The Bill states that employers will be required to take “all reasonable steps” to prevent sexual harassment, which is a higher threshold. In addition, the Bill expressly extends the obligation to include liability for third party harassment. HEIs will therefore need to think about appropriate risk assessments (which will need to include staff interactions with third parties) and staff training.
On 26 September 2024, the Equality and Human Rights Commission (EHRC) published its updated technical guidance for employers to help ensure they are taking the necessary steps to prevent sexual harassment in the workplace. This guidance already refers to third party harassment, and highlights the fact that employers should not wait until sexual harassment happens before taking action. The guidance is not legally binding, but employment tribunals are likely to take it into consideration when assessing employer actions and considering compensation uplifts. In addition to the updated guidance, the EHRC has also published an eight-step practical guide so that employers can ensure they are complying with their obligations. These documents are an essential read and will certainly help HEIs prepare for the changes.
Zero hours contracts
For HEIs that operate zero-hours contracts, the Bill’s proposals in this area may be concerning. The Bill introduces the right to a guaranteed hours, and this change will see employers being required to offer guaranteed hours to qualifying workers at the end of each reference period, although the worker will not be required to accept the offer. The reference period is yet to be defined, and this will be picked up within the forthcoming regulations, although 12 weeks has been mentioned. There will also be a consultation on reference and review periods. The government say the changes “will ensure that jobs provide a baseline of security and predictability so workers can better plan their lives and finances”.
The government expects to start consulting on the reforms in 2025, meaning that the majority of changes will not take effect until 2026. The government has said that it understands that adjusting to these new reforms will take time and is committed to ensuring that all stakeholders receive appropriate time to prepare for these changes ahead of their commencement.
You can watch our webinar OnDemand here: HE Spring Webinar Series: Impact of a new government on employment law in higher education
For more information on this topic, please contact Anne Palmer, Naomi Compton or Kelly Simpson who will be more than happy to help.
Opportunities to diversify University revenue streams
Our October webinar about Higher Education finances: opportunities to pivot, was hosted by Ashley Norman, (Head of Higher Education at Bevan Brittan), Mark Jaynes, partner at CIL Management Consultants and Rachel Soundy, partner in our higher education team specialising in corporate and commercial matters. We discussed the challenges and opportunities HEIs are facing at present and the initiatives that they are seeing HEIs taking in relation to: (a) delivery models, (b) structural change and (c) the diversification of income streams.
An audience poll at the webinar asked participants to respond to the following question: What initiatives are being pursued at your University in response to the ongoing challenges? The results from the participants (ranked highest to lowest were as follows)
- Diversifying revenue streams: 88% of participants
- Cutting costs (e.g. staff redundancies; closing courses): 82% of participants
- Targeting an increasing number of international students: 59% of participants
- Exploring new campus locations in the UK and/or overseas: 29% of participants
- Exploring merger opportunities: 6% of participants
Based on these results, HE Today has asked Mark and Rachel to take a deeper dive in this edition into the initiatives they are seeing HEIs taking in relation to diversifying revenue streams.
Short courses: an opportunity to pivot
All higher education providers will be already familiar with the concept of microcredentials or ‘stackable degrees’. Microcredentials are short courses that are typically taught over a period of 8-12 weeks with courses typically including content from modules that form part of existing degree programmes. They are designed to support both undergraduate and postgraduate students looking to upskill or reskill in rapidly-growing industries, without the time and financial commitment of a full degree. Microcredentials can be a stand alone course and offer an independent credential whilst other courses offer academic credit to use towards a full undergraduate or postgraduate degree. For example, at the time of writing, the University of Birmingham offers around 83 microcredential courses ranging from Advanced Clinical Decision Making to Strategic Management.
From both a legal and strategic perspective, we are seeing strong growth in the short course market where opportunities exist for Universities to work with online career accelerators and programme management companies or OPMs. An example of this type of collaboration is found in FourthRev which currently offers courses co-designed by the London School of Economics and Political Science, King’s College London and Cambridge University. Another example is iheed, which is part of Cambridge Education Group, and has HEI partners including the University of Warwick and London Southbank University.
University fees for these types of arrangements are often % based, but bearing in mind that many of these courses are increasingly containing bespoke elements (from employer involvement to specialist content) the fees charged for these types of courses can be priced accordingly.
Subcontracted provision: an opportunity to pivot
We are also seeing a growth in partnership arrangements amongst a significant number of Universities. According to the Office for Students’ Insight 22 brief into “Subcontractual arrangements in higher education” published in September 2024 the number of students taught in subcontracted arrangements doubled from 2019/20 to 2022/23 to account for over 5% of students in the sector. There are a small number of Universities who have more students studying elsewhere (i.e. off campus) than they do on campus.
Whilst there are financial and widening participation benefits for HEIs in operating subcontractual arrangements, questions have been raised in the HE sector over the last year or so about academic quality and the need for some Universities to ensure that they maintain robust management and oversight of franchise provision. As there are many Universities who operate exemplary subcontracted provision this commentary seems to be more around ensuring consistency across providers and ensuring that University stakeholders are alive to and can manage the risks associated with these types of arrangements. To support stakeholders in this regard Universities UK recently published a governance framework in partnership with GuildHE and the Committee of University Chairs (CUC).
To hear more from Mark and Rachel about opportunities including local partnerships and campus opportunities as well as lessons learnt, please listen to the webinar. For more information about the matters discussed in this article please contact Mark Jeynes and Rachel Soundy.
Cybersecurity for higher education institutions
Cybersecurity is one of those topics that can leave a whole room silent if you mention it at a dinner party! However, the risks of an attack are real, and the consequences can be devastating. Even a small attack can leave you with a time/resource cost in restoring systems, re-training staff, investigating the extent of any damage, and taking steps to protect your reputation.
HEIs sit in a more unique place risk-wise, as you are reliant on information and systems to operate, and hold sensitive data about students, staff, and potentially also research participants. The way that HEIs operate also means that there are likely to be numerous systems and applications used in different departments, with the risk of standalone apps being downloaded on your systems by students and staff being much higher than in a standard commercial business.
In this article, Vicki Bowles (Head of Information Law and Privacy here at Bevan Brittan) looks at some common myths around cybersecurity, and offers some practical, non-technical tips to lower the risk of an attack and/or mitigate against the consequences when you are hit.
1. It’s not a real threat – only big organisations get hit
Whilst it is true that cyberattacks on larger organisations are the ones that hit the headlines, it’s not the case that they are the only organisations that threat actors care about. (Threat actors being the individuals responsible for cyber-attacks).
The government carries out an annual survey on cybersecurity, (available here), and this shows that 50% of organisations surveyed admitted to having experienced a cybersecurity breach or attack in the last year, with micro and small businesses at 47% and 58% respectively. This shows that it’s not just a “large organisation” issue.
Your risk of being attacked depends to an extent upon the motivation of the threat actor. If they are simply looking for a ransom pay out, then any organisation that is likely to have funds and is reliant on data for their day to day operation could be a target. Sometimes the purpose is merely to disrupt, and therefore anything that might grab a headline will be a target. It’s also the case that you might be a target because of where you are in a supply chain. If, for example, you have government contracts, then there may be a way into a government department through your systems, where they link to others. Occasionally, you may even just be unlucky, and be using a piece of software or application that gets hit because of other potential targets.
My top tip here is to take the time to understand your own organisation’s risk profile. Once you understand this, it makes taking steps to mitigate those risks much easier because you can focus on the significant risks, and the ones where you can take steps, which makes your organisation much safer overall.
2. It’s an IT issue
This is one of the most common myths about cybersecurity, because of its technical nature. However, whilst there are undoubtedly IT issues at play here, it’s not the case that you can buy in an IT solution to mitigate all your risks in this area.
Key to a successful cybersecurity strategy will be an interplay between IT systems and specialists, and the rest of the organisation. For example, when assessing your risk profile, you need someone who understands your particular systems and applications, as well as someone who understands the possible consequences of a loss of part or all of your systems, where you are in supply chains, and the sensitivity of information held.
When you understand your risk profile, you can work with IT specialists to understand what technical solutions are available, but technical solutions alone cannot prevent/mitigate all the risks, and they will only work if they operate practically. As an example, you can block individuals logging in from anywhere outside of the UK. This makes your system more secure because log in attempts from outside of the UK are more likely to be fraudulent. However, this only works if your workforce is always UK based – if individuals may be working abroad, or working whilst on holiday, on a regular basis, this would not be a practical solution.
It’s therefore helpful if your non-IT specialists can understand what potential solutions exist, and your IT team understand the context in which you are working to assist with those solutions that are the most useful.
Top tip here is make sure that you work with your IT team so that they understand what you want out of your technical assistance, and you understand what the options are.
3. There’s nothing we, as individuals, can do to prevent an attack
In most organisations, people will be your biggest risk, and there are limits to the availability of technical solutions to mitigate this!
In the DCMS survey referenced above, over 80% of attacks reported were classed as “phishing” – where staff receive a fraudulent email or arrive at a fraudulent website. Email filtering software is a means to mitigate this risk, but it is not infallible. As with the example above, a very strict monitoring policy will prevent more fraudulent emails coming through, but you also risk missing legitimate emails too, so this needs to be factored in when thinking about the appropriate level of protection.
The best mitigation you have here is training, so that individuals are aware of the risks, can recognise a suspicious email, and take steps to verify that email before clicking. This also isn’t 100% infallible (we are all human, and we have bad days), but not clicking the link is one of the most effective preventions you can implement!
Top tip – have suitable training set up, that is accessible to anyone who needs to receive it, and chase those who don’t attend!
There are lots of other, non-technical, steps that individuals can take to assist with the mitigation of risk. Updating software as and when updates are released is something that is annoying – but vital to ensure that known security issues are fixed. Not updating quickly leaves your devices open to attack because the weaknesses remain, and can be exploited by individuals. (That goes for your personal devices too…)
4. We have policies in place for what to do in the event of a breach – isn’t that enough?
Policies and procedures can be a significant help when something happens, and you’re in panic mode! However, they don’t help mitigate the risks of an event, and prevent needing the policy in the first place.
If you do have these policies and procedures in place, make sure that they are checked and tested regularly, and if you have to use them, update them with any lessons learned from an actual event.
Also make sure that everyone who might need to be involved in the event of a cyber attack knows where these policies are, and how to access them.
In conclusion
Cybersecurity risks are unique to each organisation, and the risk profile of HEIs will also vary between institutions. By taking a collaborative approach to understanding and mitigating risk, you can take some simple yet effective steps to mitigate your actual risks, and help to keep your data safer, and the costs associated with dealing with a breach to a minimum.
Hear more from Vicki Bowles by watching back OnDemand the third and last session of our Higher Education autumn webinar series. Vicki, alongside Elizabeth Dunford and Alex Potts, Chief Privacy Officer at UCL, covered practical actions and processes you can put in place to help protect your data, systems, IP, and knowledge from:
- Cyber Attacks
- Joint partnerships and international collaborations
- International Data Transfer risk
Watch the webinar here HE Spring Webinar Series: Cyber security, data protection and IP for higher education institutions – practical tips to mitigate risk.
Vicki is also happy to chat through any specific concerns or issues you may have around cybersecurity, and how we might be able to help.