UK Web Focus (Brian Kelly)

Innovation and best practices for the Web

  • Email Subscription (Feedburner)

  • Twitter

    Posts on this blog cover ideas often discussed on Twitter. Feel free to follow @briankelly.

    Brian Kelly on Twitter Counter

  • Syndicate This Page

    RSS Feed for this page


    Creative Commons License
    This work is licensed under a Creative Commons Attribution 2.0 UK: England & Wales License. As described in a blog post this licence applies to textual content published by the author and (unless stated otherwise) guest bloggers. Also note that on 24 October 2011 the licence was changed from CC-BY-SA to CC-BY. Comments posted on this blog will also be deemed to have been published with this licence. Please note though, that images and other resources embedded in the blog may not be covered by this licence.

    Contact Details

    Brian's email address is You can also follow him on Twitter using the ID briankelly. Also note that the @ukwebfocus Twitter ID provides automated alerts of new blog posts.

  • Contact Details

    My LinkedIn profile provides details of my professional activities.

    View Brian Kelly's profile on LinkedIn

    Also see my profile.

  • Top Posts & Pages

  • Privacy


    This blog is hosted by which uses Google Analytics (which makes use of 'cookie' technologies) to provide the blog owner with information on usage of this blog.

    Other Privacy Issues

    If you wish to make a comment on this blog you must provide an email address. This is required in order to minimise comment spamming. The email address will not be made public.

How is the Higher Education Sector Responding to the Forthcoming Cookie Legislation?

Posted by Brian Kelly on 16 Apr 2012

A post published in February recommended Next Steps In Addressing Forthcoming Cookie Legislation and described how the sector can benefit by sharing approaches on how institutions are responding to the cookie legislation, which comes into force on 26 May.

In order to help identify the ways in which institutions are advising visitors to their web sites on institutional policies on cookie usage a summary of interesting highlights from privacy policies provided by Russell Group Universities (which were surveyed in a post on Privacy Settings For UK Russell Group University Home Pages published in May 2011) together with a number of other universities who provided institutional details to a Google Spreadsheet on UK HEI Privacy Policies is given in the following table.

Note that the information provided in this table given below was collected on 13-16 April 2012.

Ref. No. Institution Privacy Policy Linked from
Home page?
1 University of Aberdeen Privacy statement Y Introduced by stating “This policy explains what information is gathered from web clients visiting the University of Aberdeen’s central web server, and how that information is used.
2 University of Aberystwyth Cookie Policy Via link to Terms and Conditions Explains cookies in plain language and describes use of cookies for “(1) To retain the language choice and user type as defined on the Preferences page and (2) To collect detailed web site usage data
3 University of Bath Privacy statement  Y Covers collection of personal data and use of email and online forms as well as use of cookies.
4 Bath Spa University Website terms and conditions of use  Y Provides detailed information on specific cookies. Explains why Google Analytics is used and how users can opt out.
5 University of Birmingham Privacy Y Has sections on What information is collected? and What we do with the information?
6 University of Bristol Privacy and cookie policy Y Has sections on Information that we collect from you and your use of this website; How we use your information; How we handle the data submitted by you; Links to external web sites and How to contact us. with additional link to Use of cookies on the University’s website page.
7 University of Cambridge Privacy policies for services  Y Provides links to privacy policy for specific services.
8 Cardiff University Privacy policy Y Explains how “Cookies are also used to compile general (not personal) site usage statistics. Cookies are not used to capture or store personal information for any other purpose.” and explains that “Other pages that are linked to from the main Cardiff University sites may have a separate privacy policy, including some Academic School, Research Centre and project-orientated websites“.
9 Cranfield University Privacy Via Legal link Explains how “The “Cookie” allows us to track visitors through the website but does not include any personally identifiable information. With most Internet Browsers, you can erase “Cookies” from your computer hard drive, block all “Cookies”, or receive a warning before a “Cookie” is stored.“.
10 Edge Hill University Privacy statement  Y Address data protection issues rather than use of cookies.
11 University of Edinburgh Website privacy policy  Y Has sections on Information that we collect from you; Use of your information; Storage of your information; Disclosure of your information and IP addresses and cookies.
12 University of Glasgow  Privacy statement  Via link to  Disclaimer Provides an explanation of cookies and describes how they are used with Google Analytics.  Describes how Google may use the information collected and explains how cookie can be disabled.
13 Imperial College  –  N  –
14 King’s College London Privacy statement Via link to Terms and Conditions of Use Has sections on How do we collect information?; What information do we collect?; How do we use this information?; Do we use ‘Cookies’?; How do we protect personal information?; Will we disclose the information we collect to outside parties? and Your Consent. Has link to detailed page on Cookie use at King’s College London.
15 University of Leeds Privacy statement Y Has sections on Purpose of this statement; Automated collection of personal information; Non-automated collection; Third-party access; Cookies; Google Analytics and Changes to this statement.
16 University of Liverpool  Personal information on the web  Via link to Legal, Risk & Compliance Has sections on What information is collected, and how is it used?; Cookies (including link to All About Cookies); Security and Requests for Access.
17 London School of Economics Terms of use  Y Section on cookies explains what they are; describes how the “Website does not use cookies to store personal data. Cookies are used to store a unique reference number for each visitor to the Website, which allows one visitor to be distinguished from another“; provides links to All About Cookies and, and states that “if a User sets up his or her browser to reject the cookie, he or she may still use the Website, although functionality may be impaired“.
18 University of Manchester  Privacy  Y States that “Some parts of The University of Manchester website use cookies for security purposes (eg to save the user from having to re-enter their details for every page in a section of the site). Cookies are not used to capture or store personal information for any other purpose, and all cookies are deleted as soon as a session is ended. You may choose to refuse cookies by disabling them using your web browser.
19 Newcastle University  – N  –
20 University of Nottingham Privacy  Y Has sections on Information we collect; How we may use the information; Cookies; Security Access Requests and Security.
21 University of Oxford  Privacy Policy  N Has sections on Information collected and How the information collected is used.
22 Queen’s University Belfast N  –
23 University of Sheffield Privacy Policy Y Has sections on Information we collect as you browse our web site; About Cookies; About Spotlight tags; Use of optional information; Future developments and Security.
24 Sheffield Hallam University  Privacy Policy Y Has sections on Use of information provided by visitors; Security; Cookies and Inaccurate data.
25 Staffordshire University  Protecting Privacy on Data Transmission over the Internet Via link to Legal Has sections on What information is collected and What do we do with the information?
26 University of Southampton Privacy Policy  Via link to Terms and conditions Has sections on Information the University May Collect From You; IP Addresses and Cookies (including link to All About Cookies ); Storing your Personal Data; Uses made of the Information; Disclosure of your Information and Access to Information
27 University College London  Privacy  Y Has links to Data Protection but not use of cookies.
28 University of Warwick Website terms and conditions Y The privacy statement explains “what types of personal information will be gathered when you visit the University of Warwick’s web site and how this information will be used. Please note that although Warwick’s web site provides links to other web sites, this policy only applies to the University’s web pages (ie. those ending in
29 University of West of England Legal Statements
Y Has information on What are cookies?; Which type of cookie does UWE use?; UWE cookies and personal information; Blackboard; Web metrics; Can I turn off UWE cookies? and What happens if I switch off UWE cookies?.
30 University of York Legal Statements Y The Privacy section describes use of cookies with Google Analytics.

Moves Towards Pragmatism

The approaches which are being taken appear to reflect the pragmatic guidance which has been provided recently.

The post on The Half Term Report on Cookie Compliance drew attention to the ICO’s Guidelines on the Rules on use of Cookies and Similar Technologies (available in PDF format) which seemed to appreciate the difficulties which institutions may face in implementing policies and practices which conform with legal requirements (“The Information Commissioner will take a practical and proportionate approach to enforcing the rules on cookies. He has to enforce the law, but he does have some discretion in how he exercises his formal enforcement powers“). The guidelines made clear the importance of making web site visitors aware of reasons why personal information is being gathered and used: “A key point here is ensuring that the information you provide is not just clear and comprehensive but also readily available“.

The emphasis on providing appropriate information rather than implementing technical solutions was highlighted last week in a post on Enforcement of cookie consent rules for analytics not a priority, ICO says published on, a Web site which provides legal news and guidance from Pinsent Masons, an international law firm. This article began:

The UK’s data protection watchdog is not likely to take action against the users of data analytics cookies on websites even if they fall foul of new EU rules on cookie consent, it has said. 

A statement from the ICO said:

… it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.

It should also be noted that the International Chamber of Commerce (ICC) UK has issued new guidance (15-page / 296KB PDF) on cookies. The guidance, which has been welcomed by the ICO, contains information on the different categories of cookies that website operators use and when consent to those cookies will be required to be obtained. From this document I learnt that:

The Government and the ICO have said that browsers will be an important part of giving users the increased access

It seems that the government does have an understanding of the need for technical privacy standards such as the W3C’s Tracking Protection Working Group which aims to “improve user privacy and user control by defining mechanisms for expressing user preferences around Web tracking and for blocking or allowing Web tracking elements“.

The ICC’s guidance document also helpfully defines four categories of cookies:

  1. strictly necessary cookies
  2. performance cookies
  3. functionality cookies
  4. targeting cookies or advertising cookies

The document adds that “we are keen to ensure that these categories do not become entrenched but rather evolve as industry discovers cookies that need more accurate categorisation” which again emphasis the realistic approaches which are being taken.

I might add that I suspect that concerns regarding privacy issues and c0okies will primarily focus on targeting cookies and advertising cookies, with cookies which are

  • strictly necessary “in order to enable you to move around the website and use its features, such as accessing secure areas of the website“;
  • performance cookies which “collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages” and
  • functionality cookies which “allow the website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features

will not be the prime area of concern for the ICO (although I should add that IANAL) .


Note click for enlarged view of University of Sheffield’s Privacy Policy

When I started writing this post I was intending to comment on the patterns which we can see starting to develop. These include:

  • The ways of addressing privacy policies in a very distributed environment, as can be seen in the approach taken at the University of Cambridge.
  • The detailed technical information about specific cookies which is being provided at institutions such as Bath Spa and King’s College London.
  • The commonly used sections provided in Privacy policy pages such as the Privacy Policy at the University of Sheffield, which is illustrated.
  • The ways in which use of Google Analytics is documented, such as can be seen at Bath Spa and the University of Leeds.
  • The ways in which users are advised to disable Google Analytics, such as can be seen at the University of Glasgow.
  • The popularity of the All About Cookies service for further information about cookies.

However in light of ICC’s guidance document and its endorsement by the ICO it does occur to me that it would be useful for institutional privacy policies to make use of the language provided in this document. This suggestion might be particularly relevant for those institutions which do not appear to provide a privacy policy which can be easily found from the institution’s home page!

At the IWMW 2012 event, to be held at the University of Edinburgh on 18-20 June, Claire Gibbons (University of Bradford) and John Kelly (JISC Legal) will be running a 90 minute session on Responding to the Cookie Monster. I wonder if the cookie monster will turn out to be not as scary as we first feared?

Twitter conversation from Topsy: [View]

10 Responses to “How is the Higher Education Sector Responding to the Forthcoming Cookie Legislation?”

  1. [The links to the first few institutions are wrong]

  2. […] post entitled How is the Higher Education Sector Responding to the Forthcoming Cookie Legislation? has been published on the UK Web Focus blog which summarises work in advising the UK’s […]

  3. Just wondered why you have The University of the West of England link as ‘legal statements’? There is no mention of this on the page or link

    There is Privacy : and Cookie policy (recently updated)

  4. katheross said

    You have some spam in here (see Gilets for Also the Bath Home page (revised perhaps?) does not appear to link directly to the Privacy policy as indicated but I did find it under About.

  5. […] taken advice from e-Consultancy (of which we are Silver members), BoagWorld, Brian Kelly (of course!), JISC Legal, Precedent, and colleagues around the sector who have been kind enough to […]

  6. […] I Welcome The Go… on How Should UK Universities Res…C Day – T minu… on How is the Higher Education Se…The art of discovery… on Guest Post: Web archives: more…Resume Companion on The […]

  7. […] taken advice from e-Consultancy (of which we are Silver members), BoagWorld, Brian Kelly (of course!), JISC Legal, Precedent, and colleagues around the sector who have been kind enough to […]

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: