Welcome to the spring 2023 edition of Higher Education Today, looking at current topics and questions facing higher education.

In each edition we feature content from key members of our Higher Education legal and regulatory team. If you would like further details about these individuals or information about the wider Higher Education team please see our Higher Education brochure.

Following on from our #WednesdayWebinar series in March 2023 we are delighted that in this edition some of the presenters have shared their thoughts and follow-ups with HE Today.

We hope you find the newsletter interesting and helpful.

Virginia and Ashley
Joint Department Heads for Higher Education

Battening down the hatches: Universities and cyber attacks

Higher Education institutions have increasingly become targets of cyber attacks in recent years, with attackers seeking to access sensitive data such as student and faculty personal information, research data, financial data, and intellectual property. These attacks can be costly in terms of time, money, and reputation, and can disrupt the normal functioning of the institution.

A survey published in 2022 by the DCMS government department of over 70 higher education colleges and institutions found that 88% of further education colleges and 92% of higher education colleges had identified cyber security breaches or attacks in the previous 12 months, with phishing attacks the most prevalent.[1] The scale and prevalence of cyber attacks within the higher education community reflects the high level of concern expressed by attendees at Bevan Brittan’s recent webinar on key data issues within higher education. In our snap poll taken during the session, nearly all attendees indicated that they were very concerned that their institution may be at risk of a cyber attack in the next 12 months.

During the session, presenters Lizzie Dunford, Senior Associate in our IP/IT Team, and Ben Pumphrey, Senior Associate in our Information Law Team, highlighted key steps for Higher Education institutions to take steps to prevent and protect their networks from cyber attacks, including:

  1. Keeping software and systems up to date: make sure that all of your systems, including your operating system, software applications, and antivirus software, are up to date with the latest security patches and updates.
  2. Use of strong passwords: ensure that your password policy requires all users to apply passwords that are difficult to guess, and to use two-factor authentication whenever possible.
  3. Training staff: educating staff and students about the risks of phishing attacks, malware, and other types of cyber threats, and provide regular training and awareness programs.
  4. Limiting access to sensitive data: restrict access to sensitive data to only those who need it, and make sure that everyone who does have access understands the importance of protecting it.
  5. Backing up your data: regularly back up all important data to a secure offsite location, and test your backups regularly to make sure that you can restore them in the event of a disaster.
  6. Developing an incident response plan: Develop an incident response plan that outlines how your institution will respond to a cyber attack, including who will be responsible for what, how you will communicate with stakeholders, and how you will recover from the attack.
  7. Getting to know your digital estate: ensuring that your institution has a clear idea of which systems play into its digital estate and, crucially, which are processing data (including personal data). This includes working with IT teams to put in place processes in place to restrict the purchase of shadow IT.

Ben and Lizzie also highlighted the role that your legal team and external legal counsel can provide in helping organisations respond to a cyber attack, including:

  1. Providing legal advice: Lawyers can provide legal advice on a range of issues related to the cyber attack, including data breach notification laws, regulatory compliance, and potential liability.
  2. Coordinating with law enforcement: Lawyers can coordinate with law enforcement agencies on behalf of your institution, including ICO, National Cyber Security Centre, police and other agencies.
  3. Conducting a legal review: Lawyers can review your institution's contracts, insurance policies, and other legal documents to identify any provisions that may be relevant to the cyber attack response.
  4. Managing communications: Lawyers can help manage communications with internal and external stakeholders, including students, faculty, staff, and the media.
  5. Conducting an investigation: Lawyers can conduct an internal investigation to determine the scope and impact of the cyber attack, identify the source of the attack, and assess the adequacy of your institution's security measures.
  6. Developing a response plan: Lawyers can work with your institution's leadership to develop a comprehensive cyber attack response plan that addresses legal, technical, and communication issues.

For more information about cybersecurity, data protection, and data breach response please contact Ben Pumphrey and Lizzie Dunford.

[1]              Educational institutions findings annex - Cyber Security Breaches Survey 2022 - GOV.UK (www.gov.uk)

Back to top

Building and fire safety in Higher Education – is your University compliant?

The Building Safety Act 2022

The Building Safety Act 2022 (“BSA”), published almost a year ago but most coming into force later in 2023, takes forward the Government’s commitment to fundamental reform of the building safety system, with the aim to improve structural safety and the risk of fire spread in and around buildings by ensuring there is greater accountability and responsibility for fire and structural safety issues throughout the lifecycle of buildings.

Some of the BSA applies to all buildings but the key parts causing most clients concern apply to any building above 18m / 7 storeys with at least 2 residential units, known as higher-risk buildings. This includes any student accommodation and other higher education accommodation meeting the height threshold. 

Starting from April this year, and with a deadline of October, higher-risk buildings need to be registered with the Building Safety Regulator. As part of the process, key building information will need to be provided to the Regulator, which is likely to include information about the materials and fixtures used in certain parts of the building (e.g. roof and external walls).

During construction of new higher-risk buildings or building work to existing higher-risk buildings, the BSA is bringing into force a new gateway system, where fire and structural safety must be evidence before planning permission is granted (this requirement is already in force), before construction and before occupation. There are also new requirements for a golden thread of building information to be collated and new duties on all parties involved in the construction to ensure fire spread and structural safety requirements are met, similar to the duties in the Construction (Design and Management) Regulations 2015.

For occupied buildings, the ‘Accountable Person’ (usually the person who owns the legal estate or has repair obligations for common parts) will have ultimate responsibility for ensuing the requirements of the BSA are complied with, including registering the building, identifying risks and required control measures, preparing a safety case, and providing a resident engagement strategy and complaints procedure.

The Regulatory Reform (Fire Safety) Order 2005

The BSA works alongside existing fire safety legislation, namely the Regulatory Reform (Fire Safety) Order 2005 (“FSO”). The FSO applies to commercial premises and the common parts of residential premises and places duties on the ‘Responsible Person’ in relation to the overall fire safety of buildings (not just the risk of fire spread). For workplaces, the Responsible Person is usually the employer, and for residential buildings, the person(s) in control and anyone with duties for repair, maintenance or safety of common parts.

The FSO was amended in 2021 to clarify that the common parts of residential buildings include the structure and external walls of the building, including cladding, balconies and windows; and entrance doors to individual flats that open into common parts.

It was updated again in 2022 by the Fire Safety (England) Regulations which came into force on 23 January 2023 and to require Responsible Persons in multi-occupied residential buildings to take specific additional actions depending on the height of the building.

What do you need to be doing?

It is important that all Higher Education providers assess their estates to identify 1) whether they have any building in scope of the BSA and if so, 2) who the Accountable Person and Responsible Person is and 3) how those building are constructed and whether they pose any risks in relation to structural safety or fire spread.

Identifying the Accountable Person / Responsible Person can be difficult in multiple-occupancy buildings (multiple faculties, or buildings shared by the University and other organisations) and there can often be more than one party that shares the role.

Dealing with combustible cladding and other fire safety defects

Where there is combustible cladding on a building, a fire engineer will need to be appointed to assess the risk, but in many cases it will need to be removed. Where there are other fire safety defects, they will need to be assessed as part of a fire risk assessment of the building under the FSO, but in most cases remediation will be required. Prior to remediation work, temporary fire protection measures may need to be implemented, such as installing sprinklers, reducing building occupancy, or a waking watch.

Where there is combustible cladding or other fire safety issues, how remediation is funded is a key concern. The first consideration should be the original construction contract or warranties and wherever possible bringing a legal claim for breach of contract against the original contractor, sub-contractor or design consultants.

Other options for cost recovery include claims under the Defective Premises Act, which will cover the most serious defects and for which the limitation period has now been extended to 30 years for existing buildings, as well as new options introduced by the BSA including Remediation Orders, Remediation Contribution Orders and Building Liability Orders. We are likely to see a lot more applications for these types of order, particularly where a claim against the original construction contractor is not viable (e.g. if they are insolvent) as it allows an organisation to look to the original developer, and to their wider group companies for recovery of costs, which in some cases can be into the millions.

Accommodation is a major source of revenue for many higher education providers and so closing such buildings may not be an attractive suggestion, but likewise there may well be pushback from stakeholders being asked to fund improved safety measures. It is key that this is carefully managed so that issues can be identified and proportionate measures implemented to control the risk.

If you have any queries about the Building Safety Act 2022 or about health and safety more broadly, please contact Louise Mansfield.

 Back to top

Green Ink Drafting: how University legal teams can support the green agenda

Green ink legal drafting is the idea that legal drafting can help address climate change.

This idea is at the heart of The Chancery Lane ‘Change Precedents, Change the World’ Project which provides lawyers with wording that can be incorporated into higher education contracts to have a positive impact now, and in the future on the environment and the fight against climate change.

What is the Chancery Lane Project?

It is a collaborative project amongst lawyers around the world to develop contract clauses that integrate climate change into the heart of transactions. It is a great way to deliver on the net zero and support the carbon cutting ambitions of your Higher Education institution.

How do I / my legal team get involved?

It’s easy. The clauses are practical, easy to use and ready to integrate into agreements in all disciplines. You can either use them as they are or tailor them to your needs.

Put sustainability front and centre in all the contracts you enter into.

Perhaps your driver is the reduction of emissions through your supply chain and in the next supply agreement you could include the clause to engage the supplier to ensure produce is not wasted throughout the food chain.

Or, for example, a property agreement within which you could use the clause requiring landlords to act reasonably when tenants propose alterations that have a positive climate impact.

The Chancery Lane Project breaks down 50 model clauses by sector and practice area, to make them easy to find and easy to use. This provides you with a menu of practical steps to help your partner organisations transition to net zero.

The Project also provides a Net Zero Tool Kit to help you understand the concepts and how you might integrate them into your legal drafting.

How can I find out more?

You can visit The Chancery Lane Project website.

Or pick up the phone to Harriet Murray Jones who would happily provide you with more information.

Back to top

Higher Education Webinar series

If you missed our higher education #WednesdayWebinar series in March, please find the recordings here:

Back to top

Say hello to us

Our Higher Education team is attending and speaking at a number of in-person and online events over the next few months, please follow the link for details. If you are also at these events, please come and say hello to us.

Back to top

If you would like to discuss any of these topics in more detail, or to find out how we can help your organisation, please contact our Higher Education team.

You can subscribe to receive this newsletter directly in your inbox via subscriptions@bevanbrittan.com

Our use of cookies

We use necessary cookies to make our site work. We'd also like to set optional analytics cookies to help us improve it. We won't set optional cookies unless you enable them. Using this tool will set a cookie on your device to remember your preferences. For more detailed information about the cookies we use, see our Cookies page.

Necessary cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytics cookies

We'd like to set Google Analytics cookies to help us to improve our website by collection and reporting information on how you use it. The cookies collect information in a way that does not directly identify anyone.
For more information on how these cookies work, please see our Cookies page.