The branch has received multiple concerns from members about the introduction of the MyEngagement student tracking software. Several of our colleagues have been trying to work with the team who are rolling it out, but the results have not been reassuring.

The university has established information governance processes which include the need to agree a Data Protection Impact Assessment with a panel the university has constituted for this purpose. It is our understanding that this panel has not yet received appropriate information about the MyEngagement project to be confident that the University is meeting its legal responsibilities regarding the handling of personal data. It is also important to conduct an equality impact assessment before rollout to ensure that we comply with the public sector equality duty; we have been unable to find evidence that any characteristics other than disability have been addressed.
[https://www.equalityhumanrights.com/en/advice-and-guidance/public-sector-equality-duty]

Advice for staff

The staff interface allows any member of staff who teaches or has tutees to view detailed information about every student in the university. Not only is this unwise, and likely of concern to students, it also puts colleagues at risk.

In a recent disciplinary case of alleged misconduct, one of the matters alleged was that our member “displayed his work emails/ Teams chat on the main screen in front of the students”. Even though no specific confidential items were alleged to have been shown, this was claimed to be a violation of the compulsory GDPR training he had received. Sadly, the situation with the MyEngagement staff interface is much worse; we understand it immediately displays personal student information when it is opened.

For now,  is essential that you only access the MyEngagement software in private and where you cannot be overlooked. Do not use the software during any sort of student contact. You should not risk trying to access the per-session codes (numeric or QR) during student contact.

We have been told that this problem will at some future time be addressed by the supplier.

The university has issued dangerous advice about this problem in the MyEngagement – Getting started guide for academics and administrative staff guidance at:
https://sotonproduction.service-now.com/serviceportal?id=kb_article_view&sysparm_article=KB0082925#mcetoc_1hbqnv88a6
It contains a section How to change the default home screen when you log into SEAtS. We have tested this advice and found that the system stores the new Landing Page preference in a local browser cookie; it is not saved to the underlying server. The consequence is that, when you next access SEAtS from a fresh browser instance with new cookies, it reverts to the old dangerous landing page.
Do not rely on this “fix”.
Since we first posted this warning, the knowledge base article has  been corrected by adding the phrase “Please note that changing this settings sets a cookie in your browser. This means that the filter may need to be set up again if that cookie expires or is not available on the computer you are using.”
Sadly, the article still contains the misleading phrase “This means that if you load up the SEAtS website in public, there is no danger of displaying that information to others” which is not true as the first indication most users will get that their cookie has gone is the display of the original landing page with student details. Users will not be able to restore the cookie without first visiting this page.

If you do accidentally find yourself showing personal information to students by using the software in front of them, you are required to report it using this form:
[https://sotonproduction.service-now.com/serviceportal?id=sc_cat_item&sys_id=c8b9f388db769b006f3df57eaf96193d]
You might want to consult a UCU caseworker before filling it out; UCU members can obtain a caseworker by emailing ucu@soton.ac.uk.

It is possible that you would be committing a data breach merely by viewing the MyEngagement landing page yourself. If you are worried about this, you should instead be able to request QR and numeric session codes by emailing aem2023@soton.ac.uk.

You should already be aware that, while you are enabled to access personal information about all our students, you are only permitted to do so on legitimate university business. The lack of role based access controls also makes the overall system vulnerable to accidental changes by individual colleagues; it seems that each of us can change, create, or delete any module in MyEngagement.

Please let the UCU Branch know if operating the MyEngagement system generates significant additional workload for you. There are manual “over-rides” that allow staff to add individual student attendances to the system; if this facility is used extensively, it is likely to create a considerable additional burden on colleagues.

We would also warn you not to offer students any assurances about the privacy of their data or the security of their devices in connection with MyEngagement.
Refer them to the student hub at studenthub@soton.ac.uk.

Advice for students

It is our understanding that participation in this system is optional for students who are not subject to Home Office visa monitoring. If you are not required to use MyEngagement, you might prefer not to do so.

Many of us are uncomfortable with the installation of tracking software on our personal devices. There is the risk that it might compromise the use of other personal software, it might leak information about us to third parties, or it might lead to financial loss through banking applications. As an example of what can happen, Android users who installed the Teams app. have had had difficulty making emergency calls.
[https://www.theregister.com/2021/12/09/android_911_teams/]

Our ideal choice would be to obtain a cheap Android device to use exclusively for MyEngagement. We are told that the version of SEAtS used at Southampton does not need an actual phone and will run on a basic internet-connected “tablet” running Android version 5 or later; there is no need for Bluetooth or GPS support. Once you have identified an appropriate device, confirm with the student hub that it is supported by emailing studenthub@soton.ac.uk. Keep it turned off when you are not using it to register your attendance, to discourage it from accumulating tracking data via GPS or local WiFi hot-spots.

It is possible that the university might be required to pay for this device. Many of the protections for students are matters of consumer law; this is one of the effects of “marketization”. It seems likely that it is unlawful for the university to force students to pay for an Android/Apple device for the purpose of installing the app:

other extra costs you are likely to incur, for example field trips, bench fees or studio hire. Universities should also indicate how much these extra costs are or are likely to be. Where they are unknown or uncertain, universities should set out how they will be calculated and whether they are optional or mandatory for undertaking or passing the course.
[https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/415732/Undergraduate_students_-_your_rights_under_consumer_law.pdf]

[This blog was updated on 2023-10-02 to accommodate recent changes in staff access.]
[It was further updated on 2023-10-04 to insert additional information.]
[Yet another update was on 2023-10-06, clarifying the risks of changing your default landing page.]