Just as Australia enters its antipodean winter months, the University of Sydney has received a frosty reception to its latest efforts to identify real or possible conflicts of interest within its research student body.

The university has taken a broad-brush approach by asking all master’s and PhD students to fill out a new form which requires them to declare any relationships or activities, whether financial or otherwise, with any organisations inside or outside of Australia which could be considered “broadly relevant” to their research. So far so normal; many universities, professional bodies and businesses check for conflicts of interest, and with Australia’s recent targeting of foreign interference and research links to overseas universities, it is understandable that the University of Sydney wishes to protect the integrity of its research.

The main issue being taken with this form is the further requirement for research students to also declare “personal relationships” which are relevant to their areas of study. Examples of relationships the university wants to be informed of include de facto partners, sexual partners and ex-partners, with the possibility of disciplinary action being taken against students who are found to have not made complete disclosures.

Part of the reason why Australian privacy campaigners are rallying against this form - as well as the possibility of putting prospective students off studying at the university - is because of the country’s lack of redress when it comes to breaches of privacy: should a person’s form be part of a data breach, there would be no avenue for the student to sue for this potentially embarrassing or damaging information getting out. As staff at the University of Sydney also complete a similar form, it would be interesting to hear the faculty’s thoughts on whether they feel that any disclosures they have made have impacted their professional advancement. Has the university’s questioning given rise to personal discrimination and favouritism outside of its official remit of identifying conflicts of interests? It would be difficult to ascertain a definitive answer, but it is certainly a risk for any body that requires such personal information.

The situation in Sydney is not unique: we have seen these broader conflict of interest questions being asked of employees here in the UK in an attempt to prevent conflicts and appearances of favouritism in a range of sectors, from who gets put forward to promotion to which organisations are chosen to supply goods and services.

From a data privacy perspective some of the data being processed as part of these checks will be “special personal data” according to the UK GDPR, with “data concerning a natural person’s sex life or sexual orientation” being labelled as such by Article 9. So where an organisation is asking for disclosures of this nature, it will need to identify an Article 9 basis for processing as well as one of the usual Article 6 bases. This would be very difficult to do without the organisation being subject to some kind of legal obligation or substantial public interest requirement to process this type of data.

This difficulty has not prevented some employers from asking these questions, with organisations putting in place risk mitigation measures in order to defend themselves should a data subject complain to the regulator that their data is being processed unlawfully. Crucially, recording these mitigation measures in a data protection impact assessment (“DPIA”) will provide evidence of thought to a regulator.

As well as data privacy concerns, this sort of invasive and possibly very personal questioning could cause friction with fundamental human rights (e.g. Article 12 of the Universal Declaration of Human Rights, that in the UK we know as Article 8 of the Human Rights Act 1998) i.e. the right to respect for a private and family life. Does demanding information of this sort for the avoidance of conflicts of interest breach such a right, especially when there is a risk of some sort of punitive action hanging over the head of someone who does not fully open up about any and all relationships which an organisation may link to their profession/research/work? Another risk to ponder.

If an organisation wishes to identify and protect itself from conflicts of interests, thought must be given to where lines in its questioning are drawn, as the more in-depth the checks are, the more likely it is that individuals will push back or not give full answers. For example, what kinds of relationship does the organisation want to be disclosed as potentially relevant? Does it wish to know about everything from family ties, to friendships to mere dalliances, or would a lighter touch approach suffice to limit the risk of exposure to conflicts, both of interest and with the individuals making the disclosures. As well as the who and the what, an organisation should also give thought to a time-based cut off for relevant relationships – e.g. those with whom the individual has held a relationship within the last 5 years, with all previous relationships being considered non-material regardless of their nature. Also, it will need to recognise that processing such information lawfully is a high hurdle to jump. However, the risk of severe action being taken (and your organisation featuring in the press!) can be reduced by documenting the need to process this information, and the steps taken to protect it.