A news report earlier this month that UCAS, the Universities and Colleges Admission Services, has been selling access to student data to advertisers such as Vodafone and O2 for £12 million drew widespread criticism in the UK – particularly from students. But the details about what UCAS’s activities amount to in practice, and whether they in fact warrant such concern, have been somewhat lost amid the fevered response, even if the story does raise wider questions about privacy and consent in the age of digital media.

The original Guardian article in which the claims about UCAS were made stated that the non-profit organisation makes money through “sales of the emails and addresses of subscribers”. However, a correction published on the paper’s website last week made an important clarification. It explained that: “Ucas does not sell that [email and address] data, but sends targeted advertising to subscribers who do not opt out.” Essentially, therefore, it would appear as though what UCAS is doing is the same as any other online business – namely, asking students’ permission to send them emails for products that are likely to appeal to them.

What expectation of privacy should we have online?

This still might not be desirable – especially if, as the UCAS website indicates, students forfeit their ability to receive education- or job-related emails if they do not also allow advertisers to contact them – but it’s rather different from “selling access to student data”. It seems as though, in reality, UCAS keeps a single copy of its student database (which more than a million students have consented to be a part of), and then forwards emails to certain sections of that database on behalf of advertisers.

Nevertheless, in the context of a growing international debate about online privacy, concerns about how companies access and use our data are to be expected. A spokesman for the Information Commissioner’s Office said it was crucial for people to be informed. “Where a company wants to use that information for marketing,” he said, “it should be clear from the outset, and ensure it has the individual’s consent, which must be freely given, specific and informed.”

Robert Sharp, Head of Campaigns at English PEN, a human rights charity campaigning against mass surveillance, says it becomes a problem when we don’t have control, or even knowledge, of the information that’s held about us.

“The fact that people post reams of data to Facebook is often given as an excuse for companies trading in our personal data, our online activity and our commercial activity,” he says. “But there’s a huge conceptual difference between data we can control and delete, and data stored in a computer record we do not have access to. Opting out of Facebook may be socially difficult, but anyone can do it in a matter of moments. Likewise, opting out of the Nectar Card programme is as simple as cutting the purple card in half. But opting out of a database that you do not even know you are on is a much harder proposition.”

It’s certainly true that, whether we like it or not, we give away personal information all the time online. But we’re never forced to do so, and have full responsibility for our own data. Going back to the UCAS story, critics have been quick to voice their concerns, and as Sharp explains, “if UCAS have explicitly violated their own terms and conditions (…) they must be held to account.”

“But is that what is happening?” he asks. “It may be that users have unwittingly consented to their data being sold by not reading the terms and conditions properly. In this situation, it’s hard to blame UCAS for trying to make a bit of money to fund its charitable work! At least now the issue is in the open and everyone will be more careful.”

Although the UCAS scandal turned out to be less of a story than initially reported, it joins tens of recent reports on privacy breaches and raises concerns about how much control we hold over our personal information. The fact that UCAS was ‘within the law’ does not necessarily make it right. Why does the law allow companies to sell access to some of our personal data? Should it be any different?