What information do students need about the use of their data for learning analytics? When should students be asked for their consent for this? How is it best to obtain that consent? What happens if a student wishes to opt out?
Consent continues to be one of the main concerns for universities and colleges when thinking about deploying learning analytics. We covered some of the issues in a podcast last year, but it has become clear that what institutions really need is concrete guidance on how to deal with these questions.
After talking to Andrew Cormack, Jisc Technologies’ Chief Regulatory Officer, I’ve put together the following guidance. This should not be taken as legal advice; we would welcome commentary from others who have been considering these issues.
The Data Protection Act
The UK Data Protection Act 1998 (DPA), based on the EU’s Data Protection Directive, has set the context for data collection and use from a legal perspective for nearly 20 years. Institutions should already have in place policies for processing the personal data of students, ensuring compliance with the DPA.
In order to process personal data, one or more of a set of legal conditions must be met. Obtaining the free, informed consent of the individual is one of these. However, there are two other conditions which may be relevant in the case of learning analytics. Processing can also be justified on the basis that:
- It is necessary in relation to a contract that the student has entered into, or
- The processing is assessed as being in the “legitimate interests” of the organisation
Taking a course can be regarded as the student entering a contract. To fulfil this contract, the university or college needs to process certain data, such as the student’s name, date of birth, address, and the modules they are taking. Particularly where modules are delivered digitally, activity records may be a necessary part of providing the contracted service, or kept as part of the organisation’s legitimate interest in ensuring that systems and resources are not misused. If, in addition, students are invited to submit records of the hours they spend studying, for example, this could be based on their free, informed consent.
When processing relies on legitimate interest as its justification, the law provides additional protection by requiring that the interests of the institution be balanced against any risk to the interests of the individual. Individuals whose circumstances involve an increased risk may request an assessment of this balance in their own case (and the exclusion of their data from processing). To satisfy this balancing test, processing should be designed to minimise the impact on individuals. Learning analytics may, for example, help to identify improvements that can be made to a course. That could be regarded as being in the legitimate interests of the organisation, benefiting both current and future cohorts without affecting the rights or freedoms of any individual, and thus satisfying the balancing test.
European data protection regulators have explained that a single transaction may involve processing under several different conditions, and that trying to squeeze these into any single condition may actually weaken the protection of the individuals concerned. The data and processing involved in learning analytics may require using different conditions for the stages of data collection, data analysis, and individual intervention.
Sensitive personal data
Data which is of a more sensitive nature is defined separately in the law and is subject to additional protections. This includes attributes such as a person’s religion, ethnicity, health, trade union membership or political beliefs. Some of these may be irrelevant for learning analytics and can be ignored (or perhaps should be ignored from an ethical perspective). However, if it is identified that people from a particular ethnic group, for example, are at greater academic risk, then there is a strong argument that it could be justified to use that characteristic in the predictive models in order to target additional support more effectively.
In the case of sensitive data, the legitimate interests of the organisation cannot be used as the justification for processing. In practice, the only available justification is likely to be the explicit consent of the individual. The student should also be told exactly what the data will be used for: they have the right not to provide this data, or to have it excluded from any particular type of processing.
The forthcoming EU General Data Protection Regulation
The Data Protection Act 1998 and other national legislation in EU member states will be replaced imminently by the General Data Protection Regulation (GDPR). This will apply across the whole EU and will not be customised for individual countries as with the previous legislation. The UK Government has stated that it expects organisations to comply with the GDPR when it comes into force on 25th May 2018, irrespective of the UK’s plans to leave the EU.
The GDPR will continue to allow data processing to be carried out, as at present, on the basis of the legitimate interests of the organisation, or if it is necessary for the performance of a contract with the data subject.
Using consent as the basis for processing under the GDPR
However, if consent is used as the legal basis, the GDPR attaches new conditions. It requires a clear, affirmative action; pre-ticked boxes, for example, would not be sufficient. A record must also be kept of how and when the consent was provided. In addition, students will have the right to withdraw their consent at any time. The GDPR also strongly disapproves of attempts to obtain “consent” as a condition of providing a service.
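Purely as an illustration of what this record-keeping requirement might involve, the sketch below models a minimal consent record that captures when and how consent was given and supports later withdrawal. All names here (ConsentRecord and so on) are hypothetical, not part of any institutional system or standard:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

@dataclass
class ConsentRecord:
    """Hypothetical record of one student's consent for one processing purpose."""
    student_id: str
    purpose: str       # e.g. "personalised intervention"
    mechanism: str     # how consent was given, e.g. "web form" (not a pre-ticked box)
    given_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    withdrawn_at: Optional[datetime] = None

    def withdraw(self) -> None:
        # The GDPR gives students the right to withdraw consent at any time,
        # so withdrawal is recorded rather than the record being deleted.
        self.withdrawn_at = datetime.now(timezone.utc)

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None

record = ConsentRecord("s1234", "personalised intervention", "web form")
assert record.active          # consent currently in force
record.withdraw()             # student changes their mind
assert not record.active      # processing on this basis must now stop
```

Keeping the withdrawal timestamp, rather than deleting the record, preserves the audit trail of how and when consent was given and later revoked.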
One challenge with using consent as the legal basis for learning analytics is that the request must make explicit to the student all the consequences of either providing or withholding their consent. This is perhaps not really feasible or fair when asking students to sign a document on the first day of their course.
A second issue with using consent as your basis for data collection is that – because of the requirement to fully explain the consequences – at the moment you request consent you freeze the activities to which that consent can apply. New types of analysis or intervention cannot be added if they were not envisaged at the time consent was obtained. Given the rate of development of learning analytics, this may prevent both organisations and students obtaining its full benefits.
A hybrid approach: using “legitimate interest” for analysis and consent for intervention
Andrew has argued in his paper “Downstream Consent: A Better Legal Framework for Big Data” that a hybrid approach is the best way forward. This treats collection, analysis and intervention as distinct stages under data protection law. We don’t need to request additional consent for most of the data collection if it is “data debris” that is being collected lawfully anyway, e.g. the log files in a virtual learning environment (VLE). We can use legitimate interest as the justification for further analysis of the data, provided students are aware of this and it is done in ways that minimise the impact on individuals. This might include identifying groups, or patterns of experience or behaviour, that might benefit from a specific intervention or different treatment.
What we will need, though, is consent from students to intervene on the basis of these analytics, since here the intention is to maximise the (beneficial) effect on the individual. By postponing this request to the time when specific interventions are known, we will be in a much better position to explain to the student the consequences of granting or refusing their consent.
Over time, it seems likely that learning analytics processes currently regarded as add-ons will become an integral, normal and expected part of how education is conducted. I have argued this in a blog post entitled “Extreme learning analytics”. If (or when) students contract with universities or colleges for a personally tailored education, much of this collection, analysis and intervention will change from a legitimate interest of the organisation to a necessary part of its contract with the individual.
Note: There have been some suggestions that the Information Commissioner’s Office (ICO) may class universities and colleges as “public authorities” for the purposes of the GDPR, in which case they may be prohibited from using legitimate interests for some activities. If this were to occur, the alternative justification that those activities are “necessary for a task in the public interest” could be used instead, though this condition involves no balancing-of-interests test and so provides less protection for individuals and their data.
Privacy notices
Before any personal information is collected, organisations must inform individuals of all the purposes for which it will be used, who (if anyone) it may be disclosed to, and the individual’s rights. These privacy notices (also known as fair processing notices) are required so that individuals know what processing will result from their decision, e.g. to become a student. The privacy notice is distinct from any request for consent; indeed, it is required even when consent is not the basis for the processing. See the ICO Guide on privacy notices.
Institutions should already have a privacy notice, which will describe the data required for a student to study there. Text should be added to this which explains what additional purposes learning analytics may be used for – for example to improve the provision of education and to offer personalised recommendations – and declare these as secondary purposes of processing.
The notice may refer to more detailed policy documents such as an institutional learning analytics policy and student guide – see examples. These should explain the measures taken to protect students, staff and their data, and the circumstances in which consent will be sought.
Unlike the collection and processing of data, taking interventions with students on the basis of the analytics will require their explicit consent. A common example would be for a personal tutor to contact a student who appears unlikely to pass a module, in order to see if anything can be done to help. Students could be enabled to opt in to such interventions via a web-based form, or to refuse interventions at the time they are offered. They will also need the opportunity to opt out subsequently if they change their minds. The consequences of opting in or out must be explained to them.
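As a rough sketch of how such opt-in, opt-out and per-offer refusal could fit together, the hypothetical class below tracks which intervention types a student has consented to. The class and type names are illustrative assumptions, not any real institution's implementation:

```python
class InterventionPreferences:
    """Hypothetical per-student record of which intervention types are permitted.

    Students opt in via a web form, may opt out again later, and an
    intervention is only permitted while an opt-in is in force.
    """

    def __init__(self) -> None:
        self._opted_in: set[str] = set()

    def opt_in(self, intervention_type: str) -> None:
        # e.g. the student ticks "tutor contact" on a web-based form
        self._opted_in.add(intervention_type)

    def opt_out(self, intervention_type: str) -> None:
        # the student changes their mind; discard() is a no-op if never opted in
        self._opted_in.discard(intervention_type)

    def permits(self, intervention_type: str) -> bool:
        # checked before any intervention is actually taken
        return intervention_type in self._opted_in

prefs = InterventionPreferences()
prefs.opt_in("tutor-contact")
assert prefs.permits("tutor-contact")       # tutor may now get in touch
prefs.opt_out("tutor-contact")              # student opts out subsequently
assert not prefs.permits("tutor-contact")   # no further contact on this basis
```

A real system would also need to record when each choice was made (see the consent record-keeping requirement above) and to handle a student refusing one specific offered intervention without revoking the whole opt-in.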
Conclusions
Institutions must inform students and staff of the personal information being collected about them and the purposes, including any results of learning analytics, for which it may be used. Provided data collection and analysis are done in ways that minimise the risk of impact on individuals, however, it may not be necessary to obtain individual consent for these stages. Indeed, relying on consent risks leaving holes in the dataset and students missing out on the benefits of the analytics for their learning, thus potentially disadvantaging them.
Under both the DPA and the GDPR data collection and processing can often be justified, and the interests of institutions and students better protected, by other legal grounds, such as legitimate interest. Provided institutions ensure that any remaining risk is justified by the benefits to the organisation and its members, this will enable a range of learning analytics to take place, e.g. identifying problems with modules.
Using sensitive data or taking personalised interventions with learners on the basis of the analytics will require their explicit consent. The student should be enabled to opt in to the type of intervention(s) they would prefer, and subsequently to opt out again, or refuse individual interventions, if they wish.