Consent and the GDPR: what approaches are universities taking?

We’ve already published some practical guidance for institutions on how to interpret and apply the new EU legislation – the General Data Protection Regulation – with regards to requesting student consent for the use of their data for learning analytics. We suggested that institutions should:

• Not ask for consent for the use of non-sensitive data for analytics (our current understanding is that this can be considered as of legitimate interest or public interest)
• Ask for consent for use of sensitive data (which, under the GDPR, will be called “special category data”)
• Ask for consent to take interventions directly with students on the basis of the analytics

As this is an important topic, we asked seven of our pathfinder institutions – those which are moving forward fairly rapidly with implementing Jisc’s learning analytics architecture – how they are approaching the area of requesting consent for the collection and use of student data.

Are the institutions following our suggested approach?

6 of the 7 universities said that they were basically taking our suggested approach, outlined above. One is going to seek consent for the use of special category data e.g. ethnicity, for returning and newly enrolling students for the purposes of learning analytics. They will not yet be ready to implement alerts and interventions so will not at present be seeking consent for interventions based on risk calculations.

Another institution is drafting a new data collection notice which includes specific reference to using engagement data. They’re not yet using special category data for learning analytics but will seek consent if they do so in the future. Neither have they yet agreed a formal approach towards obtaining consent for interventions.

The seventh university is being “more conservative” (their words) by requesting consent from students taking part in a pilot for the use of any of their data, not just their special category data. This institution says that it interprets the law such that if use of the data is not contractual then it must be based on consent. They do not consider pilot projects to be part of the contract with students. With full-scale implementation of learning analytics however this university would be looking to tie its use to the learning and teaching contract instead – with consent being sought only for the use of special category data and interventions.

What wording are they using?

Our draft learning analytics policy and student guide, based on those developed for the University of Gloucestershire, are being used by several of the institutions. One of these recently requested a clarification on the sensitive data part of our model LA policy, which we propose to adapt by adding the final clause in the following:

Any use of such data for learning analytics will be fully justified, documented in the Student Guide to Learning Analytics and require the consent of the student concerned.

Another university is awaiting further advice from the Information Commissioner’s Office before coming up with a form of words on the enrolment form which would clarify what student data they are processing and why.

One of our other pathfinder institutions is planning to update their consent notice to include a note about attendance capture, also adding a line about learning analytics with links to their LA policy and student guide.

A further institution said that it’s in the process of finalising the wording of its consent notice, which is short and concise, and preceded by an email from their student union president, explaining what learning analytics is and why consent is being requested.

How are staff and students being informed?

The approach varies from one university providing a basic information webpage on what learning analytics is and what they’re planning to do with it – to another which is about to discuss four documents at its learning, teaching and assessment committee: LA policy, LA student guide, FAQs and data collection notice. A few institutions have already put such documents through their relevant committees.

The university mentioned earlier, which is carrying out a pilot and currently requesting consent for all data to be used for learning analytics, provides a consent pop-up box at point of enrolment for those students on the pilot. This includes a link to its learning analytics policy. A director of ethics has been appointed and has oversight of the policies and wording. Their staff are kept informed through face to face engagement.

Conclusion

There seems to be broad agreement among our pathfinder institutions that our suggested approach relating to GDPR and consent make sense for them. We will obviously keep this under review and will also be keeping a close eye on further guidance from the Information Commissioner’s Office.

My main concern here is that any student who does not opt-in to the inclusion of their data in learning analytics potentially disadvantages both themselves and their peers, by reducing the size and coverage of the data set – and hence its usefulness.

Our proposed approach gives learners control over whether the institution can use their special category (sensitive personal) data for learning analytics and whether they’re happy to be contacted in the event that they’re deemed to be at risk. But it still allows the rest of the data to be collected and analysed by the institution in order to enhance education for current and future students.

There’s a balance to be struck here between student privacy and what the institution regards as in the best academic interests of learners. Importantly, this approach helps to protect students and means that institutions can proceed with learning analytics while staying within the law.