Consent and the GDPR: what approaches are universities taking?

We’ve already published some practical guidance for institutions on how to interpret and apply the new EU legislation – the General Data Protection Regulation – with regards to requesting student consent for the use of their data for learning analytics. We suggested that institutions should:

  • Not ask for consent for the use of non-sensitive data for analytics (our current understanding is that this can be considered as of legitimate interest or public interest)
  • Ask for consent for use of sensitive data (which, under the GDPR, will be called “special category data”)
  • Ask for consent to take interventions directly with students on the basis of the analytics

As this is an important topic, we asked seven of our pathfinder institutions – those which are moving forward fairly rapidly with implementing Jisc’s learning analytics architecture – how they are approaching the area of requesting consent for the collection and use of student data.

Are the institutions following our suggested approach?

6 of the 7 universities said that they were basically taking our suggested approach, outlined above. One is going to seek consent for the use of special category data e.g. ethnicity, for returning and newly enrolling students for the purposes of learning analytics. They will not yet be ready to implement alerts and interventions so will not at present be seeking consent for interventions based on risk calculations.

Another institution is drafting a new data collection notice which includes specific reference to using engagement data. They’re not yet using special category data for learning analytics but will seek consent if they do so in the future. Neither have they yet agreed a formal approach towards obtaining consent for interventions.

The seventh university is being “more conservative” (their words) by requesting consent from students taking part in a pilot for the use of any of their data, not just their special category data. This institution says that it interprets the law such that if use of the data is not contractual then it must be based on consent. They do not consider pilot projects to be part of the contract with students. With full-scale implementation of learning analytics however this university would be looking to tie its use to the learning and teaching contract instead – with consent being sought only for the use of special category data and interventions.

What wording are they using?

Our draft learning analytics policy and student guide, based on those developed for the University of Gloucestershire, are being used by several of the institutions. One of these recently requested a clarification on the sensitive data part of our model LA policy, which we propose to adapt by adding the final clause in the following:

Any use of such data for learning analytics will be fully justified, documented in the Student Guide to Learning Analytics and require the consent of the student concerned.

Another university is awaiting further advice from the Information Commissioner’s Office before coming up with a form of words on the enrolment form which would clarify what student data they are processing and why.

One of our other pathfinder institutions is planning to update their consent notice to include a note about attendance capture, also adding a line about learning analytics with links to their LA policy and student guide.

A further institution said that it’s in the process of finalising the wording of its consent notice, which is short and concise, and preceded by an email from their student union president, explaining what learning analytics is and why consent is being requested.

How are staff and students being informed?

The approach varies from one university providing a basic information webpage on what learning analytics is and what they’re planning to do with it – to another which is about to discuss four documents at its learning, teaching and assessment committee: LA policy, LA student guide, FAQs and data collection notice. A few institutions have already put such documents through their relevant committees.

The university mentioned earlier, which is carrying out a pilot and currently requesting consent for all data to be used for learning analytics, provides a consent pop-up box at point of enrolment for those students on the pilot. This includes a link to its learning analytics policy. A director of ethics has been appointed and has oversight of the policies and wording. Their staff are kept informed through face to face engagement.

Conclusion

There seems to be broad agreement among our pathfinder institutions that our suggested approach relating to GDPR and consent make sense for them. We will obviously keep this under review and will also be keeping a close eye on further guidance from the Information Commissioner’s Office.

My main concern here is that any student who does not opt-in to the inclusion of their data in learning analytics potentially disadvantages both themselves and their peers, by reducing the size and coverage of the data set – and hence its usefulness.

Our proposed approach gives learners control over whether the institution can use their special category (sensitive personal) data for learning analytics and whether they’re happy to be contacted in the event that they’re deemed to be at risk. But it still allows the rest of the data to be collected and analysed by the institution in order to enhance education for current and future students.

There’s a balance to be struck here between student privacy and what the institution regards as in the best academic interests of learners. Importantly, this approach helps to protect students and means that institutions can proceed with learning analytics while staying within the law.

 

2 thoughts on “Consent and the GDPR: what approaches are universities taking?

  1. Rob

    “There seems to be broad agreement among our pathfinder institutions that our suggested approach relating to GDPR and consent make sense for them”
    So, as long as I’ve got ‘broad agreement’ among members of a special interest group to break the law, then that is OK?

    Get consent and know what to do if consent is withdrawn.

    Read the GDPR – it’s not hard to follow…Option B offers a fig-leaf…

    Article 6 – Lawfulness of Processing
    A. Processing shall be lawful only if and to the extent that at least one of the following applies:
    the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
    They clearly have not given consent – or you wouldn’t be worried about it
    So you need one of the conditions below…..B, C, D, E or F.

    B. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
    You might get away with this if you can show that the ‘analytics are vital to the delivery of learning’ but I think it’s thin ice – safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given

    C. processing is necessary for compliance with a legal obligation to which the controller is subject;
    This one won’t fly

    D. processing is necessary in order to protect the vital interests of the data subject or of another natural person; This won’t fly either.

    E. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    Data Analytics – In the public interest ? I don’t think so!

    F. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
    Legitimate interests are hard to prove – they normally mean “because we want to or we’d like to” or “because we find it useful or valuable” This is likely to be overridden by the interests or fundamental rights and freedoms of the data subject.

    Reply
  2. Niall Sclater Post author

    Hi Rob

    As discussed in the practical – https://analytics.jiscinvolve.org/wp/2017/02/16/consent-for-learning-analytics-some-practical-guidance-for-institutions/ – and theoretical –
    https://journals.winchesteruniversitypress.org/index.php/jirpp/article/view/9 – papers we consider that Legitimate Interests, when used in accordance with Article 29 Working Party guidance, provides the best protection for the interests of both data subjects and institutions.

    Best wishes
    Niall

    Reply

Leave a Reply to Rob Cancel reply

Your email address will not be published. Required fields are marked *