Institutional Use Learning Analytics Service Legal Issues

Learning Analytics Service Agreement – Final

The  Jisc Learning Analytics Service Agreement  is available to download and we would like to thank everyone who provided feedback and comments. Here is a version showing the changes that have been made to the agreement.  Learning Analytics Service Agreement_Consultation-Final_Compared

Existing (pathfinder) institutions have already been contacted regarding the process for signing the new agreement. New institutions should contact if you are interested in the service.

The consultation process is now complete.

The table below shows a summary of feedback and the changes or responses to the suggestion.

Agreement, Section or Clause Query Jisc response / significant changes to the documentation
Data Processing Agreement (DPA) – Clauses 5.1.7, 7.7 and 11.2 If we don’t sign the new Service Agreement by 31 July 2017 is my data still securely stored in the learning records warehouse?

Will I have to instruct Jisc to stop processing my Institution’s data?

Will there be a gap between the Data Processing Agreement my institution has previously signed and the new Service Agreement?

Pathfinder institutions will be offered the chance to extend their current DPA to 31 Aug 2017 to allow time for the new Service Agreement to be reviewed and signed off.

This extension to the term of the DPA will ensure that the data provided under the agreement will remain with Jisc and the obligations under it will continue until the Service Agreement is entered into.

Service Agreement How will you ensure compliance with the new EU General Data Protection Regulation (GDPR)? A new Service Agreement has been produced to replace the Data Processing Agreement that pathfinder sites signed with Jisc during the R&D Learning Analytics Project. The new Service Agreement has been updated with clauses to ensure compliance with GDPR.

We have also ensured that our contracts with sub-contractors (eg HT2 Ltd, which provides the Learning Records Warehouse) are GDPR compliant.

Service Agreement Are there issues around obtaining consent to use student sensitive data, such as ethnicity, for learning analytics and for interventions? At this point we’re not processing sensitive personal data in the Jisc learning analytics service.

It’s worth remembering that an Institution, as the Data Controller, retains control over what data it passes into the Learning Records Warehouse (LRW).

We’re currently looking at the best approach to manage consent whether via new functionality in the LRW, or via some other mechanism.

We’re also continue to gather and share the different approaches institutions are using to gain student consent for learning analytics.

A recent post on the Jisc Effective Learning Analyitcs blog describes the work on consent that is currently underway at seven pathfinder sites, see

Service Agreement Some of the wording that describes arrangements during the initial term and pilot implementation period could be clearer. Jisc will produce a FAQ to clarify these points.
Service Agreement My institution’s current data processing agreement ends on 31 July 2017. What’s the process and timescale for signing the new Service Agreement? As a pathfinder site, Jisc will email a new Services Agreement to you in the week of 17 July 2017.

An Order Form has been added to the front of the Service Agreement so that pathfinders can easily see the Terms & Conditions and any costs associated with the service.

Pathfinders will need to confirm the components they wish to order for the year ahead. They have the option to continue with the Jisc components they began implementing during the R&D Learning Analytics Project, or they can add new ones if they wish.

Pathfinder sites currently implementing Tribal Student Insight can indicate that they wish to continue to receive this service during AY2017-18. There will be no charge for this service.

Please sign and return a scanned copy of the agreement to

Service Agreement – Order Form Why has the contracting authority been changed to Jisc Services Limited? As learning analyitcs is now being offered as a service the contracting authority needs to change to Jisc Services Limited, which is one of the Jisc group companies (see )
Service Agreement – Order Form What’s included in the Jisc service? The key components of the Jisc service are:
– Learning Records Warehouse Core
– Study Goal Core
– Data Explorer Core
– Student Success Plan
– Tribal Student Insight (existing pathfinder sites only)Additional information about the service will be available on the Jisc website.
Service Agreement – Order Form What will my Instituion pay for the Jisc service? Existing pathfinder sites (including those using Tribal Student Insight) will not pay for the service during AY2017-18.

All new customers will be able to pilot a selection of Jisc products for 6 months at no charge.

Charges after the free pilot period and 100% discount period for pathfinder sites are currently being finalised. In the coming months we’ll discuss service charges with each Institution.

Service Agreement – Definitions The agreement defines sensitive personal data but the information about the types of student personal data covered by the agreement needs clarification. Clause 7.2 Data Protection Particulars in the Services Agreement describes at a high level the types of personal data that are processed under the agreement.

Sensitive personal data is defined under GDPR (see ).

The GDPR equivalent of sensitive personal data is ‘special categories of personal data’ which includes data about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, their sex life or sexual orientation.

Sensitive Personal data will not be processed in the Learning Analytics service.

Service Agreement – Definitions The agreement refers to information on the Jisc website. Our legal team find this rather vague. Will it be collected together into one place? Ultimately our aim is to have one area of the Jisc website that contains all of the information you’ll need about the Learning Analytics service.

Learning Analytics is a new service and we don’t have all the internal processes in place within Jisc to achieve this at the moment, but we are working towards it now.

Service Agreement – Clause 2 Could auto-renewal after the initial 12 months be changed to a rolling 30 day agreement with 3 months notice? Given that we received only one request about changing the renewal terms, we decided to retain the original wording.
Service Agreement – Order Form and Clause 2 What is my financial commitment during the Initial Term and what termination options do I have? The Initial Term of the Service Agreement covers one year (1 August 2017 to 31 July 2018).

Within the Initial Term there are two points at which a customer can terminate their service, the first is at any point during the 6-month Pilot Implementation Period. The second is during the remainder of the Initial Term when a customer can terminate their contract with 3 months notice.

In practice, this means:
– Pathfinder sites have no financial commitment to Jisc during the Initial Term.
– New customers commit to the charges payable in the 6 months following the Pilot Implementation Period.

Service Agreement – Clause 3.1 What SLAs will be in place for the Jisc Learning Analytics Service? We are now in a position to define a set of SLAs for Learning Analytics as it transitions from an R&D project into a Jisc service.

We’ll share our approach with you over the coming months.

The Service Levels will be set out on the Jisc Site. These Service Levels are subject to change and we will notify you should this happen. The Service Agreement does give your Institution considerable flexibility to terminate during the Initial Term if you are not satisfied with the service you are receiving. We want to retain customers and ensure they’re satisfied with the service we’re providing, so in this interim period we’ll be working with you to ensure any concerns you have a promptly addressed.

Service Agreement – Clause 4.8 Only giving institutions 1 month to provide written notice of termination if JISC amend charges is not enough. The period that Institutions can give notice to terminate if Jisc changes prices has been increased to 2 months.
Service Agreement -Clause 9 What will happen to historical data in the learning records warehouse? Will it routinely be cleared after a period of time, and will this period of time be on a per institution basis? When students leave at the end of an academic year their historical data can be de-identified if the insitution wishes to retain it for data modelling purposes.

If instructed to do so by an Institution, Jisc can also delete all historical data.

Service Agreement – Clauses 8.2.6, 9.1.2, 9.1.5 and 9.1.6. Both parties to the Service Agreement may struggle to fulfil their obligations to notify each other within a 48hr period as set out in Clauses 8.2.6, 9.1.2, 9.1.5 and 9.1.6. A commitment to ‘promptly’ respond would be sufficient for the purposes of this agreement. We’ve received a number of queries about the 48hr response time, particularly in relation to Clause 9.1.5.

We’ve noted that some institutions would struggle to accept a term like ‘promptly’ without it being linked to a stated timescale.

Given that Learning Analytics is a new service for customers and Jisc, we may need to review these response times in the light of our experiences once the service has been up and running for a time.

For now, we believe that 48hr is a reasonable starting point for these notice periods.

Also see the query about Clause 9.1.5 below.

Service Agreement -Clause 9.1.3. What safeguards are in place to protect personal data?

What security standards will be inplace to protect my Institution’s data? When will I be able to see details about them?

The new Service Agreement identifies the obligations on Jisc and the sub-contractors it uses to ensure personal data is safely stored and processed.

To ensure we meet these obligations we are extending the scope of Jisc’s ‘ISO 27001 – Information Security Management’ certificate to include the Learning Analytics Service. This work will be completed in early 2018. We’ll share details of our approach and progress over the coming months.

Details on the scope of Jisc’s current ISO 27001 certificate are available on the Jisc website, see

Clause 9.1.5 How does the timescale for Jisc notification of a data breach to the Institution fit with the deadline an Institution has for reporting a breach to the regulator?

Can the 48hr notice period in Clause 9.1.5 be changed to 24hr, as we must report any breaches to ICO within 72hr?

Under Recital 85 of the General Data Protection Regulation (GDPR) a Controller has up to 72hr to report a personal data breach to the regulator (see )

If the Institution is not aware of the breach itself, then the 72hr reporting deadline for the Institution begins after it has received the breach notification from Jisc.

Jisc did consider whether the notification period could be reduced to 24hr. Based on the current availability of support resources we decided that 48hr was the shortest timescale we could reasonably expect to meet, particularly over a weekend.

Clause 9.1.8 Under GDPR can an Institution rely on consent being sufficient to cover the transfer of data outside the EEA? This query arose in relation to the transfer of personal data outside the EEA by a Jisc sub-contractor. The sub-contractor based in the USA would need to use terminal services sessions to access data stored in the EEA. Access to data via a terminal services session involves a data transfer.

Our approach has been to replace an institution’s reliance on providing consent for a data transfer, with a commitment to ensure that data is transferred under a compliant mechanism, such as Privacy Shield or through the adoption of EU Model Clauses.

Service Agreement – Clause 9.1.9 a Current clause does not take into account if there have been any breaches/near-misses/etc. Clause 9.1.9a has been amended to allow an institution to undertake an audit following an actual or ‘near miss’ personal data breach
Service Agreement – Clause 9.1.10 What are the arrangement for the return/deletion of data at termination? The process is described in Clause 9.1.10.

The time allowed for the return and deletion of data and any back-ups upon termination is now 60 days.

Service Agreement -Clause 17 Can a clause be added to allow us to exit the agreement with immediate effect if we do not approve of a sub-contractor Jisc has appointed? An Institution may not be using the services of the newly appointed sub-contractor. Allowing an automatic right to terminate in this situation could introduce the risk that termination may be triggered without Jisc first having the chance to discuss the practical implications of the appointment with the Institution.

As a result, we decided not to incorporate this change.

Service Agreement – Clause 11 I’m an existing pathfinder site. We’re implementing Tribal Student Insight as part of the cohort that jisc is funding. My institution would like Tribal to process the 5 years of historic data we have. Three years of historic data was the maximum amount we’d previously discussed under these arrangements. Is there anything I’m contractually obliged to do before I pass this additional data to Tribal? You are not contractually obliged to do anyting further in order for your data to be passed to Tribal.

Tribal is an existing sub-contractor of Jisc and Clause 11 of the Service Agreement allows Jisc to disclose an Institution’s data to its sub-contractors soley for the performance of Learning Analytics services.

You’ll probably need to discuss the extra years of historic data you’d like to use with Tribal and Jisc, so that you can confirm the practicalities of when and how the data will be made available.

It is also worth noting that, as the Data Controller, each institution can decide what data to release for use by the Jisc Learning Analytics service or any Add-On services.

Service Agreement -Clause 11.3 Why has Amazon Web Services been singled out for a unique sub-clause in Clause 11.3? We included separate wording for the Jisc sub-contract with Amazon Web Services (AWS) because:
• AWS provides the hosting service for many components of the Jisc Learning Analytics architecture, so is an existing core Jisc sub-contractor.
• AWS does not negotiate on, or vary, its standard terms and conditions of service. With other Jisc sub-contractors, such as HT2 Ltd (which maintains the Learning Records Warehouse), we have been able to negotiate to ensure that the data protection terms in our sub-contracts with them are compliant with the new EU General Data Protection Regulation (GDPR). In terms of AWS, although we cannot control the data protection clauses they use in their contact with us, we do expect that as world leaders in hosting services they will have GDPR-compliant processes and agreements in place to meet their obligations under GDPR when it is implemented in May 2018.
Service Agreement – Clauses 15.2 and 15.3 What in ‘Clause 15: Liability’ addresses the larger liabilities under GDPR, such as fines?

Does the liability position in the agreement allow an Institution to recover from Jisc the cost of any regulatory fines that it may receive for a data protection breach?

Is the liability position in the agreement suitable for the period prior to implementation of GDPR (May 2018)?

GDPR places specific legal obligations on Data Processors (in this case Jisc). This marks a significant change to the Data Protection Act, where the Data Controller (in this case the Institution) was responsible for ensuring legal compliance.

Under GDPR the Data Processor (Jisc) will have a statutory obligation to implement appropriate security measures to protect the personal data made available to it by the institutions (the Data Controller). As such, under GDPR, Jisc (rather than the Data Controller) can be directly fined for a breach of these statutory obligations.

The liability position in the new Services Agreement reflects that situation and is in line with what other suppliers currently offer in the marketplace.

Service Agreement – Clause 15 Do Jisc and the Institution offer to indemnify each other? No.
Also see Liability position response above
Sub-contract Agreement Will there be a pro-forma agreement that Institutions can use for Add-On Services they procure under the DPS? If an Institution opts to buy Add-On Services via a mini-competition in the Jisc Dynamic Purchasing System (DPS) for Learning Analytics, then the contract for those services will be directly between the Institution and supplier.

In a static procurement framework suppliers generally sign up to use a standard pro-forma contract with their customers. The DPS operates slightly differently. Under the DPS an Institution can use its own contract wording or the supplier’s.

In a bid to ensure that all suppliers adopt a consistent approach to data protection/GDPR-compliance, Jisc has provided a standard set of data protection clauses and mandated that suppliers use these in their contracts with Institutions.

Jisc is also in the process of reviewing some final changes to our sub-contract agreement. Once finalised, we can make this available as a starting point for contracts Institutions may enter into with suppliers under the DPS.

By Paul Bailey

Head of co-design, part of a research and development team

Leave a Reply

Your email address will not be published.