Data Handling: Ethics and Legal Requirements

Lesson goals and objectives

In this lesson you will learn:

  • why it is important to keep ethics in mind in online environments
  • why GDPR is essential to look into

What are the legal frameworks and what policy does your educational organisation have when it comes to dealing with data from and about students? Particularly if the data is used for individual student profiles on the basis of which interventions are carried out by the instructor, it is very important to be open and transparent about what you do.

So involve the legal department of the educational organisation and the Data Protection Officer in the learning analytics project from the outset. There is no point in starting if the legal frameworks and rules are not known to everyone from the outset. What you absolutely need is a Code of Practice for the use of student analytics and learning analytics that sets out the ethical principles your school has established.

Ethics policy must have a place at the heart of learning analytics. Be sure you are as transparent as possible about what you are doing and why. Also be aware about transparency in who has access to the data and with whom the data are shared.

Institutions must decide who has overall responsibility for the legal, ethical and effective use of learning analytics. Specific responsibility within the institution should be allocated for:

• the collection of data to be used for learning analytics

• the anonymisation or pseudonymisation of the data to be appropriate

• the analytics processes to be performed on the data and their purposes

• the interventions to be carried out

• the retention and stewardship of data used for and generated by learning analytics.

Student representatives and key staff groups at institutions should be consulted or at least informed about the objectives, design, development, roll-out and monitoring of learning analytics.

GDPR  General Data Protection Regulation
Nowadays, strict legal requirements apply to the collection of data. When the purpose is defined, it will be assessed whether this purpose can be based on one of the following principles of GDPR:

a. Consent of the person concerned.
This means that student gave permission to collect data for the purpose you explained to them.
For example in a project on learning analytics the students should give permission to collect and analyse the data of their online learning behaviour, with the aim of improving the support and guidance of online students.

b. The data processing is necessary for the execution of an agreement.
It is quite normal for a school to collect a student’s details such as address and place of residence, age, prior education and learning disabilities. Without this information the school cannot possibly offer the best learning circumstances.

c. The data processing is necessary to comply with a legal obligation.
d. The data processing is necessary for the protection of vital interests.

e. The data processing is necessary for the performance of a task in the public interest or in the exercise of official authority.

f. The processing of data is necessary for the purposes of protecting the legitimate interests of the person concerned. As a school you can have the law on your side. That is if you have an interest that society considers so important that it has found recognition in law. And you can only promote this interest by processing personal data. We call such an interest a legitimate interest.

EDUCAUSE Exchange has made a podcast about ethics in learning analytics. Listen to their episode below:

Legal requirements
Any processing of personal data must meet the ‘other’ requirements set by GPDR.

Storage periods: Determine the storage period based on how long it is necessary to store the data for the purpose for which they were collected. Follow the legal retention period (if applicable) and destroy the data afterwards. For example, destroy the datasets used for the investigation when the investigation is over.

Data minimisation: only process data that is necessary for the purpose. In other words: neither too much nor too little data should be processed for the goal. If too little data is processed, it may wrongly create an incomplete picture of the person concerned.
For example, if you want to use the variable ‘time of registration for the course’ for your research, it is often sufficient to take the month of registration and not the exact date.

Integrity and confidentiality: protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. Please take appropriate technical and organisational measures. For example, make sure that when data is exchanged, it is done via a secure connection.

Obligation to provide information: be transparent about data processing. The parties involved (in this case students) should be informed about the processing of their data. This involves, for example, informing the person concerned about the identity and contact details of the controller, the  purpose and basis of the data processing, the rights of the data subject, the retention period of the data, possible recipients of the data, etc.
When applying learning analytics in an online learning environment, it is mandatory to inform students about the purpose of using learning analytics. Permission must also be requested and there must be a possibility that a student may not wish to participate. In addition to a statement of consent, a student must also have the option of opting out.