GDPR and open education
This weekend I received an interesting question about the new European General Data Protection Regulation (GDPR) and open education:
A trend in open online education is a shift from attention to publishing and reusing open materials (including MOOCs) to their effects on education. Terms such as Open Educational Practices and Open Educational Pedagogy are part of this. Such practices are characterised by using openness in a much broader context: not only OER, but also open data and open platforms (such as forums, Twitter, blogs, Wikipedia, etc.). Most of these practices involve students creating content on such platforms, for example as a form of assessment (such as writing a Wikipedia article).
Most such platforms require (justifiably) non-anonymity in order to be able to make contributions. That is where my question lies. What I understand is that under the GDPR you cannot force students in an educational setting to share their data in that way. Wilfred recommends looking for alternatives that do not have such a requirement or (if that platform is used structurally) concluding a data processing agreement. However, it is precisely this non-anonymity of contributions that cannot be prevented, so platforms that do not demand it will not, in my opinion, be available. And is Wikipedia, for example, waiting for processing agreements to be concluded with all kinds of educational institutions?
A very interesting question, and one I will try to answer. Big disclaimer: I'm not a lawyer; anything I write here is my interpretation of GDPR and not legally binding.
An important aspect of the new law is consent before data is processed. To meet the GDPR requirements, consent must pass the following tests:
- Freely given: The consent must be freely given and capable of being withdrawn at any time.
- Specific: Separate consents must be obtained for different processing operations.
- Fully informed: Organisations should clearly communicate to individuals what they are consenting to and inform them of their right to withdraw consent.
- Consent must be unambiguous and be a positive indication of agreement: consent will no longer be presumed or inferred from silence, inactivity or pre-ticked boxes.
This means that if a student can freely choose whether to create an account, it is allowed. As soon as it is mandatory, there is no choice and no consent.
Lawful basis for processing
Another option is that processing data is allowed if it is needed:
- for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.
- for compliance with a legal obligation to which the controller is subject.
- to protect the vital interests of the data subject or of another natural person.
- for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- for the purposes of the legitimate interests pursued by the controller or by a third party unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular if the data subject is a child.
This means that a university is allowed to process data of students because of a legal obligation (for state universities) and/or its contract with the student. The university is responsible for ensuring that data processing complies with GDPR. It is allowed to use third parties, but this requires a Data Processing Agreement (we use the standard SURF DPA).
Yes, the new GDPR does affect open educational practices. As a university you need a DPA with external parties, or there should be free consent of the student. If writing a Wikipedia article is part of the assessment, there is no free consent. This means it is only allowed if you have a DPA with Wikimedia.
For all non-European universities, this also applies to your institute if you have European students!
Image Credit: CC-BY Dennis van der Heijden