A new appraoch

Background

From 2016-2018, Liz Hudson was working as a learning technologist at Coventry University. Even before the arrival of GDPR, there was concern about the privacy and other risks associated with using external technologies or tools in teaching and learning. The term external technologies refers to technologies that have not been screened and officially approved by the university’s IT and other authoritative departments. Lecturers would often ask Liz for a list of tools they were permitted to use in teaching and learning – and a blacklist, if there was one. It was easy to recommend the virtual learning environment, Microsoft Office tools, and a few others that had been carefully procured and packaged within security systems and policy frameworks. Most of the time, however, lecturers were eager to try something that wasn’t on the list.

Technologists had been asked to find out what technologies staff and students wanted to use, so that they could each be evaluated for use. The list was intimidatingly long and continued to grow. Furthermore, the diversity of technologies meant that the criteria for approval needed to extend well beyond data protection. As preparations for GDPR started to get underway, use of any external technologies would now need to be approved by the newly-instated Information Protection Unit. As their focus was not, at that time, concerned with pedagogy or innovation, Liz began to research GDPR to see if she could come up with a mutually agreeable solution.

A breakthrough

While the GDPR is a long and complicated piece of legislation, it is pivotal on a simple question: are you controlling or processing personal data? If not, then GDPR does not apply to you

Some teaching and learning activities do require the lecturer/university to control and process personal data, but they are usually administrative or operational in nature. In contrast, many pedagogical activities do not.

So, on the one hand, there are essential or common activities that staff and students are required or expected to do, in order to meet course requirements. Lecturers need to assign grades and provide feedback online. They might lead lessons and tutorials via video conference. There will be documents students must read and they probably need a means to submit their work electronically. In these instances, staff and students are required to share personal data with the associated technologies and services. Therefore, the university and its technology services are controlling and processing personal data, and so those technologies must be carefully vetted and managed, and users must be fully consensual.

On the other hand, if a lecturer wishes to use an external technology to demonstrate a concept in class, or a student wishes to use an external tool to build their portfolio, the lecturer and institution is unlikely to be considered the controller or processor of students’ personal data. Provided that the student knowingly and voluntarily engages with the external tool, and the lecturer is not acting on behalf of students, this ought to be the case.

So, if staff or students choose to sign up to or engage with a service voluntarily, then the legal contract is between the individual and the service provider. Liz realised that there were other other factors to consider, but this distinction between the types of activities could potentially be used as a basis for flexible policies and processes.

Pathways and principles

Liz used what she had learned to develop a new set of guidelines based around six principles. After many months of discussion with various departments, approval by the Quality in Learning and Teaching committee, and the all-important approval of the Information Protection Unit, the new guidelines were passed and implemented ready for the start of the 2018-2019 academic year.

Liz’s approach has now evolved to define four pathways for the approval of technologies, which depend on a clear communication strategy and adherence to six principles.

New literacies

A key concern raised about this new approach has been that staff and students may not possess the digital and information literacy required to make informed decisions about the tools they use. There are also concerns that, aside from data privacy, there are various other legal and ethical issues that need to be considered before a technology can be approved e.g. accessibility, student welfare, sustainability. 

Liz has always maintained that she does not necessarily condone the use of external tools and is deeply concerned about the misuse of personal data by many technologies. She believes that:

“not only do students have a right to data privacy, they have a right to be educated about it and make informed decisions”

So while the pathways and principles should never be seen as a loophole or workaround, the GDPR should also not be cited as the reason for restrictive institutional policies, when this is quite often not the case. She argues that both these interpretations undermine efforts to improve privacy and human rights.

So, just because you can, doesn’t mean you should. Informed decisions are dependent on effective education. Hence the need to develop a range of literacies related to the use of digital technologies, or new literacies

Wider impact and future developments

Liz presented the approach via webinar at the ALT Online Winter Conference 2019, generating enthusiastic discussions among the 70 delegates. Questions raised were responded to in a collaborative document after the session. 

A persistent question about the approach has been whether it has been approved by legal experts. This reflects the widespread and understandable nervousness about getting it wrong. A strategy that could be interpreted and applied to limitless scenarios is difficult to legally approve, particularly when GDPR is case-based law and there are no known precedents for this particular issue. However, Liz described the approach to the ICO and submitted a set of key questions. On 25th Feb 2020 they responded with positive and helpful feedback on its interpretation of GDPR law. Liz is currently writing interpretative guidance on this feedback and developing decision making tools to put it into practice. She also plans to blog on upcoming developments and interesting topics as they arise. 

Liz is keen to know of any institutions who have already or are planning to implement something similar or based on this approach.

You can follow Liz Hudson on Twitter @Lizlovelearn and get in touch with her via email at liz@lexedio.com.

Get started

To see how the approach works, start by reading about the four pathways and then the six principles.

css.php
Select the fields to be shown. Others will be hidden. Drag and drop to rearrange the order.
  • Image
  • SKU
  • Rating
  • Price
  • Stock
  • Availability
  • Add to cart
  • Description
  • Content
  • Weight
  • Dimensions
  • Additional information
Click outside to hide the comparison bar
Compare