Learning Analytics in 5 steps: a guide to the GDPR

Does your institution want to start with learning analytics? Please follow the plans’ different steps with your learning analytics team to immediately survey the impact of learning analytics on privacy.

Student met telefoon

GDPR places strict criteria for using learning analytics

The GDPR places strict criteria on the basis for using learning analytics. The use of learning analytics requires careful consideration of the risks for individuals, and suitable measures to be taken. It is not as simple as asking for consent once and including a privacy statement on the website. Within this this roadmap SURF aims to assist educational institutions to shape their learning analytics in accordance with the GDPR.

5 steps to shape learning analytics

This 5 steps roadmap is only intended as a guide, each educational institution will need to make its own considerations in regard to privacy. It supports institutions in safeguarding the legal aspects of their learning analytics projects. This contributes to creating a secure learning environment which respects the privacy of individuals. Don’t skip any steps. It is best to focus on the steps that are most relevant to your project. With each step, you can read about therelevant l egal terms and what you have to do. Also make sure that your institution’s Data Protection Officer (DPO) is involved in carrying out this plan.

Step 1: preparation

In this first step you make a plan of action in which you describe the specific goals that you want to achieve with learning analytics. You also put together a multidisciplinary project team.

Step 2: design

In the design phase, you determine how you include privacy protection, the scope of your processing, how the data will be processed and how you will protect the data.

Step 3: Assessment

In this step you investigate whether the goals of learning analytics are proportionate to the infringement for the individuals whose data you process (proportionality). And whether you cannot achieve the goal in a less disadvantageous way for the individuals involved (subsidiarity). The basis justifies the institution’s processing of personal data for the purpose of learning analytics. In principle you require one of the following six bases for each phase (collection, analysis, use):

  • consent
  • execution of an agreement
  • legal obligation
  • protection of vital interests
  • fulfilment of public service
  • legitimate interest

Step 4: Implementation

In this step you will take the necessary legal, technical and organizational measures. This includes the conclusion of necessary contracts with suppliers in the form of processing agreements. You also draw up the necessary policy documents and procedures and inform individuals, students, about the learning analytics processing.

Step 5: evaluation

Assessing whether a learning analytics system is responsible from a privacy law perspective is not a one-time event. The organisation itself and external factors do change. This may impact the societal and legal frameworks of the system and therefore also its legitimacy. It is therefore important to periodically evaluate whether the system is still liable.