Inherent to the concept of learning analytics is the collection and utilisation of information, in a variety of contexts, generated by a student's activities without the student having to produce it consciously and actively at any stage. The University, as a controller of personal data, must assess the risks associated with data processing in the context of learning analytics, in order to contain them and ensure the data’s proper handling.
A study carried out as part of the AnalyticsAI project Learning analytics and student data processing at the University (Ouli, J. & Voutilainen, T. 2019) looks at a wide range of legal issues related to the use of learning analytics in university education, especially from the perspective of a university student. Also included in the study report, is a simplified risk assessment model for data processing, for different learning analytics use cases. Based on this model, we have prepared a separate tool for carrying out the risk assessment, which is intended to be published openly online with guidelines for users. The format of the tool to be published is being further elaborated. The challenging nature of creating a new technological tool, is heightened by the fact that the related legislation is fairly recent. As a result, there are relatively few guidelines or use cases on the subject.
When considering the risk assessment of learning analytics, risk factors with different weights pose different risks. For example, one major risk factor is, if the use of learning analytics enables automated decisions concerning students. According to Ouli and Voutilainen’s report there is no legislation, which would allow the use of automated decision-making in learning analytics use cases. Similar issues have arisen in the public debate regarding the automated decisions regarding Kela and the tax authorities.
The risk assessment tool being prepared in the project does not automatically answer the question of whether the controller has to carry out an impact assessment under the Data Protection Regulation. It does, however, provide a basis for addressing specific issues in learning analytics and highlights the key risks and perspectives to consider, which in any case need to be assessed from a risk-based perspective in the Data Protection Regulation.
It should also be noted that, even though data processing from a risk assessment perspective would be a good model for learning analytics, it must also be considered separately whether its implementation follows through with ethically sustainable practices and criteria, what principles are accepted for the use of analytics, and how the responsibilities of the various stakeholders are defined. In addition, it should be noted that according to Ouli and Voutilainen’s report, learning analytics cannot be developed in universities from the point of view of data protection law alone, because action is governed by general administrative law, within the framework of the national leeway, the most important of which are the Administrative Procedure Act, the Act on the Openness of Government Activities, the Information Management Act, as well, the Universities Act.
Special Designer Tommi Haapaniemi, Study Services
Project Researcher Meri Sariola, Department of Law
University of Eastern Finland