Covid-19 has major implications for the way education is currently delivered. This has not gone unnoticed by the Personal Data Authority (AP) either. The AP has received a large number of signals and questions about the processing of personal data in digital education. As a result, in May, June and July of this year, it conducted investigations focused on the application of the General Data Protection Regulation (AVG) in the use of online (video) calling applications and online proctoring (software used by educational institutions during a test or examination to prevent fraud).
In times when online education has boomed, it is critical to consider the processing of personal data. It also brings new risks and challenges for educational institutions.
A total of 12 educational institutions in secondary, higher and scientific education were surveyed by the AP using a questionnaire. The results were recorded in the report recently released by the AP. In this blog, read more about some of the relevant recommendations the AP has made to educational institutions.
The AP first addresses the basis for processing personal data, pointing to the educational institution's own responsibility to assess the necessity of the processing. The AP indicates that it is possible for an educational institution to invoke the basis of fulfilling a task in the public interest or a task in the exercise of public authority entrusted to the controller (public task), when the processing is necessary to perform this task. The requirement is that this task must be defined by law. In many cases, however, it will be difficult to determine the boundaries of a public task, and whether the public task in question provides a sufficiently precise basis for certain data processing, according to the AP.
It is also important to note that necessity for the performance of a public duty may vary from time to time. For example, the AP indicates that it is possible for an educational institution to come to the conclusion that the Covid-19 measures make it necessary to process video footage of students in specific situations in order to perform the public duties imposed by the Education Act and the Higher Education and Scientific Research Act.
The AP further indicates that, as for other government agencies, the AVG does not allow educational institutions to invoke the legitimate interest basis.
Furthermore, the AP indicates that the basis of consent can be problematic, as in many cases it is questionable whether students actually have the freedom to refuse consent vis-à-vis the educational institution when there are consequences.
With respect to conducting a Data Protection Impact Assessment (DPIA), the AP says the following. Many educational institutions have made the choice to deploy online (video) calling applications, which may be a good choice partly because of external time constraints. It should be noted, however, that when a (video) calling application is deployed for purposes other than those for which it was initially purchased, the data processing may involve other risks and a new DPIA may be required. The example given here is that the deployment of a (video) calling application during a meeting may have a different impact on the protection of personal data than when the same application is used to give a lesson or lecture to a large group of students.
With regard to decision-making on the deployment of (video) calling applications and online proctoring software and the creation of appropriate safeguards, the AP indicates that this requires timely and active involvement of the Data Protection Officer (FG). It is insufficient to inform the FG (after the fact) about choices made. Furthermore, the AP encourages educational institutions to involve, in addition to parties such as the participation council, the examination committee and the Executive Board, also students and other stakeholders in the design and evaluation of distance education, i.e. also parties that do not have the right to consent or advice.
In the context of accountability, an educational institution should be able to properly justify why the use of online proctoring is necessary to prevent fraud. Depending on the nature and specific characteristics of a test or examination, this may differ per situation. It is important to consider online proctoring as a last resort, which means that it should first be examined whether other forms of testing are available that infringe less on students' data protection rights, according to the AP.
It is indicated by the AP that it is important to establish institution-wide policies or guidelines on how to handle footage when making online (video) calls, which should include at least the following agreements:
surveying students and documents and making recordings;
informing data subjects of, among other things, the purpose of the recording and the retention period;
secure storage, retention period and who is responsible for timely deletion of stored images (if applicable).
Institution-wide policies or guidelines on remote review should also be established for remote review, which should at least include agreements on the following:
The cases in which online proctoring can be used;
the obligation to always consider first the options that have the least impact on the protection of student personal data;
documenting the consideration made if the educational institution decides to use online proctoring for a particular test or examination;
By what means and in what manner personal data of data subjects are processed;
student identification during digital tests (having the student show a full (unshielded) ID is not allowed);
the requirement for human intervention in assessing whether a student may be committing fraud during a test or examination.
The AP further notes the influence students and teachers themselves have on the data they share during a digital lesson or test. The AP recommends that teachers and students (if they are in the picture) be advised to provide a neutral environment in which personal items are kept out of view. It also recommends instructing students to turn off the camera and microphone when not necessary to follow a digital lesson.
The AP also points out that students should be informed of their right to object to the processing of personal data. If a student objects to online proctoring and the educational institution cannot demonstrate that the interests of the institution outweigh those of students, the educational institution is obliged to offer a suitable alternative that sufficiently eliminates the privacy concerns, such as an alternative form of test without online proctoring or offering a test at a different location. It should be noted that this alternative may not result in negative consequences for the student, such as disproportionate study delay.
It recently came out that online proctoring has led to major problems for several students. Because the online proctoring system did not work in a number of cases, exam evaluations of nearly 100 students were invalidated. Ultimately, 15 students had their diplomas revoked. So such system errors can have far-reaching consequences.
The AP's investigation therefore leaves open the question in which cases online (video) calling and online proctoring is permitted. It is in any case important for educational institutions that prior to the relevant processing of personal data, the basis on which this processing rests is substantiated.
However, educational institutions should at all times make a sound assessment regarding the necessity when they want to deploy online video (calling) or online proctoring. If deployed, educational institutions should at least ensure that the invasion of privacy is as limited as possible.
The results of the study conducted by the AP will be discussed by the AP with umbrella organizations in education. The AP indicates that it will emphatically point out to the various umbrella organizations the improvements it believes are needed.
More articles from AKD