JISC Legal have produced a report, "Consent Management: Handling Personalisation Data Lawfully", which addresses the following questions:
- Must an institution always get the consent of learners if it wants to process their information in a new and innovative way?
- What is the best means of administering the individual consent of learners to various processing activities that will occur with their data?
- What laws apply to the vast quantities of user activity data that are generated as learners participate in and engage with online resources?
Their recommendations are:
For Institutions Generally
- Institutions should raise awareness of the risks to those engaging with and providing personal data to external third party organisations.
- Where there is no reasonable likelihood of an individual being identified, personalisation data can be considered anonymous data and is not subject to the DPA 1998. Consent to its use is therefore not required.
- Where consent is obtained, the data subject should be left in no doubt that they are giving their consent - consent should be specific and informed.
- Ensure that details of online services that are required as part of a student's learning are described up-front, probably at the time of registration.
- Where learning providers process users' information that is indicative of their online activity and interests, this should be considered personal data.
- Any profiling of natural persons or other value-added services should only be carried out after express consent has been obtained from the user.
- When processing is not necessary, personally identifiable data must be processed only with the consent of the individual involved.
- Where processing is necessary in order for an agreed relationship to take place, and this processing is clearly described in advance to the learner, then further consent to the particular processing is not necessary.
- Where learners' personal data is provided to external online services as part of their learning, there is an onus on the institution, as data controller, to ensure that the learner understands that the transfer is necessary for the purposes of their learning.
- Where institutions are using social network services as data processors, the institution is obliged to ensure that this processing is data protection compliant.
- Data protection compliance should be designed into systems that are processing personal information from the start. In many cases conducting a Privacy Impact Assessment can be a useful method of gauging the privacy risks to individuals.
- If the storing or processing of personal information, including personalisation information, cannot be justified as necessary, then it should not take place at all.
- In the Information Commissioner's view, provided there is no likelihood of a significant adverse effect on the individual as a result of processing their information, the specific consent of the data subject will not always be required.
- It is recommended that sensitive personal data of learners is not provided to external service providers without the explicit consent (in writing) of the individual learners involved.
For Information Technology Staff
- Attributes that do not reveal personally identifiable information should be used wherever possible.
- Data should be anonymised by removing all personal identifiers wherever possible.
- Technical and organisational measures must be in place to ensure that anonymous data cannot be reconstituted into personal data.
- A collection notice describing who is in control of the processing and what use will be made of the personal data is required to satisfy the fair processing information element of consent.
- Attributes should be designed not to collect or categorise information according to racial or ethnic origin or gender, for example, unless there are clearly justified and lawful reasons for such collection or categorisation.
- The eduPerson specification is recommended as the basis for the metadata standard for the attribute set stored for end users, since it is well developed and already implemented in some institutions' directory servers.
For External Service Providers
- Users should be fully informed by means of a collection notice of all profiling and personalising processing that involves their usage activities.
- Clear informed consent obtained from the individuals concerned can satisfy the legal obligations contained in the DPA 1998.
- The use of systems that anonymise personalisation data fits well with the approach that information that identifies individuals should be minimised or avoided.