'Learning analytics' can help universities improve student engagement and performance but data protection issues must be addressed, say experts

Out-Law Analysis | 16 May 2017 | 10:08 am | 4 min. read

ANALYSIS: Universities have an opportunity to use the increasing volume of data at their disposal to improve students' learning and attainment, as well as the quality of teaching and content provided on their courses, provided they get data protection issues right.

Technology is playing a growing role in the way teaching is delivered to university students. Students are increasingly accessing course materials, completing modules and participating in assessments online. This digital activity leaves a data trail that can offer insights into students' engagement and performance.

So-called 'learning analytics' solutions are available and being adopted in the higher education sector by an increasing number of universities to tap into this bank of information. The technologies offer institutions the chance to identify students that are at potential risk of dropping out of courses or failing exams, and even restructure the way courses are delivered, and what content is included, on the basis of the insights gleaned from the data.

The use of learning analytics has been endorsed by the Higher Education Policy Institute (HEPI). In a report (60-page / 337KB PDF) published earlier this year, HEPI said there is "growing evidence" that learning analytics can be used to "reduce university non-retention rates" and that it also has the potential to improve students' performance too, including through "personalised learning".

As HEPI put it, learning analytics "correlates patterns of student activity with learning outcomes" and allows staff to "spot disengaged and underachieving students at the earliest possible opportunity".

HEPI urged universities to consider adopting learning analytics "at the earliest opportunity".

The use of big data analytics is already prevalent in many other sectors. Retailers, for example, have used data on the movements of customers to help inform store layouts, and insurers use data about customers to set premiums for their products.

However, for universities, the collection of data about students and lecturers gives rise to data protection issues that they must address.

First, it is vital that universities meet their 'fair processing' obligations under data protection laws. Those rules require organisations to explain to people what data they plan to collect about them and for what purpose, as well as whether they plan to share that information and with whom.

Meeting this obligation requires careful thought. Universities must ensure that they explain how students will benefit from the institutions' use of learning analytics to counter any concerns about the tracking of their habits.

There is also a question of how these privacy notices should be communicated.

Students are typically tech-savvy. Universities should use that to their advantage. As part of a layered approach to data privacy, universities should display short chunks of easily-digestible information about the planned data processing to students when they access course materials, modules or assessments online via their devices, and back this up with a more extensive explanation of the processing in a privacy policy. Social media channels also offer a useful medium for getting the message out to students.

Beyond the obligations on transparency, universities also must ensure that there is a lawful basis for collecting and processing the information.

Universities might argue that they have a legitimate interest in processing students' data for the purpose of building a profile about them to step in to improve their engagement and attainment and/or improve teaching and learning. However, they would have to be confident that the legitimate interests they have in that data processing is not overridden by the rights of the students concerned, such as their rights to privacy.

The balancing of the competing interests and rights might be influenced if universities intend to make decisions about what interventions to take based on the automatic processing of the data by software. That might be considered prejudicial to the rights of students.

Where the 'legitimate interests' basis for data processing is not valid, universities might need to put in place processes for obtaining students' consent to the use of learning analytics.

Many of the learning analytics solutions are delivered by third parties via cloud computing. Universities must be mindful of the terms and conditions on offer when engaging with those service providers as there are legal ramifications to consider. For example, organisations in the UK are required, under data protection laws, to have contracts in place governing their data processing arrangements when they outsource those activities.

Under the new General Data Protection Regulation (GDPR), the requirements to be included in contracts of this nature will become much more stringent, which could lead to lengthier negotiations with learning analytics providers. Universities will be on the hook for a potentially severe fine if they do not meet these requirements. In addition, because data processors will also be subject to new obligations under the GDPR, there is a need for universities to carefully consider whether they are exposed to undue risk through their  contracts with learning analytics suppliers.

The GDPR will also introduce a new data breach notification regime. Universities will be subject to those new duties to report data breaches to data protection authorities and, potentially, individuals affected by a breach. The institutions must therefore ensure that data processing contracts stipulate a level of cooperation from learning analytics suppliers that allows them to meet their breach notification duties on time.

If accessing learning analytics solutions means using cloud providers based outside of the European Economic Area (EEA), universities will also need to ensure that there are data protection arrangements in place that are essentially equivalent to those that apply within the EU.

With cyber risk growing for all organisations, universities should also conduct due diligence of the data security offered by third parties they engage with for providing learning analytics.

Joanne McIntosh and Craig Callery are experts in education technology (edtech) and data protection law at Pinsent Masons, the law firm behind Out-Law.com.