The Portuguese Data Protection Authority issues guidelines for the use of distance learning enabling technologies
Data Protection Alert Portugal
The Portuguese Data Protection Authority (CNPD, Comissão Nacional de Proteção de Dados) issued, on April 8, guidelines regarding the processing of personal data carried out through distance learning platforms driven by e-learning, MOOC (massive open online course), content/file sharing, videoconferencing and messaging technologies.
These guidelines, primarily addressed to controllers of the personal data processed through the use of the abovementioned technologies and their processors, as well as to the public bodies involved in decisions related to the use of these technologies in education, can be summarised as follows:
1. Personal data processed in the context of the use of distance learning enabling technologies
The CNPD begins by listing the personal data that may be processed in this context, which may include not only the data normally processed in the context of the educational practice, but also other data revealing (or enabling to infer) aspects of the private life of the data subjects (e.g. verbal statements from participants in the platforms concerned, images of the participants and their surroundings, intellectual skills and learning difficulties of the students) or even health data (in the case of platforms programmed to identify, through certain indicators, situations of dyslexia, autistic spectrum disorders, intellectual disability, hyperactivity, attention, memory, perception or language disorders, or cognitive impairment).
This government agency also highlights that such platforms may lead to the processing of personal data relating not only to students and teachers, but also to other people who share the same space with them (for instance, family members of students and teachers).
2. Data subject's privacy risks
The CNPD also warns of the data subjects’ privacy risks that may arise from the use of distance learning enabling technologies, including:
Risk of improper use of data collected or transferred through these technologies;
Risk of profiling or grading based on information derived from the user's activity, which may lead to discriminatory treatment of the profiled individuals (with particular focus on automated decisions based on artificial intelligence systems analysing the student's behaviour and performance - learning analytics -, since errors in the evaluation of the student's progress may limit his/her access to certain contents, which in the long term may impair the student's learning outcomes);
Risk of illegitimate reuse/sharing of data (e.g. posting data obtained through these technologies on social media or other data platforms, and processing such data for non-legitimate purposes);
Risk of remote surveillance of teachers in order to monitor their professional performance.
The CNPD concludes its guidelines with a set of recommendations aimed at protecting the personal data processed through distance learning enabling technologies and minimising the impact of the use of such technologies on the data subjects' rights, including:
Only platforms with well-defined purposes, compatible with distance learning, and suited to the technical capabilities of the educational institution (i.e., platforms that do not overload the educational institution technological systems and thus rendering them unsafe), should be used;
Only platforms respecting the principles of data minimisation and privacy by design should be used, and technologies involving the least possible exposure of the data subject and his/her family environment should be chosen wherever possible;
Both teachers and students must be provided with information on the platforms to be used, especially when algorithms requiring the data subject’s consent (students or, when minors, their parents or guardians) are involved, which implies that the details of the data processing to be carried out must be properly defined (e.g. what data will be processed, and their retention periods);
A data protection impact assessment should be carried out prior to the use of the distance learning enabling platforms (the platform providers themselves may carry out such assessment);
The roles and responsibilities of the various parties involved in the processing, as well as the obligation for platform providers to report any personal data breach to the educational institutions, should be clearly defined;
The use of learning analytics algorithms must be made in a lawful, careful, fair and transparent manner, and the educational institution may not impose the use of these technologies (which shall require consent from the data subject or, when minor, his or her parents or guardian);
The educational community must be made aware of a set of best practices and precautions to be followed in the use of distance learning enabling technologies.
Educational institutions intending to use or already applying distance learning enabling technologies should therefore ensure that a number of measures are taken, including:
Careful selection of technologies of this type and their suppliers, documenting their analysis:
on the adequacy of the selected technology for the intended purpose (including the exposure of the data subject and his family environment resulting from its use);
on the technical capability of the educational institution to support the implementation of the selected technology;
on the compliance of the selected technology with the provisions of the General Data Protection Regulation and other relevant data protection legislation;
on the availability of adequate data protection impact assessments (or, when not available, on the assessments conducted by the educational institution itself);
on the security measures applied by the supplier to the selected technology;
on the supplier's ability to comply with the applicable data protection legislation.
Entering into personal data processing agreements with the technology providers where their responsibilities and those of the educational institutions are clearly established.
Defining the details of the personal data processing operations to be carried out using the selected technology (e.g. personal data to be processed, retention periods, recipients of the data), with special care when the selected technology involves user profiling and/or automated decisions.
Dissemination of easy-to-read documents describing best practices in the use of the technologies made available by the educational institution.