Last updated: 
1 week 6 days ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

GDPR: Attendance Monitoring

Wednesday, June 14, 2017 - 11:30

A question recently arose about monitoring students' attendance at lectures and tutorials, and how this fitted into data protection law. Since the main purpose of such monitoring seems to be to identify and assist students who don't attend, and whose presence is therefore not recorded or processed, there seem to be a number of both practical and legal issues to think about.

Firstly, is there any processing of absentees' personal data going on at all? It seems to me that there is, because at some point the absence record will lead to an "expression of opinion about the individual and…indication of the intentions of the data controller or any other person in respect of that individual" (Data Protection Act s1(1)). That means some legal basis for the processing is required: since these individuals won't, by definition, have had recent contact with the organisation, consent seems an unlikely option (these individuals may, in any case, be the least likely to provide opt-in consent). So it seems better to consider the data collection and offer of support as legitimate interests of the university or college. As in our approach to Learning Analytics, the benefits of such processing need to be balanced against the risk to the individuals. When the student responds to the offer they will either grant or refuse informed consent for the help being offered.

So what about processing the personal data of those who do attend? In many cases the main purpose of this seems to be to understand what patterns constitute normal attendance, so as to be able to identify those whose behaviour diverges from what is typical for their cohort or class. Since these students are making their personal data available, consent might be a possible basis, but this has practical disadvantages because of the need for that consent to be informed and opt-in. Since attending students obtain little or no personal benefit, a low participation rate seems likely, so the patterns derived from the data may well be unreliable. A useful rule of thumb is that for any processing that depends on maximising participation, consent is likely to be a poor choice. Again, legitimate interests appears a better option, though the balancing test may impose stronger requirements on the processing. Unlike non-attendees, where the benefit of intervention can be included in the calculation, attendees are unlikely to receive any benefit themselves. So stronger risk-reduction measures are likely to be required: for example it would be worth considering whether attendance patterns can be derived from pseudonymised data, kept separate from the students' actual identities. Information about the processing, and the option to object if a student's particular circumstances mean processing creates a greater risk for them, needs to be provided, but could be included in course or enrolment details.

In some situations, a couple of other legal bases may be available. Where attendance monitoring forms part of a university or college's access agreement with a regulator, it might be argued to be necessary for that public interest. Or, for some students (e.g. international) and some courses (e.g. those leading to professional recognition) attendance monitoring may be necessary to comply with a legal obligation. Whether this could be interpreted under non-discrimination law as a duty to record attendance for all students is a question for lawyers – the argument that you need to increase someone's data protection risk in order to not discriminate in their favour is a tricky one!