2017 - ICO Request for Feedback on Profiling

This is Jisc's response to the ICO's request for feedback on Profiling under the General Data Protection Regulation.

1. When, how and why does your organisation carry out profiling? Do you agree that there has to be a predictive element, or some degree of inference for the processing to be considered profiling?

Jisc uses analysis of personal data to improve its own services and provides services that educational institutions can use to improve theirs.

We consider that the "evaluat[ion] of personal aspects relating to a natural person" [GDPR Article 4(4)] is the key feature that distinguishes which of these activities represent profiling. In other words, processing must lead to a personalised effect, rather than a group one, to be considered profiling. For example, analysing university library borrowing records to determine which sources were popular with which classes would not be profiling; using those records to guide interventions with individual students would. The comment on page 9 of the guidance document that profiling creates new personal data may be a helpful rule of thumb: processing that does not create new data "relating to individuals" cannot be profiling. We do not agree that prediction or inference is necessary for processing to be considered profiling: for example, automated analysis of historic data that resulted in an individual pay award or course mark would carry the same risks of unfairness and require the same safeguards.

2. How will you ensure that the profiling you carry out is fair, not discriminatory, and does not have an unjustified impact on individuals' rights?

We expect most profiling activities to involve two stages: first a preparatory, non-profiling, stage to identify patterns of group behaviour and then, if appropriate, a profiling stage identifying the individuals who match those patterns and personalising their treatment in some way. For example in the use of learning analytics a preparatory stage might identify signs common to students at increased risk of dropping out; the profiling stage would involve identifying and offering appropriate support to individuals showing those signs.

This allows fairness etc. to be delivered at two distinct stages. For example we would expect Fair Processing Notices to mention both the use of personal data to identify possible improvements to educational provision, and the subsequent offering of particular types of support to those individuals likely to benefit. In assessing the appropriateness of pattern identification we would expect to use a balancing test such as that in guidance on the legitimate interests justification; this should permit discriminatory and other harmful patterns to be identified and addressed before they affect any individuals. In assessing the appropriateness of individual intervention we would expect educational institutions to check that students are either in a position to offer free, informed, consent, or that intervention had been approved, for example under the provisions of universities’ access agreements with the regulator.

3. How will you ensure that the information you use for profiling is relevant, accurate and kept for no longer than necessary? What controls and safeguards do you consider you will need to introduce, internally and externally, to satisfy these particular requirements?

Since the aim of learning analytics is to enable prompt intervention to help students, using old, out-of-date, information for profiling would defeat this purpose. Our Learning Analytics Code of Practice, developed with universities and the National Union of Students, describes the procedural and technical safeguards that we would expect educational institutions to implement.

4.(a) Have you considered what your legal basis would be for carrying out profiling on personal data? How would you demonstrate, for example, that profiling is necessary to achieve a particular business objective?

We would expect most profiling to be a secondary purpose for data collected for some other primary purpose and using the appropriate legal basis for that collection. The secondary pattern-identification process would then be performed as a legitimate interest of the educational institution, subject to the balancing test (if special category data were to be used for pattern-identification then a separate consent would be needed for this stage, though the organisation should still use a balancing test to ensure the use of SCD is appropriate). Any personalised treatment of an individual – which would be the purpose and main part of the profiling stage – would normally be based on the individual’s consent. This approach is described in Cormack, A, "Downstream Consent: A Better Legal Framework for Big Data" [2016] 1(1) JIRPP.

The identification of individuals from whom consent will be sought – the first step in profiling – cannot be based on that consent, so must also be based on a legitimate interest of the organisation. The requirements of the legitimate interests balancing test and the requirement that this part of profiling not have any significant effect on the individual both require organisations to ensure that the consent request is made in the least impactful way possible. If the act of making the consent request carries a significant risk of harm (for example if the request itself may cause distress), organisations must either justify that risk against the potential benefit to the individual, or else not make the request. We would expect these circumstances to be identified as part of the design of the proposed intervention, before profiling takes place.

Where the use of personalised interventions had been agreed as part of an access agreement with the statutory regulator, profiling might alternatively constitute processing necessary in a recognised public interest.

4.(b) How do you mitigate the risk of identifying special category personal data from your profiling activities? How will you ensure that any 'new' special category data is processed lawfully in line with the GDPR requirements?

As in our answer to Q2 above, we would expect any patterns identifying special category data to be identified and appropriate safeguards applied at the pattern-finding stage before any profiling takes place.

5. How do you propose handling the requirement to provide relevant and timely fair processing information, including "meaningful" information on the logic involved in profiling and automated decision-making? What, if any, challenges do you foresee?

Information should be provided to data subjects both at the initial stage when data are collected or added to an analysis system and subsequently when personalised treatment is offered. The latter allows provision of information specific to a particular personalisation.

We agree that information about the types and sources of data, where possible with an indication of the weight given to each, will be the most helpful to data subjects: in particular this allows them to check the accuracy of the particular data values used to derive their individual profile. For example Tribal’s Student Insight allows universities to both display and amend the factors that result in a particular student’s profile.

6. If someone objects to profiling, what factors do you consider would constitute "compelling legitimate grounds" for the profiling to override the "interests rights and freedoms" of the individual?

In most of our applications the part of profiling that has significant impact on the individual will be based on consent, so an objection would constitute withdrawal of consent, rather than a request capable of being refused if there were "compelling legitimate grounds" to do so. Since interventions should be designed to benefit the student, a significant benefit might constitute legitimate grounds for continuing either the offer of intervention or, in cases where it is not based on consent, the intervention itself. This might, for example, apply where an intervention was likely to make the difference between a student completing their course or dropping out.

Where profiling is based on a public or legitimate interest, purposes such as access agreements with the regulator or fraud detection might constitute compelling legitimate grounds for continuing despite an objection.

9. Do you foresee any difficulties in implementing the GDPR requirement to carry out a DPIA, when profiling?

No. We have recently commenced a DPIA for our learning analytics service.

10. Will your organisation be affected by the GDPR provisions on profiling involving children’s personal data? If so, how?

Jisc has no current plans to collect children's personal data. If universities or colleges wished to process children's data using services provided by Jisc we would expect them to have made appropriate arrangements for parental consent before doing so, for example at the application or enrolment stage.