Protecting and Using Personal Data in Education: Where Do We Stand?

On May 25, 2018, the "RGPD", General Data Protection Regulation, comes into force. Among the elements of novelty, the increased accountability of all actors who process personal data, facing sanctioning powers of national authorities that can be as much as 20 million euros or 4% of a company's global turnover!

A recent article by B. Devauchelle evokes the difficulty of the various actors in the educational domain to enter the framework of this European law ... and to fully assume their double responsibility, "legal as well as ethical", about the mass of personal data of a student that can be aggregated today.

Another recent article on EducPros discusses the new regulation from the "political" angle of data storage location and digital independence: several higher education institutions would be exposed to the dilemma of outsourcing, faced with particularly sharp commercial strategies from private operators.

Another new feature of the GDPR is the right to portability, defined as "the right to retrieve one's data in an open, machine-readable format for reuse for personal purposes." The European position often wavers between data protection and data enhancement; the idea of data reappropriation is not new, it was already mentioned in 2015 about Fing's initiative "Self Data ". Initiatives like MyStudentData, in the US, were supposed to allow each student to upload their schooling data, scattered across federal and local governments.

The Regulations Have Certainly Progressed since then, but What about the Practices?

A reading of the recent US press reveals that the MyStudentData initiative never really took off, apart from a timid attempt at the federal financial aid application registration site (FAFSA). Many reasons would account for this lack of realization: the lack of development of a common metadata dictionary to allow each agency to publish its data. An overly centralized target vision would have proved incompatible with a decentralized organization, where each agency or structure can evolve its own information system autonomously.

Also across the Atlantic, another project - this time a private initiative - has also met with abject failure. InBloom, 100 million funded by the Gates Foundation, an open-source platform centralizing educational data that intended to break down interoperability barriers and unleash the full potential of data analytics, in terms of decision making and learning tracks. An article from the Data Society looks back at the legacy of this project and the reasons for its failure:

• insufficient anticipation of the bureaucratic ramifications of educational administrations;
• the imprecision of the economic model (between 2 and 5 dollars per student),
• a typical start-up operation in the face of a market still difficult to identify, not very acceptable in an initiative of such a scale.
• the lack of case studies or pilot initiatives to convince a reluctant public opinion, concerned about the dangers of possible commercialization of data.

Two initiatives that have failed despite a political will are the involvement of recognized actors and a financial envelope sometimes consequent. What lesson should we learn from them? Probably, the need to roll out less ambitious pilot initiatives, on a smaller scale, which could light the way, such as two ongoing Erasmus+ policy experimentation projects:

• Erasmus without paper, to exchange between universities mobility data at the basis of the Erasmus program, or
• the Emrex project, to transfer student files or share them with employers, in a context of European strategy aiming for a 20% mobility rate of students by 2020.

During a workshop to prepare for the "RGDP" organized by the CNIL (Commission Nationale de l'informatique et des libertés) last December, the right to portability was presented as very theoretical, with no one yet knowing how it would be put into practice. One scenario presented as plausible was the emergence of trusted intermediaries that would take care of interfacing and formatting data instead of data provenance structures.

Now it remains to imagine how to apply this to the educational world.

To learn more about the GDPR, a CNAM MOOC starts in April on the fun platform: https://www.fun-mooc.fr/courses/course-v1:CNAM+01032+session01/about

Illustration: thedescrier, Foter.com

References

1. Bruno Devauchelle : Les données personnelles, en question
   http://www.cafepedagogique.net/lexpresso/Pages/2018/02/16022018Article636543632555710486.aspx (February 2018)
   
2. MyData Button: Button, Button, Who's Got the Button?
   http://www.arniedocs.info/wp-content/uploads/2016/05/MyData-Button-Disappears-2016-05-03.pdf (May 2016)
   
https://datasociety.net/pubs/ecl/InBloom_feb_2017.pdf (February 2017)

3. Erasmus without paper - http://erasmuswithoutpaper.eu
   
4. Emrex - http://www.emrex.eu/