Just a few quick remarks on this crucial point of Data privacy from the work that we've done in European Schoolnet. In this post I refer to the Privacy policy of LREforschools portal, to find the policy scroll down and click on "privacy policy". It's well hidden, right ;)

First and foremost, the use of data (e.g. what is gathered, who has access to it) will always need to be explained in the privacy policy. For example, in the LRE we say:

Information such as user IP address, internet service provider (ISP), web browser, operating system, approximate times of use, referring site, and any similar data exchanged between a user's computer and the servers of the LRE portal is collected on an aggregate basis, and, unless initiated by a specific user account, the LRE cannot tie this information to a particular user account. This information is accessible only to the system’s administrators of EUN Partnership aisbl and is only used to ensure the broadest compatibility and connectivity between users and the LRE portal, and to take appropriate action in case of unlawful or inappropriate behaviour.

Second, the privacy statement says what is the purpose for gathering the data, under current EU and most national laws, one cannot gather data just for the purpose of gathering:

Personal information provided by the user or collected during usage of the LRE platform will only be used to enable and improve the LRE user experience, including for the purposes of access control, tracking usage frequency, habits, preferences and settings, and for informing the user about any developments and updates related to the LRE platform.

So in this case it's important to say "to improve teh LRE user experience" which can include a variety of thing, namely to create better ways to search and find resources (e.g. recommender systems, better ranking of results, social navigation). 

Thirdly, something is said about who can access this information:

Access to this information is strictly limited to EUN Partnership aisbl , education ministries and entities in charge of implementing the LRE. EUN Partnership aisbl will not divulge your personal data for direct marketing purposes.

Unfortunately, in this case it is not explicitely mentioned that the data could be used for research purposes by any third parties, so with a strict reading of the data, I could not give out the full dataset with usernames, personal info, stats, etc, say, to a university of XYZ to run some test for recommender algorithms.

However, I should be able to use this data if anonymised (correctly), which is another tricky issue... and its own field of study... Just as a remind about how tricky it is, check the AOL search data scandal  that kind of put a stop for sharing corporate data, let's hope only for a while. 

In my next post I will talk about another privacy statement that we have for another project (called eTwinning, more than 90 000 users) where we have been able to take these steps to secure the use of that data for research purposes.

Final note: don't use any of this information before consulting your lawyer!