TELeurope
In the educational world, only very limited datasets are publicly available and no agreed quality standards exist on the personalization of learning. The SIG dataTEL aims to address these issues by advancing data driven research to gain verifiable and valid results and to develop a body of knowledge about the personalization of learning.


Organisational experiences with the data privacy document

Riina Vuorikari
611 days ago

Just a few quick remarks on this crucial point of Data privacy from the work that we've done in European Schoolnet. In this post I refer to the Privacy policy of LREforschools portal, to find the policy scroll down and click on "privacy policy". It's well hidden, right ;)

First and foremost, the identification of data (e.g. what is gathered) will always need to be explained in the privacy policy. For example, in the LRE we say:

Information such as user IP address, internet service provider (ISP), web browser, operating system, approximate times of use, referring site, and any similar data exchanged between a user's computer and the servers of the LRE portal is collected on an aggregate basis, and, unless initiated by a specific user account, the LRE cannot tie this information to a particular user account. This information is accessible only to the system’s administrators of EUN Partnership aisbl and is only used to ensure the broadest compatibility and connectivity between users and the LRE portal, and to take appropriate action in case of unlawful or inappropriate behaviour.

...

  • Registrant data: name, surname, occupation, if teacher subject taught, language/s spoken, email address
  • School data: school's name, type, address, town, postal code, country

Second, the privacy statement says what the purpose for gathering the data is; under current EU and most national laws, one cannot gather data just for the purpose of gathering:

Personal information provided by the user or collected during usage of the LRE platform will only be used to enable and improve the LRE user experience, including for the purposes of access control, tracking usage frequency, habits, preferences and settings, and for informing the user about any developments and updates related to the LRE platform.

So in this case it's important to say "to improve the LRE user experience", which can include a variety of things, namely to create better ways to search and find resources (e.g. recommender systems, better ranking of results, social navigation).

Thirdly, something is said about who can access this information:

Access to this information is strictly limited to EUN Partnership aisbl, education ministries and entities in charge of implementing the LRE. EUN Partnership aisbl will not divulge your personal data for direct marketing purposes.

Unfortunately, in this case it is not explicitly mentioned that the data could be used for research purposes by any third parties, so with a strict reading of the data, I could not give out the full dataset with usernames, personal info, stats, etc, say, to a university of XYZ to run some test for recommender algorithms.

However, I should be able to use this data if anonymised (correctly), which is another tricky issue... and its own field of study... Just as a reminder about how tricky it is, check the AOL search data scandal that kind of put a stop to sharing corporate data, let's hope only for a while.

In my next post I will talk about another privacy statement that we have for another project (called eTwinning, more than 90 000 users) where we have been able to take these steps to secure the use of that data for research purposes.

Some links:

http://www.delicious.com/vuorikari/dataTEL

Final note: don't use any of this information before consulting your lawyer!

 

Hendrik Drachsler
610 days ago

Hi Riina,
very interesting stuff you posted here, I directly had a couple of questions in my mind:

  1. If EUN would have added RESEARCH as another activity to the policy would it then be okay to share it with other Universities? So is it just a matter of adding the term to the policy or does such an addition need the commitment of the users?
  2. How long did it take EUN to set up the policy and is it also applicable to other data sets at EUN?
  3. Does the policy only apply to European law and are there any differences between European law and national laws?

I think we need a kind of handbook on how to set up a proper data set policy within an organization or for a certain service. Something with editable forms that support the people in creating their own data set policies, a tool that asks the right questions to the people and suggests the important paragraphs for such a policy. The outcome should be a draft text that can be given to a lawyer.

Or we just do it like Facebook and all content is owned by the service provider. ;)

Riina Vuorikari
603 days ago

Here is the privacy document of the other project, eTwinning, that I talked about:
http://www.etwinning.net/en/pub/misc/privacy_statement.htm#i2450

It's been in the making for many months, because many stakeholders were involved (e.g. EAC Agency who owns the data (data controller), EUN who is the data processor, Commission's data privacy expert).

Part 2 is important, it outlines what data is collected (2. What personal information do we collect, for what purpose and through which technical means?). We outline 3 areas:

  • Personal information
  • Other data
  • Usage data
  • Technical information

Data related to users’ behaviour within the various areas of the eTwinning platform may be used only for the purpose to carry out research and monitoring by the EACEA, the European Commission, and authorities in charge of implementing eTwinning (e.g., Central Support Services (CSS) and National Support Services (NSS) and national or regional school authorities) and other third parties (for instance, duly authorised research centres and universities). All usage of data by the actors mentioned above must be communicated to the data controller, which reserves the right to deny authorisation to such use.

Data shall not be processed for any other purpose. The legal basis for these processing operations of personal data is listed under point 9.

 

Then, we outline who can access that data (3. Who has access to your information and to whom is it disclosed?). This is what we learned that we need to add to the privacy document which makes it possible to use the data for our research purposes:

The transfer of specific data to other third parties (e.g., research centres and universities) can be permitted under specific authorisation of the Data Controller. Whenever possible, data will be processed in an anonymous way, especially if transferred to third parties for research purposes.

What happens is that we make a separate contract with each project/researcher/student who uses that data. It outlines the purpose of the research and says that the data can be only used for that purpose, is not shared, etc. It's also important to us to know who does research on our data and that we can use that research to make things better!

So, if anyone else wants to use the data to verify the research results, it is possible to make a new contract with them and make the dataset available.

As for now, we only are getting started with this procedure, but I can imagine that doing this type of research contract can become rather standardised, a bit like this one that I looked at as an inspiration (Data Purchase and Use Agreement for Welfare, Children and Families: A Three-City Study).