Persónuvernd (Island) - 2022040716

The Icelandic DPA held that the University examining a student’s use of a learning website in a course supervision system violated the transparency requirement in Art. 5(1)(a) GDPR. The lack of information regarding peer assessment violated Art. 12-13 GDPR.

English Summary

Facts

A student at the University of Iceland complained to the Icelandic DPA that a teacher was monitoring their use of a teaching website in the Canvas student management system. In a subsequent complaint, the student also alleged that the University did not provide sufficient information about using peer evaluation as a method.

The Icelandic DPA combined both the complaints and asked the University of Iceland to reply. In reply, the University of Iceland stated that the University's processing of student's personal data is based upon authorisation granted under the Act on Data Protection and the Processing of Personal Data. The University also stated that the examination of student's use of a teaching website was necessary for the assessment and was as per Art. 6(1) GDPR. However, one of the web pages which would have provided the necessary information to the student about the examination of the use of the learning website on Canvas was inactive. With respect to peer assessment, the University provided no evidence claiming that the student was informed in this regard.

Holding

The Icelandic DPA held that the University's examination of student's use of the learning website on the Canvas platform violated Art. 5(1)(a) GDPR. It also held that as the University violated Article 12-13 GDPR because it failed to provide the student the required information about examination of their use of the learning website and peer assessment.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Solutions

Processing of personal information by the University of Iceland

Case no. 2022040716

22.2.2024

All processing of personal information must be covered by one of the authorized provisions of the Personal Protection Act, as well as being compatible with all the principles of the law, i.a. that personal data is processed in a lawful, fair and transparent manner towards the data subject. In this case, the complainant was not sufficiently well informed about the possibility of teachers at the University of Iceland to process personal information about him and the university's processing was therefore not considered to have been compatible with the transparency requirement of the privacy legislation.

----

Privacy has ruled in a case where a complaint was made about the electronic monitoring of teachers at the University of Iceland. More specifically, it was complained that the teacher had monitored the use of the complainant, who was a student in a course with the teacher, on the teaching website in the Canvas learning management system. The complaint was also based on the fact that the teacher had used the peer assessment of the complainant's fellow students when grading the course.

The conclusion of the Personal Protection Agency was that there was no electronic monitoring, according to the definition of the term in the Personal Protection Act, as the teacher's assessment of the complainant's activity in the learning management system was not sustained or repeated regularly. It was also considered that the said processing of personal information about the complainant had been necessary for the university in connection with statutory tasks entrusted to the university by law and therefore can be based on authorization in section 5. Article 9 Act no. 90/2018, on personal protection and the processing of personal data, which stipulates that processing may be permitted if it is necessary for work carried out in the public interest or in the exercise of official authority exercised by the responsible party.

However, it was not considered that the complainant had been sufficiently informed of the teacher's possibilities to examine his activity in the course, by examining his use of the Canvas learning management system and making it the basis for grading, and the use of peer assessment for grading. The University of Iceland's processing was therefore not considered to have complied with the transparency requirement of the Personal Data Protection Act and the university was not considered to have provided the complainant with appropriate training on the processing of personal information.

Ruling

about a complaint about the processing of personal data by the University of Iceland in case no. 2022040716:

i

Procedure

On April 7, 2022, Personal Data Protection received a complaint from [A] (hereinafter the complainant) about the processing of personal information about him by the University of Iceland. More specifically, the complaint relates to the fact that a teacher at the University of Iceland engaged in illegal electronic monitoring of the complainant by examining his activity in a course by examining his use of a teaching website in the Canvas learning management system. During the course of the case, the complainant filed a new complaint against the same teacher at the University of Iceland, with a letter of the day. September 13, 2023. The second complaint concerned the instructor's use of peer evaluation by the complainant's fellow students in grading the course. The complainant's second complaint was combined with his previous complaint under case number 2022040716 at Personal Protection.

Personal Protection invited the University of Iceland to comment on the complaint in a letter dated 26 June 2023, and the university's answers were received on 1 September 2023. By letter, dated 5 p.m., the Data Protection Authority requested more information from the University of Iceland and received it by letter dated 26. s.m. The University of Iceland was then informed that the complainant had added to his complaint and the university was invited to comment on the subject of the complaint by letter dated 12 October s.á The university's answers were received by letter, dated 28 November s.á At the same time, the complainant was given the opportunity to submit comments to the answers of the University of Iceland by letter, dated 4 September 2023 and 30 November 2023, and the complainant's comments were received by letter, dated 17 December s.á.

When resolving the case, all the above-mentioned documents have been taken into account, although not all of them are separately explained in the following ruling.

The processing of the case has been delayed due to the heavy workload at Personal Protection.

___________________

There is a dispute over the authorization of a teacher at the University of Iceland to examine the complainant's activity in a course, by examining his use of the Canvas learning management system, but the complainant was at the time a student of the teacher in a course taught at the university. There is also a dispute about the teacher's authority to use peer assessment when grading the course.

The complainant is based on the fact that the teacher in question engaged in illegal electronic monitoring of him as a student by monitoring what he viewed in the University of Iceland's Canvas learning management system, without him having been informed about it or given consent for such electronic monitoring. The complainant also believes that the teacher has violated the principles of the privacy legislation on reliability, transparency, fairness and proportionality by using peer assessment for grading in a course that the complainant sat with the teacher.

In the response letter of the University of Iceland, it is stated that according to the syllabus in the course that the complainant sat at the university and the teacher in question taught, there was a three-part assessment, i.e. (1) group project, (2) participation and activity, and (3) final exam. One part of the assessment "participation and activity" consisted in the fact that students were asked to watch videos during class and post suggestions and questions through the Canvas learning management system. The teacher therefore checked the complainant's activity in the course by checking his use of the teaching website in the Canvas system. The University of Iceland is based on the fact that the processing of students' personal information in the Canvas student management system is based on authorization according to section 3. Article 9 Act no. 90/2018, on personal protection and processing of personal information. It is pointed out that according to paragraph 1. Article 2 law on universities, no. 63/2006, a university is an independent educational institution that carries out teaching, research, preservation of knowledge, knowledge seeking and creation in the fields of science, studies, technological development or art. In paragraph 1 Article 7 it is stipulated that universities decide on the arrangement of teaching. According to the above, the University of Íslands uses the Canvas learning management system to manage student teaching. The university also points out that the feature of the Canvas system is designed so that assessment in distance learning and grading can be based on the students' practice and the teacher can therefore decide that it is important for the grading that the students look at files, recordings, documents, pages and more. According to the answers of the University of Iceland, the complainant, on the other hand, was not instructed about the processing of his personal information in the Canvas student management system.

With regard to the teacher's use of peer assessment as the basis for grading the course, the University of Iceland did not provide substantive answers to the questions of the Data Protection Authority during the investigation of the case, but referred to an attachment with the decision of the dean [at] the University of Iceland in a case regarding the complainant's complaint about the assessment in the course, pursuant to Article 50. of the rules of the University of Iceland no. 569/2009, as well as to the opinion of the appeals committee in student affairs in case no. [....] on the occasion of the complainant's complaint.

II.

Conclusion

1.

Lawfulness of processing

This case concerns the authorization of a teacher at the University of Iceland to examine the complainant's activity in a course, by examining his use of a specific teaching website in the Canvas learning management system, as well as the teacher's authorization to use the peer assessment of the complainant's fellow students when grading the course. It concerns the processing of personal data that falls under the authority of the Personal Protection Agency.

The person responsible for the processing of personal information is compatible with Act no. 90/2018, on personal protection and processing of personal data, and Regulation (EU) 2016/679 is the named responsible party. According to number 6 Article 3 of the Act, it refers to an individual, legal entity, government or other entity that alone or in cooperation with others determines the purposes and methods of processing personal data, cf. Number 7. Article 4 of the regulation. The University of Iceland is considered to be the responsible party for the processing in question according to the aforementioned provisions of the law and the regulation, as it is generally understood that the responsible party is the institution or company concerned and not individual employees, whether it is managers or ordinary employees.

Electronic monitoring is monitoring that is persistent or regularly repeated and includes monitoring of individuals with remote or automatic equipment and is carried out in public or in an area that is normally visited by a limited group of people, cf. Number 9. Article 3 Act no. 90/2018. As the incidents have been described by the parties, the examination of teachers at the University of Iceland on the activity of students in courses, by examining their use of a specific teaching website in the Canvas learning management system, was not ongoing or repeated regularly. In the opinion of the Data Protection Authority, this is not a case of electronic monitoring according to the referenced legal provision.

All processing of personal information must nevertheless fall under one of the authorization provisions of Article 9. Act no. 90/2018, cf. Paragraph 1 Article 6 of regulation (EU) 2016/679. When the government and public institutions work with personal data, it is best to refer to item 3. of the legal article, cf. Section c of the regulatory clause, which stipulates that processing may be permitted if it is necessary to fulfill a legal obligation incumbent on the responsible party, and section 5. of the legal article, cf. Clause e of the regulatory clause, which prescribes that processing may be permitted if it is necessary for work carried out in the public interest or in the exercise of official authority exercised by the responsible party. When assessing whether the processing of personal data is based on the 3rd or 5th item. Article 9 of the law, it is important to keep in mind that according to item 3 it is assumed that the legislator has decided clearly in the law that certain processing shall take place. When based on number 5. on the other hand, it is assumed that the government has a certain scope to assess what processing is necessary to implement the statutory tasks of the relevant government authority with reference to the public interest and the exercise of public authority.

In addition to authorization according to the above, the processing of personal data must be compatible with all the principles of paragraph 1. Article 8 Act no. 90/2018, cf. Paragraph 1 Article 5 of regulation (EU) 2016/679. Among other things, it is stipulated that personal data must be processed in a lawful, fair and transparent manner towards the data subject, cf. Number 1. of the legal provision and point a of the regulatory provision. In connection with the assessment of transparency during processing, according to the above-mentioned principle, provisions on the responsible party's educational obligation towards the data subject must also be taken into account, cf. Article 17 Act no. 90/2018 and 12.-14. art. of regulation (EU) 2016/679.

When evaluating authorization for processing, provisions in other laws that are applicable in each case must also be taken into account. In particular, law no. 63/2006 on universities. In Article 7 The law states that universities determine the arrangements for teaching, research, study and assessment. The comments to the draft law also state that the law is intended to continue to ensure flexibility in the organization of universities, where flexibility and independence are paramount.

In its answers, the University of Iceland has referred to the fact that the assessment in the course the complainant sat with the teacher was three-part and that one part was "participation and activity" and the other "group project". The university is based on the fact that it was necessary to examine the complainant's activity in a specific course, by looking at his use of the teaching website in the Canvas learning management system, as a basis for grading the evaluation component "participation and activity". It is also clear from the documents of the case that the peer evaluation of the complainant's fellow students in a group project was one of the factors that formed the basis of the grading of the "group project" evaluation component. When the processing of personal information is carried out by the government in connection with their statutory tasks, the Data Protection Authority has considered that the processing can mainly rely on item 5. Article 9 Act no. 90/2018, cf. point e, paragraph 1 Article 6 of regulation (EU) 2016/679. In the opinion of the Data Protection Authority, it will be considered that the University of Iceland can base the said processing of personal information on this basis, in light of the tasks assigned to the university by law no. 63/2006.

However, the University of Iceland has agreed with the complainant that he was not sufficiently informed of the teacher's potential to examine his effectiveness in the course by examining his use of the teaching website in the Canvas course management system and using this as the basis for grading. It was also stated in the response letter of the University of Iceland that when the complainant logged into the Canvas learning management system, the information page about processes in the system, which appears to individuals when they connect to the system, was inactive. There is also no evidence that the University of Iceland provided the complainant with information that peer assessment would be used as a basis for grading.

With reference to the above, it will therefore be considered that the University of Iceland's processing of the complainant's personal information, which included an examination of the complainant's use of a specific teaching website in the Canvas learning management system and the use of peer assessment for grading, did not comply with the transparency requirement of item 1. Paragraph 1 Article 8 Act no. 90/2018, cf. point a, paragraph 1 Article 5 of regulation (EU) 2016/679. Then it will not be considered that the University of Iceland has provided the complainant with appropriate education according to 1.-2. paragraph Article 17 of the Act and 12.-13. art. of the regulation.

Ruling:

The University of Iceland's processing of personal information about [A] did not comply with the provisions of Act no. 90/2018, on personal protection and processing of personal data, and Regulation (EU) 2016/679 on fair and transparent processing and education obligation.

Privacy, January 22, 2024

Valborg Steingrímsdóttir Edda Úríður Hauksdóttir