Whereas learning analytics uses data to inform decisions – from individual to curriculum level – on how to support students’ learning, data may also be used to inform decisions on how to support their wellbeing and mental health. Possible applications cover a very wide range: from screen-break reminders to alerts when a student appears to be at risk of suicide. Clearly such uses of data can involve both significant benefits and high risks.
This code of practice suggests how universities, colleges and other tertiary education providers can ensure that their use of data to support wellbeing does not create risks for students or staff, taking responsibility and demonstrating accountability for their actions in selecting, developing, implementing, operating and reviewing data-informed wellbeing processes.
As the headings in the code indicate, this will involve working with groups and individuals across the institution:
These need to be developed with students, staff, data owners, IT services and university governance, as well as student support services and data protection officers. Universities UK refers to this as a “whole-university approach”; Student Minds’ University Mental Health Charter calls it a “cohesive ethos”.
To support these discussions, this code also includes practical tools – for Data Protection Impact Assessments (DPIA) and purpose compatibility assessment for data sources – that should help to ensure the institution’s activities are, and can be shown to be, both safe for individuals and compliant with the law.
The approach taken by Jisc’s code of practice for learning analytics provides a good starting point for wellbeing and mental health applications.
This wellbeing and mental health code provides a detailed discussion of additional issues raised by the use of data for wellbeing purposes. Here we concentrate on the use of data in delivering wellbeing and mental health support: broader issues such as duty of care, healthcare treatment, human rights, equality and discrimination are not covered, though we have referenced relevant guidance on those issues where we are aware of it.
When delivering wellbeing and mental health support, institutions are likely to be processing personal data concerning health; some forms of analytics may aim to infer such data from other, behavioural, indicators, such as the student’s engagement with learning systems and processes. As well as meeting the legal standards that apply to all processing of personal data, wellbeing and mental health applications must satisfy the additional conditions and safeguards that apply to special category data.
This code of practice therefore includes safeguards from several areas of the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 that may be relevant when addressing wellbeing and mental health. In particular:
- Voluntary wellbeing apps – where each individual makes a positive choice to report or be monitored – could be provided on the basis of “consent”, though this requires both clear and detailed information to be given to users and that their consent be freely given, informed, unambiguous, specific, explicit and recorded
- If, however, an institution wishes to provide support across all students, or all of a group – for example by increasing the information available to appropriately-trained tutors and support staff when they have conversations with students or by flagging students who may need to be contacted proactively – then consent cannot be used as a basis. To help institutions fulfil their responsibilities in these circumstances, this code includes safeguards applicable to processing in the substantial public interests of preventive medicine and “protecting the physical, mental or emotional well-being” of individuals who are at risk of one or more of those types of harm
- Where using existing, historic, data to develop and test statistical models, provisions and safeguards on research use of personal data may be most appropriate
A detailed discussion of these, and other, lawful bases for processing health data can be found in step four of Annex A: data protection impact assessment template for wellbeing and mental health analytics.
Increased use of data may help to ensure that additional support is offered consistently and effectively, where there is greatest need. However the overall level of such provision – in effect the threshold at which support is offered and the kinds and depth of support that are provided – is likely to remain an institutional choice. AMOSSHE’s discussion of universities’ duty of care suggests the level of provision likely to be required by law.
Where wellbeing or mental health information is derived from existing learning analytics processes, the stronger controls in this code should be used from the point where the wellbeing/health purpose separates from the learning analytics one. In other words, where the aim becomes to identify potential health issues rather than academic ones. For example:
- If the organisation decides to collect additional data for the wellbeing/health purpose, this code, rather than the learning analytics one, should apply to the decision to collect that data and thereafter
- If the organisation decides to use different algorithms for the wellbeing/health purpose, use this code from the decision to use those algorithms
- If tutors, or other support staff, are told “this pattern of learning problems may benefit from a wellbeing discussion”, use this code from the decision to create that instruction
- If, during normal tutorial conversations, an individual tutor suggests to a student that they might seek other kinds of help, that would be covered by normal tutorial processes, not this code of practice
Consideration of validity and enabling positive interventions and minimising adverse impacts may indicate that the purposes of learning analytics and wellbeing and mental health should separate earlier. For example those principles may reveal that learning analytics algorithms are not, in fact, the best predictors of wellbeing issues or that some interventions should take place in a health, rather than tutorial, context.
Key differences from learning analytics
Since wellbeing and mental health analytics is intended to improve students’ health it should be overseen by health professionals, in the same way as analytics to improve students’ learning should be overseen by learning professionals. Provided they remain under this authority and are subject to appropriate confidentiality rules, the day-to-day operation of wellbeing and mental health analytics may be conducted by appropriately trained and supported tutors and other staff (see responsibility section for more).
A wider range of data sources may be relevant to wellbeing and mental health than for learning analytics: both environmental indicators of when a student may be in a stressful situation (for example a change of course) and behavioural ones that suggest they may not be coping (for example a sudden change in study pattern). Some of these sources may have been collected for very different purposes, and students may not expect them to be re-used in this way. Institutions will therefore need processes to determine whether it is appropriate to include a particular data source and, if so, what additional measures may be needed (see transparency and consent, and Annex B: purpose and transparency for wellbeing and mental health analytics.)
Testing and validation of algorithms and processes are even more important for wellbeing and mental health analytics because of the serious consequences if they go wrong. However such testing must be conducted separately, using data pseudonymisation and anonymisation wherever possible, to ensure that information does not leak between the test and production processes. Testers must not see individual identities, counsellors must not be able to see data that was provided only for testing (see validity for more).
Since the likely legal justification for proactive wellbeing and mental health analytics is to provide support to individuals, institutions must ensure that adequate services to provide such support will actually be available to individuals when data, algorithms or other signals indicate that they may be needed (see under enabling positive interventions and minimising adverse impacts).
Wellbeing and health applications will require a formal Data Protection Impact Assessment (DPIA), involving stakeholders and the organisation’s data protection team (see responsibility and Annex A: data protection impact assessment template for wellbeing and mental health analytics).
Code of practice for wellbeing and mental health analytics
Jisc’s code of practice for learning analytics provides a baseline for supplementary uses of student data.
This code uses the same headings: for each it highlights key common areas (for which detail can be found in the learning analytics code) before a detailed discussion of additional issues raised by the use of data for wellbeing and mental health purposes.