From the code of practice for learning analytics:
- “Access to student data and analytics should be restricted to those identified by the institution as having legitimate need to view them”
- “Institutions should ensure that student data is protected when third parties are contracted to store or carry out analytics on it”
As for learning analytics, systems must be designed to protect individuals’ privacy. Health-related processing and data are likely to require tighter restrictions (both technical and organisational) than that relating to learning. Medical standards for confidentiality, granting and controlling access should be the norm.
Systems and processes must be designed to use no more data than is necessary (see validity); data obtained for one purpose must not be used for others without the individual’s agreement (see consent) data should have a defined retention period or event, and be deleted or anonymised once that passes.
Health or wellbeing information can only be shared with third parties if there is an appropriate legal basis for this. For example:
- If processing is based on consent then sharing must be covered by that prior consent
- If sharing is part of physical, mental or emotional wellbeing services then information may only be shared – under an appropriate data sharing agreement – with those providing those services
- If there is a legal duty to share, this must be limited to information covered by that duty, and under the safeguards prescribed
- If none of these applies then information may only be shared in life and death situations where the subject of the information is incapable of giving their consent