From the code of practice for learning analytics:
- "Institutions must decide who has overall responsibility for the legal, ethical and effective use of analytics"
- "Student representatives and key staff groups at institutions should be consulted about the objectives, design, development, roll-out and monitoring of analytics"
Confidence and trust among students, staff and wider stakeholders are essential if wellbeing activities are to be beneficial, rather than harmful.
To achieve this, institutions will need to show that they are taking responsibility:
- Consulting and planning carefully before implementing any policies, processes, systems or data gathering
- Checking to ensure they deliver the expected results
The GDPR’s principle of accountability addresses many of these issues: designing processes and systems to ensure they protect personal data and the rights of individuals, monitoring those processes to ensure they are followed, and reviewing them to see where they can be improved. This code suggests various documents and records – assessments of data protection impact and purpose compatibility; records of processing activity, mapping of data flows, and policies on use of special category data – that the institution can use to demonstrate accountability and reassure students, staff and stakeholders.
Applications that aim to derive information about an individual’s health are likely to represent a high risk to privacy, and thus require a formal Data Protection Impact Assessment (DPIA). This includes identifying the relevant legal basis or bases for processing and ensuring that their specific requirements are satisfied.
Several organisations have published processes for conducting DPIAs, including ucisa and the Information Commissioner’s Office. Annex A: data protection impact assessment template for wellbeing and mental health analytics (pdf) offers specific guidance on using these processes to assess proposed wellbeing activities.
Where a high risk cannot be mitigated – though a successful DPIA process should normally do this – the institution should consider whether to continue with the proposal. If it decides to do so, the law requires prior consultation with the national data protection regulator: in the UK, the Information Commissioner’s Office.
The law requires that processing for preventive medicine must be done “under the responsibility of a professional subject to the obligation of professional secrecy” (Data Protection Act 2018 s.11(1)(a)). For wellbeing and mental health applications, UUK suggests that such regulated professionals should be found in student support directorates; both Jisc and UUK recommend “extensive consultation with mental health and student counselling specialists”.
Provided policies and processes remain “under the responsibility” of such professionals, day-to-day operations can be assigned to appropriately trained and resourced tutors and other staff in accordance with appropriate confidentiality rules.
Student Minds’ University Mental Health Charter stresses that “it is vital that staff in these roles are properly equipped, qualified, registered and supervised. This need for quality assurance extends to other interventions, such as the provision of digitally based services”.