GDPR: Attendance Monitoring

A question recently arose about monitoring students’ attendance at lectures and tutorials, and how this fitted into data protection law. Since the main purpose of such monitoring seems to be to identify and assist students who don’t attend, and whose presence is therefore not recorded or processed, there seem to be a number of both practical and legal issues to think about.

Firstly, is there any processing of absentees’ personal data going on at all? It seems to me that there is, because at some point the absence record will lead to an “expression of opinion about the individual and…indication of the intentions of the data controller or any other person in respect of that individual” (Data Protection Act s1(1)). That means some legal basis for the processing is required: since these individuals won’t, by definition, have had recent contact with the organisation, consent seems an unlikely option (these individuals may, in any case, be the least likely to provide opt-in consent). So it seems better to consider the data collection and offer of support as legitimate interests of the university or college. As in our approach to Learning Analytics, the benefits of such processing need to be balanced against the risk to the individuals. When the student responds to the offer they will either grant or refuse informed consent for the help being offered.

So what about processing the personal data of those who do attend? In many cases the main purpose of this seems to be to understand what patterns constitute normal attendance, so as to be able to identify those whose behaviour diverges from what is typical for their cohort or class. Since these students are making their personal data available, consent might be a possible basis, but this has practical disadvantages because of the need for that consent to be informed and opt-in. Since attending students obtain little or no personal benefit, a low participation rate seems likely, so the patterns derived from the data may well be unreliable. A useful rule of thumb is that for any processing that depends on maximising participation, consent is likely to be a poor choice. Again, legitimate interests appears a better option, though the balancing test may impose stronger requirements on the processing. Unlike non-attendees, where the benefit of intervention can be included in the calculation, attendees are unlikely to receive any benefit themselves. So stronger risk-reduction measures are likely to be required: for example it would be worth considering whether attendance patterns can be derived from pseudonymised data, kept separate from the students’ actual identities. Information about the processing, and the option to object if a student’s particular circumstances mean processing creates a greater risk for them, needs to be provided, but could be included in course or enrolment details.

In some situations, a couple of other legal bases may be available. Where attendance monitoring forms part of a university or college’s access agreement with a regulator, it might be argued to be necessary for that public interest. Or, for some students (e.g. international) and some courses (e.g. those leading to professional recognition) attendance monitoring may be necessary to comply with a legal obligation. Whether this could be interpreted under non-discrimination law as a duty to record attendance for all students is a question for lawyers – the argument that you need to increase someone’s data protection risk in order to not discriminate in their favour is a tricky one!

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
