Who owns student data in EdTech?

Many newer privacy laws, such as the European Union’s General Data Protection Regulation (GDPR), begin with the assumption that the data subject owns and exerts control over their own personal data. After all, the GDPR talks about “controller” and “processor” relationships with data and no “owner” relationship for any third party. Then either through consent or other mechanisms other organizations may process that individual’s data for legal and defined purposes, but the data subject maintains ownership throughout.  

On the other hand, other sources argue that some data, including personal data in the social media context, is a product of a series of transactions and “give to get” interactions.  In fact, data subjects who give their data away in return for “free” products and services or social benefits, including through intermediaries like social media platforms, are driving digital capitalism by giving their data away.  

Moreover, where personal data is created as a result of interactions with other people, such as through social media, there could be an argument for collective ownership of that personal information.  

The question of who owns personal data becomes even more complicated in the realm of education.  

Why is student data complicated?

Some of the complicating factors in the education data ownership debate come from the: 

• Number and types of parties involved
  • Institutions (some public, others private) and their vendors, teachers, and students all interact with student data on a day-to-day basis. Additionally, researchers, employers, and business-to-consumer companies all have an interest in student data to fulfil their own goals.
• Amount and types of personal data involved
  • Education institutions are often little worlds of their own, providing their own medical care, food, employment, education services, religious services, housing, support services, and recreation opportunities to students. These activities have the potential to generate an enormous amount of personal data about all facets of an individual’s life, including sensitive personal information. There are also quite different contexts around each of these use cases. For example, a student might be a student, tenant, patient, employee, and member of a congregation all in the same day. The data that the student provides or generates in each of these distinct roles will have vastly different contexts related to privacy.
• Level of student sharing
  • Students do not only share personal information through traditional social media. Rather, students also are required to share content for classes – photos, art, and written content – some of which may be very personal in nature and not provided with the intent of making public more widely.  
•  Possible minor status of students
  • Depending on the level of education and jurisdictional definition of “child,” many students may be under the age of consent and/or considered to be a vulnerable data subject group. These statuses can call into question whether students themselves own data and/or can give consent for data uses and collection, or whether parents/guardians must exert any control.  

Questions to ask when it comes to student data ownership

Given the complexity and context-dependent nature of all these factors, there is no single answer to the question of student data ownership. However, educational organizations and educational technology companies will find it useful to think about the answer for all the data they hold to make compliant, sound, and ethical decisions about the data. As is so often the case in answering complex questions, it will be useful to ask (and answer) more questions to get to a determination.  

Following these steps can help an educational or edtech company come to a thoughtful conclusion: 

• Describe data flows: Most privacy activities start from a place of knowledge – of what data an organization collects and how, how the data flow through the organization, to what uses do applicable groups/entities put the data, which internal and external groups/entities access the data, whether and how the data flow out of the organization, and whether and how the relevant parties delete the data. In other words, the facts about the who-what-when-where-why of the data is the launching pad of any privacy decisions.  

• Determine applicable jurisdictions and laws: As mentioned previously, some jurisdictions already provide an answer to the data ownership question by asserting that the data subject always owns their own data. A careful review of relevant jurisdictions and relevant laws may help provide clarity on ownership. It is common for one set of laws to cover some data under one set of circumstances and other laws to apply under different circumstances. A careful review of jurisdictions and laws may require detailed analysis resulting from the preceding data inventory/mapping process.  

• Consider context – relationship, data collection experience, expectations: At a basic level, the complicated set of circumstances related to the relationship the educational organization has with the data subject, any implicit or explicit promises related to the data/data handling/incentives for providing data, the type and sensitivity of the data, and how the data subject themselves feels about privacy/data/the organization all combine to create a set of data subject expectations. A savvy organization will consider these factors when making decisions about data ownership and use.  

• Determine data subject majority/capability: Even if relevant law, circumstances, and data subject expectations lead to a possibility that the data subject could give or trade their personal data to an educational organization rather than allow for its use, the data subject must have the capacity to do so. Age, mental status, and an unequal balance in the relationship can create an obstacle to transfer of data ownership.  

Final thoughts

In the end, an educational or educational technology organization may conduct this type of analysis and still come to uncertain conclusions about data ownership. However, at a minimum, careful consideration of these factors will help the organization determine the full extent of compliance requirements and student expectations related to each data set and data use. It will help the organization make sound decisions about which data it may use for which purposes, impacts on the data subjects, and the best ways to collect the consents and consent experiences it needs to fulfil organizational goals, data subject needs, and regulator requirements.  

You might also like to read: