One of the many consequences of the ongoing Coronavirus (COVID-19) pandemic is the cancellation of second level state examinations in Ireland, the UK, and other jurisdictions.
In Ireland, the Leaving Certificate examinations were cancelled with students’ results based on calculated grades. Similarly, in the UK, calculated grades would be derived from a combination of various data sources relating to students. Naturally, all of these data sources will contain personal data and therefore fall within scope of the General Data Protection Regulation (GDPR).
In this blog, we explore below how the GDPR can be used to support the development of a robust process for a previously untested approach to state examinations. We outline a number of areas that teachers, pupils, parents, and the relevant Government departments should consider as results are published to students (in Ireland calculated grades were made available on Monday 7th September 2020).
Risks of lack of transparency, unfairness, bias, and exclusion mean that data protection can be utilized by all stakeholders to ensure that fundamental rights are protected, and that calculated grades are as successful as possible.
In Ireland, the steps in the process of calculating a student’s final grade (on which entry into preferred university courses will be based) include teachers assigning grades, based on their professional judgment, to each student. This includes combining coursework and project appraisal, end of terms tests, mock exams, and an assessment of the overall ability of each student. In addition, each student is assigned a ranking position in the class amongst their peers, in terms of how likely each student would be to get a grade.
This information is then input to an algorithm, the output of which will be the actual grades of a student. The Department’s processing includes a “standardization” of the teacher-awarded marks to reduce risk of students being marked too high or too low relative to previous years1. The Irish Government confirmed2 that students will not be given access to this “class ranking” when their calculated grades are released.
Data protection and privacy implications
Holistically, calculating or predicting grades for students requires several fundamental data protection matters which must be considered:
1. All processing activities require a clear lawful basis
Therefore, a clear lawful basis for issuing calculated (or “predicted grades”) must be identified and justified. It must be clear, robust, and defensible.
2. The processing must be transparent
A key principle of the GDPR is “transparency of processing”. In other words, how clearly, fairly, and transparently the processing activity is presented to the affected individuals. Some considerations might be:
- How is data subject made aware of the processing?
- Is the processing fair to the data subject?
- Will there be automated decisions taken that could have a significant outcome on the data subject?
- Does the data subject have a choice not to be subject to automated decisions?
- Is sufficient and meaningful information about the algorithmic calculation published and made available?
- Will the detailed elements of the final “predicted grade” such as class rankings, socio-economic determinants be made available?
3. Right of Access
It is important that controllers review their policies and procedures for dealing with data subject access requests (DSARs) before the release of the grades. This will help in ensuring that any ensuing DSARs can be met. If a DSAR is received, parties should note that under the GDPR the definition is very broad and means any information relating to an individual could be in scope. Where student information appears in other documentation and files, then the additional information contained in those files must also be considered personal data because it relates to the individual.
The GDPR mandates that a data controller shall undertake a Data Protection Impact Assessment (DPIA) where processing activities are likely to create high risks for data subjects. Predicted or calculated grades will have significant impact on the class of 2020, determining whether students achieve the entry requirements for their chosen third level or further education course, and a properly conducted DPIA would identify those risks and help the authorities to mitigate their impact and protect the fundamental rights of the students.
A DPIA on calculated grades has yet not been made publicly available. There are reports, however3 that teachers are advised to destroy any supporting documentation used to assign a result to a student, which is input to the calculated grades process. This goes against the fundamental right to access personal under Article 15, GDPR, and is a potential outcome that a DPIA could protect against.
A robust application of the GDPR, including undertaking DPIAs, helps Data Controllers to get data protection right, protecting fundamental rights by ensuring appropriate due diligence over the rights and freedoms of the data subjects. This helps to provide assurance to the affected data subjects; and is needed more than ever given the unheralded circumstances in which the class of 2020 finds itself.
The calculated grades situation unfolding in Ireland has already played out internationally, with significant controversy arising the UK. In Scotland and England, following significant protests and unrest from students and student groups, the respective governments performed a complete U-turn on their alternative system for exam grading. Instead, the students’ final marks will be “based solely on teacher or lecturer judgment”. Similar reversal of policy was initiated in Northern Ireland.
With the recent experience in the UK evident and what could unfold in Ireland, privacy related questions that stake-holding bodies need to ask include:
- Is it appropriate for teachers to retain notes that may have a definitive impact on a student’s grade?
- Is sufficient detail about the calculated grades process made public?
- Has a DPIA been performed to assess and mitigate the potential impacts on students and will this be made public?
- Are the internal data subject rights management processes fit for purpose?
- Has the advice of the DPO been sought, and has this advice been followed?
The GDPR was envisioned to enable data controllers to be transparent and fair in processing personal data. These protections are needed more than ever in the information age and data protection provides a constructive framework that can be utilized by all stakeholders to protect fundamental rights.
It is likely that any challenges relating to exam results will also include interpretations of the GDPR and relevant local legislation (e.g. Irish Data Protection Act 2018). Full and complete transparency with respect to proposed activities will go some way to assuage the significant concerns relating to calculated grades. Undertaking a data protection impact assessment (DPIA) that transparently details the algorithm and assures the public is key, and in today’s society is the absolute minimum requirement.
Moreover, the protection of fundamental rights and freedoms is vital in what is truly an exceptional year with an extraordinary set of circumstances.
1. Minister Foley announces details of Calculated Grades model for Leaving Certificate 2020 (sourced 01 September 2020) https://www.education.ie/en/Press-Events/Press-Releases/2020-press-releases/PR20-09-01.html
2. Leaving Cert students will not have access to ‘highly sensitive’ class ranking data (sourced 02 September 2020) https://www.irishtimes.com/news/education/leaving-cert-students-will-not-have-access-to-highly-sensitive-class-ranking-data-1.4345093
3. Leaving Cert: Teachers advised to ‘destroy’ documents relating to students’ grades (sourced 27 May 2020) https://www.irishtimes.com/news/education/leaving-cert-teachers-advised-to-destroy-documents-relating-to-students-grades-1.4263122