The GDPR provides that the data subject has to give his/her consent to process his/her personal data for one or more specific purposes. This consent must be a “[…] freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her“. Our legal and ethical approaches are complementary to define the requirements to fulfil these four features in the context of TeSLA.
First, the “free” aspect of the consent is the effectiveness of the choice submitted to the data subject. It implies the presence of an alternative that he/she can select in case of refusal, which allow to avoid any feeling to be compelled to accept. However, the GDPR does not define precisely what constitute a genuine alternative.
Ethical analysis makes it possible to enrich the contribution of Law at this level.
TeSLA, as it was originally conceived, provides two possibilities:
– Either the teacher provides a possibility of examination completely outside the context of TeSLA. This potential delegation of responsibility toward the professor needs to be clearly explained for reasons of transparency towards future TeSLA user institutions. Indeed, it is important that they know what they will incur if consent is not given by the student.
– Either the teacher allows the student to take the exam with another combination of TeSLA instruments. We have suggested to the partners to standardize and clarify the uses that would be made by teachers to avoid a certain discrimination toward some students (what is the principle of justice if students are judged according to very different instruments?)
Secondly, the consent must be specific. This requirement means that, in case of multiple purposes for several data processing, the data controller must receive a separate consent for each purpose. We have stressed the importance of clearly defining how feedback is treated to submit a consent proposal for all the manipulations made with the private data (not only their collection).
Thirdly, the consent has to be informed. The objective is that the data subject understands the processing of his or her own personal data. According to the GDPR, the information must be concise, transparent, intelligible and easily accessible, given in a clear and plain language, avoiding specialist terminology. By surveying the students using the system during the pilot phases, we have highlighted some aspects they consider salient to be mentioned in the consent proposal. It concerns mainly the activation period of biometric instruments, the way they collect this data (the continuous aspect), and the behaviours to be avoided to allow the instruments to correctly collect the necessary data.
In the TeSLA project, the consent form is one page that appears on the computer screen. The objective is to facilitate and to ensure the provision of information to the students by ensuring that they have at least once taken note of all information relating to the processing of their personal data.
Finally, due to the sensitive nature of the biometrics data, the consent must be the result of an express statement from the students and cannot be only presumed or ambiguous. It may be canceled at any time because the GDPR specifies that it must be as easy to withdraw consent as to give it.
Nathan De Vos, UNamur, Manon Knockaert, UNamur
FUNDED BY THE EUROPEAN UNION
TeSLA is not responsible for any contents linked or referred to from these pages. It does not associate or identify itself with the content of third parties to which it refers via a link. Furthermore TESLA is not liable for any postings or messages published by users of discussion boards, guest books or mailing lists provided on its page. We have no control over the nature, content and availability of any links that may appear on our site. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
TeSLA is coordinated by Universitat Oberta de Catalunya (UOC) and funded by the European Commission’s Horizon 2020 ICT Programme. This website reflects the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.