Educational institutions hold a wealth of data, including student characteristics, academic performance, evaluations, and attendance records. This data is valuable for research, as it can generate insights that help improve educational policy, reduce dropout rates, and monitor student wellbeing. By analysing this data, researchers and institutions can more effectively identify how to enhance both student support and academic success.
At the same time, this data typically relates to identified or identifiable individuals and therefore qualifies as personal data. As a result, the General Data Protection Regulation (GDPR) applies. This raises an important question: under what conditions can educational institutions share student data with external researchers?
This blog explores the key considerations for sharing student data responsibly in a research context.
Roles in research collaborations
Before discussing the conditions for sharing personal data for research, it is important to emphasise that collaborations between external researchers and educational institutions can take different forms. Research may be initiated either by an external researcher or by an educational institution, or it may be set up jointly. Depending on the situation, both parties may assume different roles under the GDPR.
For the purpose of this blog, we assume a situation of joint controllership. This arises where research is initiated in collaboration between one or more external researchers and educational institutions, and where both the purpose and the means of the research are jointly determined.
The GDPR framework
Researchers and educational institutions cannot simply share and use all available student data for research purposes. The GDPR sets clear limits on the processing of personal data. However, this does not mean that research is excluded altogether.
The GDPR lays down a number of conditions under which personal data may be processed responsibly. These conditions are therefore also relevant when sharing personal data for research. As the full set of conditions is too extensive to cover in this blog, the focus here is on one key requirement: that any processing, including the sharing, of personal data must be based on an appropriate legal basis.
In practice, external researchers and educational institutions often find it challenging to meet this requirement. As a result, sharing and using personal data for research purposes can quickly be experienced as navigating a legal minefield. Below, we therefore explain in more detail which legal bases may apply in different research scenarios, so that personal data can be used responsibly as a goldmine of insights.
The most appropriate legal basis
When an external researcher and an educational institution jointly initiate a research project, they must also jointly determine the legal basis on which the processing is based. Based on this legal basis, the educational institution may then share personal data with the external researcher. When choosing a legal basis, it is important that the most appropriate legal basis is selected, which in practice may require a careful assessment of different options.
In many cases, students are asked to give consent for the sharing (and further processing) of their personal data for research purposes. However, consent is not always the most appropriate or practical legal basis. Under the GDPR, consent must be freely given, specific, informed and unambiguous. In addition, it must be possible to withdraw consent at any time. This means that students may choose to withdraw their personal data from the research at any point. If, during the course of the research, certain data can no longer be used, this may disrupt the research or lead to unreliable results. For this reason, relying on consent is not always advisable, and it is important to consider alternative legal bases.
As an alternative, public educational institutions can often rely on the legal basis of a task carried out in the public interest, particularly where the purpose of the research follows from statutory duties or obligations. For example, research into first-year dropout rates aimed at improving education aligns with the statutory task of public educational institutions to provide high-quality education. This legal basis is therefore only appropriate for public educational institutions and for research purposes that can be linked to specific legal provisions. It is therefore important that educational institutions and external researchers carefully assess whether these additional requirements are met before relying on this legal basis.
In other cases, legitimate interests may provide an appropriate legal basis, provided that three cumulative conditions are met.
First, there must be a genuine legitimate interest. Second, the sharing and use of personal data must be necessary to pursue that interest. This requires assessing whether the research objective is proportionate to the impact on the privacy of students, and whether the objective cannot reasonably be achieved in a less intrusive way. Third, a careful balancing test must be carried out, weighing the research interest against the privacy interests of the students. Here too, it is essential that educational institutions and external researchers make a critical and well-considered assessment before relying on this legal basis.
Finally, it is important to emphasise that where special categories of personal data are processed, an additional exception under the GDPR must also be identified.
Conclusion: a conscious choice is worth gold
Student personal data is very valuable for research within education. It provides insights that contribute to improving both education and student support. At the same time, sharing and further processing such data requires careful legal consideration. The choice of legal basis is a crucial starting point that determines the lawfulness of the entire research project.
Educational institutions and external researchers must therefore critically assess, for each research project, which legal basis is the most appropriate, taking into account the specific circumstances of the case.
By making this assessment consciously and carefully, what may initially seem like a legal minefield can be turned into a goldmine of valuable insights.
Interested in other topics in data and privacy? Explore our other blogs.
