General Data Protection Regulation
The EU General Data Protection Regulation (GDPR) enters into force on May 25, 2018. Although it is an EU regulation, it extends to customers who may be processing data from EU citizens located anywhere in the world. This document provides an overview of the rights that are given to individuals and how it may affect D2L customers.
If you were given access to Brightspace or other D2L offerings by your institution (educational or otherwise), employer or organisation (“Organisation”) you should contact your Organisation to find out its practices regarding your personal information.
This document is for informational purposes only and is not legal advice. We urge you to contact a legal advisor familiar with your requirements for any such advice.
Because D2L is a company that has its roots in Canada, we process and use personal information in a manner that is already closely aligned to what is required by the regulation. The EU has given Canada an adequacy ruling for data transfers which identifies the country as largely aligning with data protection expectations (see http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/third-countries-faq/index_en.htm). D2L uses AWS Infrastructure currently located in the EU for the bulk of its EU operations. Data is only accessed by our affiliate offices for support and maintenance activities. Any such access by these offices is covered by EU Standard Contractual Clause agreements to ensure the protection of personal information.
We take data seriously, which is why we have pursued ISO 27001/ISO 27018 certification to see that our safeguards and access to your data follow industry best practices. We will continue with our annual security audits and maintain our ISO certification to comply with GDPR requirements of having evidence of adequate safeguards. D2L is one of the few Learning Management System companies that holds compliance certifications directly and does not rely solely on its hosting partners. You may review D2L security-related information, and request copies of our certificates here: https://www.D2L.com/security/
Updated Rights of Individuals under the GDPR
The following is an overview of the rights of individuals under the GDPR and an explanation as to how these rights generally affect our customers’ use of Brightspace. As each customer is different, we recommend that you review the GDPR with your privacy department and legal advisors.
The GDPR provides individuals with the right to:
- Be informed of data collection and processing.
- Access their personal information.
- Erasure of their personal information.
- Restrict processing.
- Object to automated decision making and profiling in certain cases.
- Request rectification of incorrect information.
- Data portability.
- Object to data processing.
These points are explored in greater detail below.
Be Informed of Data Collection and Processing
D2L’s basis for collecting and processing personal data is a contractual service agreement with you. We rely on you having obtained consent from your end-users, or you having another legal basis (e.g. contract, legitimate interest) for data collection and processing of their data. Because D2L does not police or monitor your information, or register your users, if D2L receives a request directly from your users for information surrounding the purpose of data collection and processing, we will instruct them to contact you. We will also notify you that we received such a request.
Access their Personal Information
The GDPR requires that individuals have access to their personal information that is being collected and processed. Within Brightspace, you and your users have access to the data that you upload, as it is readily displayed in most circumstances, depending on permissions (e.g., your system administrators would have greater access to data than students). D2L does collect and process data that may not be directly available (e.g. system event data, tool usage, page views, mobile device usage); however, this data is anonymous / de-personalised. If you receive a request from a data subject and require assistance in fulfilling it, please contact D2L Support and open a service ticket. D2L intends to help you fulfill the request within 30 days and will notify you if we believe it will take longer to complete.
If D2L receives a data access request directly from your users, we will instruct them to contact you, as you are considered the data controller under the GDPR.
Erasure of their Personal Information
The right to the erasure of personal information is provided to individuals so that their data will be removed from systems where it is no longer required. However, the right is not absolute; if you’re collecting the data to fulfill a contractual service, your organisation can continue to collect/process the data. For example, students enrolling in a school have expectations that the school will assist them in graduating; if a student needs Brightspace to graduate, removing that student from the system may not be the appropriate action to take in that case.
D2L provides options within Brightspace to allow you to meet your data retention policies for your organisation.
Restrict Processing
The right to restrict processing is based on a set of circumstances within the GDPR. You may need to limit your data processing activities to storage only if:
- Data is inaccurate and needs to be corrected.
- The individual has objected to processing (based on legitimate interests) and you need to verify the grounds for continued processing.
- The data you are processing has been determined to be unlawful and the individual opposes erasure and requests restriction instead.
- You no longer need the data, but an individual requires it to establish, exercise or defend against a legal claim. This would prevent you from deleting the data even if it falls outside of your data retention policies.
Correcting inaccurate data in most circumstances is under your control with the features available in Brightspace or by changing data with which Brightspace synchronises.
Object to Automated Decision-Making and Profiling in Certain Cases
This right protects individuals where a system is automatically making decisions that may restrict an individual’s rights and freedoms. An example is a system that automatically determines if a person is unable to attend law school. In this type of situation, you are required to provide individuals with a way to:
- Obtain human intervention.
- Express their point of view.
- Obtain an explanation of the decision and challenge it.
Although D2L provides products and services that create profiles and predict success in courses, decisions based on any resulting recommendations still require an individual to take action.
Request Rectification of Incorrect Information
You have a responsibility to change personal information that has been identified to be incorrect. In most circumstances, you have control over this data and can alter it directly within Brightspace or from within a system that synchronises with Brightspace. If you are unable to correct it or require assistance in making the correction, please contact D2L Support.
Data Portability
The right to data portability allows individuals to obtain their data in a format that allows them to move from one service to another of similar capability: for example, to take contacts from one email service to another. With Brightspace, course, achievement, and grade information is not directly transferable to another school or corporation; i.e., the assignments, materials, and achievements in an Introduction to Astronomy course may not be taught in a similarly named course at another school. Individuals should not expect to be able to move certain elements of personal information (such as achievements, quiz attempts) from Brightspace into any other school or corporate Learning Management System. For educational customers, the student transcript is the key piece of information that is transferable between institutions to determine course equivalence. Students who are using ePortfolio are able to export their learning artifact files and import them into another ePortfolio system.
Object to Data Processing
Individuals have the right to object to the processing of their data in specific circumstances, such as:
- Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling).
- Direct marketing (including profiling).
- Processing for purposes of scientific/historical research and statistics.
In order to perform a contract and meet your obligations for Brightspace products and services, it is necessary for D2L to process personal data. In the event that D2L receives an objection to data processing directly from your users, we will instruct them to contact you.
Other Resources; Legal Disclaimer
The UK Information Commissioner’s Office is an invaluable resource for information about the GDPR. More information about the regulation and the rights given to individuals may be found here: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/