CDUL have listed the learning technologies approved by Kontraktenheden at Aalborg University. This means that the producers are abiding by the rules of GDPR and data protection. Kontraktenheden have developed a site where you can find answers to most of your questions about GDPR and data protection. When visiting this new site, you can filter the contents accordingly. This means that you can easily find the contents targeted at administration, educators, or students. If you can´t find what you are looking for, please contact Kontraktenheden. You can also subscribe to the newsletter about GDPR and thus stay up to date about GDPR at Aalborg University.
Below you can find the GDPR-approved learning technologies and digital platforms. All of these can be safely and securely utilized in learning situations:
- Office 365 (including Teams etc.)
Not ITS supported: But still GDPR-approved
- Mentimeter (Free version)
- Adobe Connect (Support is offered through DeiC)
- Peergrade (The Data Processing Agreement only includes licenses at HUM and SAMF. Not the free version of Peergrade.)
These systems are only approved to process regular personal data. They are not approved to process sensitive personal data.
Guide to the use of personal data in an educational situation.
The principles of GDPR applies whether you are in a regular classroom or utilizing different learning technologies to teach online. If the data is acceptable to use in a classroom, they are typically also acceptable to use online. Only remember to utilize the learning technologies recommended by CDUL, since these are approved in accordance to the GDPR-regulations and IT-security.
These systems are only approved to process regular personal data. They are not approved to process sensitive personal data. What does this mean?
Personal data is relevant information according to the GDPR-rules. Usage of personal information is when you let personal information be a part of your lectures. Either because you talk about people directly or because you use them in cases and examples. If you use completely fictional persons or cases it is – obviously – unproblematic. But if you use real life persons you must be aware of the following:
Regular personal data, GDPR-safe:
- Names, addresses, e-mail, and phone number
- Occupation, education, age, and marital status
- Pictures or videos of everyday situations where the person is not in focus
Confidential or sensitive personal data, NOT GDPR-safe:
- Health, religion, sexuality, political persuasion, unions and similar
- Crimes and misdemeanours or personal issues
- Social security number (CPR)
- Pictures or videos revealing something private
What about anonymous data?
According to the GDPR it is legal to utilize completely anonymous data. It does, however, require that neither you, the person in question, or others can uncover the person´s identity. You must remove name and identity where possible, but it is not always enough to live up to the rules of anonymizing.
Examples on NOT anonymized data according to GDPR:
During a lecture, you are describing a case containing an interview from person X. The interview has quotes about person X´s troublesome fight with cancer. The data stems from your own research data, which still contains the interview and where person X is named.
Even though you have deleted the raw data, the quotes are so specific, that X or her next of kin will be able to recognize them, if they participated in the lecture.
In both cases the data will be pseudo-anonymized, and this is not secure enough.
Can I use personal data from the news or social media according to GDPR?
The rules of GDPR is that you can only use these personal data if the person themselves have published the information. For example, you can mention or link to an open profile on social media or in a news story, and still abide the rules of GDPR.