How xAPI Helps Solve For GDPR Requirements
On May 25th the General Data Protection Regulation (GDPR) for EU citizens will become enforceable. Whilst it’s causing a fair few headaches for businesses around the world, the legislation, at its heart, is a good thing.
Making people more aware of their rights when it comes to data, and forcing businesses to take proper account of those rights, is a key step in taming the somewhat wild-west nature of the Internet just as AI and the use of data to personalise experiences is becoming dramatically more widespread.
As an xAPI company we are often asked about the potential impact of GDPR on collecting data. I actually don’t think this is such a big deal; if you have a Contractual Need or a Legitimate Interest in capturing the data that you do, you have little to fear from GDPR.
Apart from, that is, the need to potentially fulfill data access requests that might come across your desk from time-to-time.
The rights you need to fulfill
Given that you have already negotiated the right to store data on your learners in the first place, the GDPR legislation enshrines a series of rights that an EU citizen has to their data, to which a data controller must accede, given that other legal requirements don’t interfere (for instance, where a data controller must keep a record for legal purposes).
The most significant of these rights for us in the corporate learning world are as follows:
The right to access data held about me
You must be able to provide a complete record of data held about a person within a reasonable period of time and in a format that is both human and machine-readable. xAPI is a fit for this in most cases – the headline ‘triple’ of Actor / Verb / Object is clear for people and the JSON format of xAPI is machine readable.
The completeness of the record will be a challenge for some who only use xAPI occasionally; GDPR could push this usage to be more standardised across the board. Using a Learning Record Store, you could allow individuals access to their own data online and via a download type facility.
The right to edit incorrect data
Under GDPR, an individual accessing their record can make requests to correct out-of-date or otherwise incorrect data held about them. In most cases the xAPI statements held about a person will not be strictly ‘incorrect’ – if the statement was the creation of an automated logging process, it is likely to be ‘correct’.
And xAPI makes no allowance for the edit of a statement, but it does have a specific function, Voiding, for this sort of purpose.
Any legitimate error would need to be first ‘Voided’ (rendering the whole statement obsolete) and re-submitted as a complete new statement. The most likely case in practical application here is data being incorrectly assigned to a person – maybe a shared login or some other identity foul up causes my records to get intermingled with another person.
Learning Record Stores, including Learning Locker, tend to store a variety of data outside of just xAPI statements. Learning Locker, for example, creates a ‘persona’ record for each individual with data in the LRS. The persona holds identifying information and ‘non-xAPI’ attributes, such as department or location.
These are perhaps the most likely areas for need of correction as the data her tends to be mutable; it can change.
The right to be forgotten
This one is a little trickier. GDPR says that all users have a right to be forgotten; essentially to be removed from the database. But the xAPI specification makes no allowance for deletion.
You can make a case for obscuring a record; obfuscating identifiers with a one-way hash for example. You could perhaps achieve this by Voiding an entire users record and then re-inserting the same statements but this time with an anonymous ID, but, dependant on the nature of your xAPI statements, this might not be enough.
Even with an anonymous ID, it can still be relatively trivial to identify some users from the data they have submitted to the LRS (for example, if only one person asks to be forgotten, it’s instantly obvious whose records those are from the odd-looking IDs).
At the end of the day, the xAPI specification is going to be trumped by local legal requirements and you may have to work with your LRS provider to delete data, despite the rules of the application.
This will be possible, even grudgingly, but could have implications for downstream systems that expect the data to exist. Making sure consuming applications are robust to missing data will be necessary.
The right to obtain a copy of your data in a portable format
Again, going back to our first right on accessing records in the first place, personal data held in the xAPI format is portable by its nature. This one should be easy.
The ICO website, for UK viewers, is a great source of plain English insight into GDPR, including the rights mentioned above. You shouldn’t be put off collecting xAPI data because of GDPR – the rules apply whether you have an LRS, an LMS or whatever.
But far from being a burden, xAPI can be a great advantage to fulfill these rights.
Introducing our GDPR app
As a case in point of how xAPI can help facilitate GDPR requirements, we’ve made tool for administrators, the GDPR app, that plugs directly into your Learning Locker LRS and allows users to get access to the data that is held on them and to make requests of the data controller to edit / anonymise / remove data accordingly.
Any organisation with a maturing xAPI ecosystem has instantly got an advantage over those who keep data in many siloes.
Adopters of xAPI have been creating a single source of record for learning activity data, the Learning Record Store, which can make fulfilling data access requests several orders of magnitude easier than it might otherwise be.
The GDPR app taps directly into the Learning Locker LRS to allow administrators to create new data access requests, creating a time-limited (and PIN protected) URL that learners can access to see the data that is currently held on them.
A simple process…
1. A data access request is submitted to the organisation; through their own established GDPR request process.
2. An LRS administrator logs on to the GDPR app and creates a new data access request for the user in question.
3. The GDPR app generates a time-limited URL that will allow the requester to access their data online for 48 hours. The GDPR administrator sends the URL to the requester, alongside a PIN code that is required to gain access to the data at the URL.
4. The requester uses the unique URL and PIN code within the time window to access their data and make any requests (edit, download, etc).
5. Requests are sent directly back to the GDPR app and the administrator for action. Once action has been taken, the GDPR app logs the request as complete. Access to the data page is automatically revoked 48 hours after the request (and can be reinstated on-demand).
The whole process creates an audit trail from start to finish that allows the organisation to showcase how they took a request, gave access to the requester and then took actions to fulfil the requester’s rights. Perfect for demonstrating how you conform to GDPR needs.
The GDPR app is available free to Enterprise Learning Locker customers with one of our new ‘app’ plans; allowing adopting organisations to install and use 2, 4 or 8 ‘add-on’ applications that extend the use of Learning Locker beyond the Learning Record Store. See our website for more details and existing clients should get in touch with account managers to find out more.