(July 24, 2020) On July 20, 2020, the Norwegian Data Protection Authority (NDPA, Datatilsynet) issued a letter to the International Baccalaureate Organization (IBO) ordering it to explain its use of personal data, automation, and historic prediction data in awarding final grades to Norwegian International Baccalaureate Diploma students during the current COVID-19 pandemic.
The NDPA is Norway’s supervisory authority for compliance with the European Union General Data Protection Regulation (GDPR), which applies throughout the European Union (EU) and European Economic Area, including Norway. In this capacity, the NDPA may order processors of personal data, such as the IBO, to provide information as needed in accordance with article 58(1)(a) of the GDPR.
The International Baccalaureate program is a high school program in which 80% of the final grade is based on in-person testing during the final year of high school. Typically, final exams are held during a three-week period in May each year. This year, however, because of the pandemic, the IBO decided to cancel the tests and instead award final grades on the basis of student coursework, teacher-delivered predicted grades, and historical prediction data tied to the prior performance of the student’s individual school. The historical prediction data used consisted of prior performances by students who had graduated from the same school in the past. In its letter the NDPA specifically notes that
[s]ome have voiced concerns that the calculation of individual grades is an automated decision-making process. The reasoning is that although the input factors in part may consist of assessments made through human involvement, the calculation of the final grade itself appears to happen through a wholly automated process where there is no room for meaningful human assessment.
In accordance with the GDPR, all use of personal data requires a legitimate purpose (GDPR art. 6), and the automated use of personal data is allowed only if it
(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
(b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
(c) is based on the data subject’s explicit consent [art. 22].
Moreover, violations of the GDPR may result in administrative fines in accordance with article 83 of the GDPR.
The Norwegian Data Protection Authority specifically notes that
[i]n line with Article 5(1)(a), (c), and (d) GDPR, personal data must be processed fairly, they must be adequate, relevant and limited to what is necessary in relation to their purpose, and they must be accurate.
All processing of personal data must have a legal basis in Article 6(1) GDPR. Automated decision-making as defined in Article 22(1) is nonetheless prohibited unless one of the exceptions of Article 22(2) applies and on the condition that there are suitable measures and safeguards in place in line with Article 22(3), such as the right to human intervention and to contest the decision.
In its letter the NDPA orders the IBO to explain how personal information and automation were used. It notes that personal information may be used only for an explicit purpose as provided for in the GDPR, and automated decisions may be used only if they qualify under one of the exceptions in article 22 of the GDPR. Specifically, the NDPA ordered the IBO to explain
- the May 2020 awarding model, the input data, how the input data are weighted, and how the actual calculation takes place;
- how the IBO considers that the processing of IB students’ grades is fair, in line with article 5(1)(a) GDPR;
- how the IBO considers that the data used in the calculation of final grades are adequate, relevant, and limited to what is necessary in relation to their purpose, in line with article 5(1)(c) GDPR;
- how the IBO considers that the final grades of IB students are accurate, in line with article 5(1)(d) GDPR;
- whether the IBO considers the process of awarding final grades as automated decision-making falling under article 22 GDPR, and why or why not that is the case;
- the IBO’s legal basis under article 22(2) GDPR for carrying out automated decision-making if it considers the process of awarding final grades as automated decision-making falling under article 22 GDPR, as well as which measures and safeguards are in place, in line with article 22(3); and
- how the IBO has, in the context of calculating final grades for IB students graduating in 2020, complied with its informational duties as well as its duty to provide access to data subjects without undue delay.
Citing the urgency of the issue, the Data Protection Authority ordered the IBO to respond by July 24, 2020. The IBO had previously issued a statement on its website explaining the grading process, without mentioning the applicable GDPR rules.