At NTNU, we are in the middle of a discussion about the Retention Center (RC) and are trying to find out whether or not this functionality is legal or not post-GDPR. I would love to hear how the rest of you have concluded in this issue if you consider it an issue at all. I have included a description of the crux of the matter as NTNU sees it (below), and I am curious if these are concerns for you as well
So - our questions are:
- Have you made any GDPR-related decisions for certain functions in Learn, like the Retention Center (turn off/on etc)?
- Do you feel that the Retention Center is legal (per the below description)
- Have you made any decisions to inform students explicitly about Retention Center when it comes to data protection?
- Have you taken other measures to ensure the use of Retention Center complies with GDPR (f.ex. editing the standard criteria, or other things)?
The crux of the matter - legal stuff
RC uses criteria to categorize students that meet them into groups of 'at risk' students, or other groups depending on the criteria you set in the course. The teacher can follow up on the students who meet certain criteria individually and by group. The teacher can see named individuals and which criteria they meet.
The core issue is Article 22 of the GDPR:
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
And, further, the GDPR defines profiling as such (my emphasis added):
 The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention.  Such processing includes ‘profiling’ that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her.
Our legal dept. argues that since RC uses profiling (as all learning analytics and dropout predictions do, as they combine data to make predictions and analyses automatically), it is not legal to use without students' explicit consent. Whether or not it has the potential to produce legal effects for students is debatable and probably depends on each teacher using RC. I agree that the Retention Center, in the GDPRs definition, is profiling - but is it the kind that requires that we collect consent from students or not?