UPDATE: 23.08.20 One week on from this original post below, and it is clear (and unsurprising, when one reads the details) that many IB students are still deeply unhappy about the process, and now, with the u-turn on the A-Level awards, are arguably feeling even further aggrieved that their results are still tied to the outcome of what they see as a flawed an unfair algorithmic process. Also one week on, there seems to have been no word from the ICO about the decision of the Norwegian DPA, and what it means for UK IB students. END UPDATE.
UPDATE: 17.08.20 It appears that the IBO has responded to concerns (and possibly to the Norwegian DPA’s investigation, by reviewing the results, and making an adjustment to awarded results, with the emphasis that “no student will receive a lower grade than what was received previously”) END UPDATE.
In a piece for the Mishcon de Reya website last week, I noted, in the context of the recent A-Level awards fiasco, that the Norwegian Data Protection Authority had sent the International Baccalaureate Association (IBO) an advance notification that it was going to order the latter to rectify grades it had awarded based on “so-called ‘school context’ and ‘historical data'”. The IBO has until 21 August to “contradict” the Norwegian DPA’s draft decision.
What I had not fully appreciated were two things:
- The effect of the Norwegian DPA’s draft decision, should it be formalised, may be that all IBO grades based on such data would have to be re-done, not just those of Norwegian children.
- In a move now saturated with irony, the IBO’s grading process is, apparently, already being scrutinised by…erm…Ofqual, to whom the IBO’s awarding model was submitted , both prior to its actual use and to the issue of results.
The second point raises the rather remarkable possibility that Ofqual was a controller, in GDPR terms, for the International Baccalaureate model, as well as for the English A-Levels. This will only add to its already significant woes.
The first point turns on this: the IBO is based in Switzerland. Although Norway is not in the EU, it is in the European Economic Area (EEA), and by a joint agreement of July 2018 GDPR was incorporated into the EEA Agreement. To the extent that the IBO is offering (which it clearly is) goods or services to data subjects in the European Union, it is subject to GDPR’s extra-territorial provisions at Article 3(2). So, although in theory, the Norwegian DPA’s decision would only apply in respect of the processing of personal data in respect of Norwegian data subjects, in practice it is very difficult to see how the IBO could comply with an order only applying to Norwegians, when the effect of the order would be that IB candidates across everywhere would have had their data impermissibly processed in the same way. If it decided not to redo all awards, and just Norwegian ones, then presumably supervisory authorities across Europe, including the Information Commissioner in the UK, would need to investigate.
[This post was edited to reflect the blindingly obvious point that Norway is not in the EU, but is in the EEA. I’m embarrassed to admit that I’m only human]
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.