Research Article: 2021 Vol: 24 Issue: 3S
Enas Qutieshat, Philadelphia University
Citation Information: Qutieshat, E. (2021). The Jordanian legal approach on educational data mining: Privacy of individuals v. Data mining. Journal of Legal, Ethical and Regulatory Issues, 24(7), 1-11
Educational institutions collect various data from several sources, but this sort of data is rendered worthless if it is unprocessed effectively by the institution. Typically processing this data is beneficial to decision-makers in educational institutions, but the enormous amount of data present and stored in educational institutions is difficult to be processed traditionally, which has promoted the effective employment of machine intelligence when applying data mining algorithms. Processing raw data stored in an educational institution's databases raises legal concerns, most noticeably the legality of such a procedure and whether data processing would violate individuals' privacy since the Jordanian legislature has not directly regulated the issue of educational data mining and processing and its legal consequences. Accordingly, this research aimed to examine the Jordanian legal approach towards the use educational data mining algorithms and the legality of processing raw data in light of the current legislations in force and present proposals and recommendations in this regard.
Data Mining, Right to Privacy, Right to be forgotten, Property rights, Artificial Intelligence.
Higher education is regarded as one of Jordan's most important sectors. Where educational institutions are competing in attracting students and maintaining the quality of educational process outcomes as well as working hard to graduate students who are well-versed in their fields by depending on the available resources and capabilities. Due to the globe’s adoption of artificial intelligence policies and their applications and the growing utilization of Artificial Intelligence (AI) software in the field of education; computer scientists, through the use of certain algorithms, were able to analyze massive amounts of data available in educational institutions to understand and analyze the behavior of the learner and the educational environment leading to the emergence of the term the Knowledge Discovery from Data (KDD) (Han & Pei, 2012) or Educational Data Mining (EDM) has emerged.
Algorithms rely on knowledge discovery by establishing logical relationships, patterns, and recurring models. The obtained data is depicted in a new, interpretable way for the data owner, allowing it to be used to identify weaknesses and anticipate future challenges in that institution. The use of data mining algorithms is not limited to educational institutions, rather it extends to include most activities related to various sectors (Zaki, 2020, & Dindarloo & Siami-Irdemoosa, 2017, Kusiak et al., 2009) in which AI is used and data is mined especially, in the legislative fields and national security. The stored massive raw data are then analyzed and logically interpreted so that the stakeholders can take the appropriate decisions.
Despite the benefits that educational institutions and decision-makers (Yang et al., 2021) gain from data mining, one of the most pressing concerns in this regard is the legal legitimacy of exploring educational data and claiming ownership of this data on the one hand and violating individuals' privacy on the other. In a matter of fact, using algorithms for data mining whether in general or for educational data, requires processing massive data stored in the databases of the institution, and here many questions arise when it is used for example in the educational institution: Do these educational institutions possess this data and they can use and analyze it legally? Or Are these data possessed by the provider? And when the institution conducts its analysis and studies through algorithms, do they violate the privacy of individuals and deal with data that it does not own?
In general, it can be said that the topic of EDM is not new, as there are various research have addressed this area from a technical perspective, the methods used, and the benefits (Aydogdu, 2020) expected from them. Noticeably, few papers have addressed the legal aspects of using these algorithms (Clemons & Wilson, 2015). This paper sheds light on the reality of using techniques of EDM from the Jordanian legislative perspective, as to the date of writing this paper no research paper addressed this topic from the perspective of Jordanian legislation, not to mention the absence of legislation and regulations that regulate the work of technological systems based on the use of AI technology and machine learning in Jordan.
The paper is divided into three main sections, in addition to the introduction and conclusion section. The first section was devoted to highlighting the definition and importance of EDM . The second section presents the position of the Jordanian legislator regarding EDM, while the third section discussed the position of the Jordanian legislation on the issue of mining educational data and the violation of the privacy of individuals.
The Definition and the Importance of EDM
It was found that educational institutions collect and store a huge amount of data in their databases. These institutions are working to implement high-precision security systems to prevent unauthorized access to their databases. To understand the data mining algorithms, it is necessary to shed light on what is meant by some terms of special significance for this paper, and then to highlight the desired benefits of EDM.
Definitions
Although this paper deals with the study of the legal aspect of some aspects related to EDM, it is necessary to introduce the reader to some of what is meant by EDM, as it is the main purpose of this paper to highlight some relevant issues related to it.
Data: The Jordanian legislator defined the term “data” in many legislations related to electronic transactions and cyberspace. In article 2 of the Cybercrime Law of 2015, it is defined as "texts, pictures, illustrations, sounds, symbols, databases, computer software and the like" (Law, 2015) This definition is identical to what the legislator also stipulated in Article 2 of the Cyber Security Law for the year 2019 (Law, 2019) The foregoing definition obviously suggests that the legislator did not deviate from the traditional concept of data, as he considered it a group of images and data of limited significance in its primitive form without any processing. These data are collected by the institution in various ways, for example, they can be provided by the learner or his parents upon joining the institution, such as name, place of residence, religion, and other personal information that the applicant provides. Additionally, some data which the institution obtained are related to the student's educational achievements in previous educational stages as well as the information stored and obtained from the various departments of the educational institution such as the library, the health center, and the financial department. Notably, educational institutions have recently introduced distance learning methods through which they can collect additional information about users of these platforms, such as the number of entries and the time the student spent using the available electronic resources.
Data mining: If the massive amount of data collected and stored in its raw form is not used efficiently, it will become useless data, taking up valuable storage space in the institution's databases. Therefore, such data should be studied and analyzed using statistical sciences. However, if the educational institution decides to study and traditionally analyze this data, the magnitude, and diversity of the data that has been collected over time make this process nearly impossible. Using artificial intelligence algorithms and their various applications, computer scientists were able to analyze this data statistically and scientifically, facilitating the process of searching for the required data and exploring knowledge. Only then, such processed data will provide the user with information that can be used in making a specific decision. Accordingly, data mining can be defined as the discovery of knowledge from the data, or it is the process of analyzing data from different perspectives and drawing relationships between them, and summarizing them into useful information. We can also say that data mining, in general, is nothing but an application of algorithms mastered by the machine that results in useful information by analyzing the available data from multiple angles determined by the algorithm based on the programming of the concerned person to classify the available data and exclude the inappropriate from it and then link this data with each other in a logical manner and presented to the beneficiary (Algarni, 2016). Therefore, the data mining process is nothing but a means to convert the information in its raw form into data that helps decision-makers in making proper decisions. Finally, data, if processed, is called, information and under article 2 of Cybercrime Law it is “data that has been processed and has significance,” and it is the same definition adopted by the legislator in the Cyber Security Law.
Determining the scope of educational data mining: The application of data mining algorithms in the educational field is undoubtedly distinguished from other fields in which these algorithms are used in terms of the desired goal of improving the teaching and learning process. Also, EDM differs from data mining in general in terms of the data that will be used, which are usually data related to students and the educational process . Such data is kept in the databases of that institution. Besides, the adoption of a specific algorithm exclusively in the exploration of educational data depends ultimately on the goal sought by the person who applies the algorithm. (Algarni, 2016).
The Benefits of EDM:
We have previously mentioned that EDM is concerned with studying a set of raw data related to the aspect of the educational process which seeks to access information that will benefit decision-makers in improving the teaching and learning process and in maintaining the quality of its learning outcomes. Perhaps one of the most important benefits of discovering educational data is to identify students' weaknesses points during the learning process, especially those who may achieve poor grades or even dropping out of the educational institution. These algorithms also help in determining the educational priorities for a specific group of students. Furthermore, considering the increased competition between educational institutions in Jordan, whether the public institution or private ones, scientifically studying the stored data helps these institutions to improve the performance of their students, which reflects positively on the process of student polarization, especially since these studied and scientifically analyzed data help in evaluating the institution’s performance. The institution can also benefit from the results by improving the learning resources available to its students (Yang et al., 2021).
The Position of the Jordanian Legislator on the Use of Data Mining Algorithms
The data mining process consists of a series of steps that are logically linked together. (Algarni, 2016)The first and most significant step is collecting the data that will be studied and analyzed using the appropriate algorithms. Generally, when speaking about computer science and AI on one hand and EDM in particular, an important question is raised: Has the Jordanian legislator put in place special provisions that govern data mining operations in general and educational data mining in particular?
AI has been defined according to the Jordanian Policy for Artificial Intelligence for the year 2020 as
“The use of digital technology to create systems capable of performing tasks that simulate human mental capabilities and work patterns, analyze the surrounding environment and learn from errors to make predictions, recommendations, make decisions, or take actions that have an impact over the real or virtual environments with a degree of autonomy.”
When talking about data mining algorithms, we are talking about one of the areas in which AI applications have been employed for the benefit of their user. To effectively use algorithms to process data mining in an automated logical manner, it is necessary to initially access the data, that is, to enter databases to extract and process the saved data in a specific way. Therefore, the use of AI and EDM must be done in accordance with the provisions of the law, and the access to saved data should not constitute a violation of the provisions of the law.
In the Cybercrime Law, the Jordanian legislator criminalized access to the computer network or information system by any means without obtaining a permit or in the event of a violation of the permit granted to him. The legislator defined the “permit” in Article 2 of Cybercrime Law as
“The permission granted by the person concerned to one or more persons or the public to access or use the information system or the information network to access, cancel, deleting, adding, changing, republishing data or information, blocking access to it, stopping the work of devices, changing, and canceling a website, or modifying its contents”
The legislator also punishes anyone who performs any process that can cancel, delete, add, destroy, disclose, destroy, withhold, modify, change, transfer, or copy data, information, arrest, or Disrupting the work of the information network or the information network information system.
By interpreting the above text, the legislator has criminalized the following acts:
1. Unauthorized entry: indicating the entry made forcibly and despite the will of the owner or the one responsible for the databases so that the entry is temporary.
2. Entry with a permit, but the perpetrator exceeds the limits of the permit granted to him.
3. Entering without permission to cancel, delete, add, destroy, disclose, damage, block, modify, change, transfer or copy data, stop or disrupt the work of the informational network and system and this act differs from its predecessor in that the perpetrator interferes in the system continuously and can move between the stored data continuously and not accidentally, whether access is with permission or without.
4. Physical change, transfer, and copying of data, noting that the legislator in Article 2 of the Cybercrime Law has mentioned acts that would be criminalized if they were done without obtaining a permit, which are actions that are “to cancel, delete, add, or destroy Or divulging, destroying, withholding, modifying, altering, transferring, or copying data or information" noting that the legislator omitted to include the term “processing” among the acts that may occur on the data.
5. Actions that lead to disruption or suspension in the work of the information network or the information network information system.
It is not enough for criminal liability to simply commit the above-mentioned acts; there must also be a mental element known as "criminal intent," which denotes the direction of the perpetrator's will to engage in criminal behavior and commit the acts punishable by law (Negm, 2015), in addition to the availability of a special element in the criminal acts known as the commission of specific acts. By performing the aforementioned acts, we are faced with two issues: the first is the issue of accessing databases, and the second is the application of algorithms related to data mining. By extrapolating the legal texts, to legalize the process of educational data mining, the following two conditions must be met:
Obtaining authorization to access the databases to avoid criminal access, as was previously mentioned.
The authorization shall include permission to process the saved data and the authority authorized to do so. Otherwise, if the processing is carried out despite the legal entry, this behavior exposes the committer to penalty contained in the Electronic Crimes Law, which ranges between imprisonments, fine, or both punishments. Note that the legislator has doubled the punishment imposed on for the previous acts against anyone who commits any of them due to performing his job or work or exploiting any of them. Likewise, the legislator punished the accomplice, interference, and instigator of committing any of the aforementioned crimes with the same penalty specified therein for the perpetrators.
The Jordanian Legislative Approach on the Use of Stored Data
We have already stated that EDM is primarily dependent on collected and stored raw data available in educational institution databases. Given these various types and sources of data, the following question had to be addressed: Do educational institutions truly own these data according to the provisions of the rules governing property rights in Jordanian law, i.e., whether storing them made them the actual owner who can process them? Does EDM infringe personal privacy?
The Authority of the Institution over the Data Stored in its Database
The question arises as to whether the institution that maintains the educational data is the owner of that data under the provisions governing the property rights stipulated in civil law, or if its authority over those data is of other kind? The Jordanian Civil Code of 1976 defines the property right as "the power of the owner to dispose of his property in an absolute manner, in kind, for benefit, and exploitation." (Civil Code, 1976) The right of ownership over things, is carried on both tangible and intangible things.
Going back to the raw data that is processed using EDM, it must be noted that these institutions when viewing the personal data of individuals, do not infringe on the individual's right to privacy as long as the later has voluntarily disclosed such data, and the institution did not commit any act in contravention of the law to obtain such data. As mentioned earlier, such data is saved and stored in databases protected by the educational institution. Databases are computer programs used by the educational institution and are subject to its control and supervision. Having said that, it is important to highlight Article 3 of the Copyright and Neighboring Rights Protection Law of 1992. According to this article, the legislator has identified the works protected under this law, including “computer programs, whether in the source language or the machine language.”
In addition to that, and along with Article 2 of the Electronic Transactions Law (2015), it can be said that programs are Computers that meet the definition of (electronic information system), which the law defines as
“A set of programs and tools intended for creating, sending, and delivering, processing, storing, managing, or presenting information by electronic means”
Accordingly, as soon as the application for affiliation to the institution is filled out, or personal information is disclosed in a later period, and personal data is saved in the institution database, it enters within its possession as saved data only in a database that it possesses. This was confirmed by the Jordanian legislator when it criminalized entering databases illegally.
Data Mining and the Issue of Individual Privacy
The Jordanian Constitution of 1952 and its amendments protected the privacy of individuals in Article 7 therein by stating that
“Every infringement on rights and public freedoms or the inviolability of the private life of Jordanians is a crime punishable by law”
The Jordanian legislator has issued much legislation regarding cyber security and cybercrime, but it is noted that legislation concerned with protecting individual information and data and the privacy of individuals has focused on financial and banking transactions. The legislator, for example, has regulated the issue of financial consumer protection for payment and transfer companies, payment, and electronic transfer of funds in special instructions. Besides, through the Cyber Risk Adaptation Instructions for the year 2008, some related issues were regulated, but Article 2 of it explicitly states that the scope of its application is limited to
“All licensed banks, financial institutions, credit information companies and microfinance companies that are subject to the supervision and control of the Central Bank of Jordan.”
In addition to the above, the legislator, and through the Cyber Security Law of 2019, has dealt with the establishment and tasks of both the National Council for Cybersecurity and the National Center for Cybersecurity and considered under Article 12 of it that the information, data and documents and their copies that are received by the center or related to its work or viewed by its workers Protected documents subject to the provisions of the Law on Protection of State Secrets and Documents.
Educational institutions applying EDM to saved raw data and converting them into information that can be used to track certain behaviors of learners on the one hand and to improve the quality of educational work on the other hand for the benefit of both parties. Accordingly, two types of data that are processed for processing will be addressed: personal information and data related to the academic achievement of the learner obtained from the educational institution.
First: Personal information: In a matter of fact, the Jordanian legislator did not define the meaning of "personal data" except in Article 2 of the Instruction of Financial Consumer Protection for payment and electronic transfer of funds companies for the year 2021 as:
“All customer data, regardless of their source or form, through which the customer’s identity, identification can be made from his dealings, directly or indirectly, except for information available and known to the general public”
Traditionally, this personal data is obtained through the voluntary disclosure by individuals. Individuals usually disclose data that includes for example his name, gender, national number. The process of disclosing some personal data related to the learner remains upon requests, such as some financial aspects, health care matters that in addition to some sensitive information that the learner wishes to keep private, but at the same time is disclosing them for specific personal reasons such as applying for educational sponsorships or requesting health care services for example.
Second: Relevant Data Obtained from the Educational Institution
The institution obtains some data from the process of direct interaction between the learner and the educational community, in addition to the personal data disclosed by the learner previously, for example, the data collected regarding the time the learner spends on e-learning platforms.
Moreover, the institution can also exploit learning platforms that can collect data through files that are usually saved on the learner's devices (cookies) that collect some information related to the student’s electronic activity, for example, the sites he visited, the databases he has accessed, the number of times some files are downloaded, and many more, which the educational institution collects. Without a doubt, the voluntarily disclosed personal data that the educational institution stores carry with it a set of obligations, including the need to notify the learner and obtain his consent for the following:
1. Personal data will be collected and stored in secure databases that are subject to its control so that only specific persons are authorized to have access to this saved data for limited purposes related to work within the educational institution.
2. They will be saved by the institution and will not disclose to any third party except with his prior approval or in exceptional cases such as the issuance of a judicial decision to do so.
3. They will be processed in the future, indicating the limits and objectives of that processing.
4. He will be informed of his right to object to the data processing process if it is used in a way that violates the limits and objectives declared by the educational institution, or if he has strong justifications that the processing is not necessary to achieve the goals and objectives for which it was collected or if it is in violation of the provisions of the law.
5. He will be informed that he has the right to withdraw his consent regarding the issue of preserving, disclosure, and processing of his private data, and allow him to make a written or verbal withdrawal, provided that the verbal withdrawal issued by him is documented.
6. He/ his guardian will be informed that they have the right to request the deletion of unnecessary and unnecessary data to achieve the purposes for which it was collected, or the purpose for which it was collected has ended, unless the law provides otherwise, which is known as (the right to forgetting). (Fabbrini & Celeste, 2020).
It is feasible to include a clause in the application form that includes the above-mentioned conditions in a prominent position, in understandable and readable language, and clear handwriting, so that the applicant can read and understand the conditions. Typically, the person wishing to join the educational institution or his representative, after filling out the application, signs his approval of the information contained therein, and of its validity.
This request indeed is a contract between the recipient of the educational service and the educational institution, and if the recipient of the educational service signs this request (contract) that contains a set of clauses, including the clause related to data collection and processing, in this case, the institution has notified the recipient and I obtained his consent. The educational institutions may also inform the person who enrolls electronically to fill in some personal data electronically and then ask him to click on the (I Agree) icon, which is usually listed on websites to obtain the user's consent on certain conditions, and this is known as click-wrap agreements. (Davis, 2007)
Regarding the data that is collected during the membership period in the institution, the institution shall inform the participant when filling out the application form or every time the institution accesses or use it also the institution may include those conditions through an online link provided by using browse-wrap agreements (Garcia, 2013).
The main goal of this paper is to identify some of the legal aspects concerning educational data mining from a Jordanian legislative perspective. No one can deny that educational institutions are striving to elevate the level of their educational process and optimizing the quality of their outputs, hence, decision-makers must be informed of the reality of the educational process and the difficulties that it may face on the one hand, as well as the difficulties that students may face on the other, for them to make the appropriate decision. The data collected by educational institutions, whether it is personal data that has been voluntarily disclosed or collected by the institution after joining it is considered valuable if it is used logically and appropriately. Accordingly, to be exploited appropriately, it is necessary to discover the massive data stored in the databases of the educational institution. Fortunately, the Jordanian legislator has regulated the issue of saving data, entering it, and dealing with it legally but without specifying the type of such data and the mechanism for obtaining it.
As a matter of fact, one of the requirements for joining an educational institution is that it collects data about its students' personal information. However, the issue of processing that data and converting it into valuable information necessitates legislative intervention, especially since most educational institution members are unaware that the institution may process sensitive natural data that reveals the ethnic or religious side, party affiliations, criminal record, or even some data that would identify the student's identity and indicate some details related to his family. The data that is disclosed by individuals upon joining educational institutions is stored in the educational institution databases that are protected under the copyright protection law as the Jordanian legislator has criminalized unauthorized access to these rules and criminalized illegal processing of them or exceeding their limits. As for the ownership of these data, they are governed by the provisions of the Jordanian civil law, considering that it is the property of the educational institution, which acquired its ownership (as raw data) when it was disclosed at the moment of signing the contract with the educational institution to join it and benefit from its educational services.
Regarding the institution's right to process this data, especially as it may include personal data of sensitive nature, here, this paper recommends direct and rapid intervention by the legislative authorities in Jordan to legalize the educational data processing processes that serve decision-makers by legalizing the legal aspects related to the protection of personal information in various aspects of life without limiting it to banking-related activities and electronic payment services, so that the legislation includes the following points:
1. Confirming that the information disclosed by recipients of educational services is legally protected.
2. The recipient of the educational service shall be informed that the educational institution will collect personal data and save it in protected databases that are subject to its supervision, while ensuring that unauthorized access to these rules is not permitted and educational institutions are obligated to take technical measures that ensure the protection of stored and saved data, regardless of its source and type, with an emphasis on confidentiality and security of personal data collected by the educational institution.
3. Emphasis on the educational institution's duty to notify the recipient of the educational service, if he is still on the seats of study-even after he has left the educational institution-of any breach of the educational institution's databases as soon as possible and within the time frame specified by law.
4. The recipient's consent must be obtained before processing his data by adding a clause upon applying for joining the institution that is placed in a prominent and legible place and in a language that the recipient of the service understands. If the request is electronic, the educational institution must also inform him of the content of the condition, either by directly requesting him to click on the approval icon if Clickwrap-agreements are adopted or by including the condition in the list of terms and conditions in the case of adopting wrap agreements.
5. Emphasizing that in some cases no approval may be required prior approval if the information is available to everyone and has been publicly published by the official authorities, for example or if a judicial order is issued requiring the educational institution to disclose the information stored in it.
6. The recipient of the educational service must hold the right to delete some data that is not relevant to the specific purpose of the processing data, in other words, he has the right to be forgotten.
7. The recipient of the service must be given the right to object in the event that the educational institution exceeds the scope and purpose of the treatment and the body performing the treatment.
8. Emphasizing the right of the recipient of the educational service to claim compensation for any damage that may arise and befall him as a result of the educational institution’s breach of its duty to inform him of the data collection process and its duty to store and save the data in a way that preserves the security and integrity of that data from penetration in addition to its duty to inform him of the processing process. In a matter of fact, Jordan should expedite the process of issuing legislation that regulates the issue of collecting and processing personal data in various facets of life, especially, in light of the increased collaboration between institutions exchange data between them and the important role that process in developing various sectors.