Founder
April 26, 2026
26 min read
This article examines the legal character of risk scores, success predictions, and engagement profiles produced by AI‑supported learning management systems (LMS). The central thesis is this: when LMS data cease to be merely a technical usage log about a learner and become a structure that evaluates the individual’s performance, behaviour, or future outcomes—and influence institutional decisions—they are no longer “just” learning analytics; they raise issues of profiling, inferred personal data, and, in some cases, automated decision‑making. Against that background, the article addresses the boundary between statistics and profiles, the distinction between early warning and stigmatization, rights to explanation and objection, the meaning of human oversight, the bar on incompatible‑purpose use, and differing protection regimes for children, students, and employees.
AI‑supported learning systems today carry one of education’s brightest promises: an experience adapted to each learner’s pace, needs, and style. LMS platforms no longer merely deliver content; they can measure time spent in modules, difficulty with questions, login times, repetition, unfinished materials, and even which behavioural patterns correlate with failure risk. Technically, this looks like a learning analytics revolution that boosts pedagogical efficiency. Legally, a harder question arises: Is the system processing data to support the learner, or producing a profile from which consequential conclusions about the student can be drawn?
That is where the real issue begins. When an LMS starts generating outputs such as “dropout probability,” “success score,” “low engagement profile,” or “high‑risk user” from behaviour, the data are no longer only a record of the past. They become a forecast about the person’s future and, more importantly, an evaluative layer that can shape the institution’s decisions about them. Once that shift occurs, learning analytics no longer remain a purely pedagogical tool; for data protection law they fall within the territory of profiling, inferred personal data, and sometimes automated decision‑making.
The debate is therefore not merely a technical classification exercise. It is about which information layer educational institutions are entitled to generate about learners, and at what point that production acquires the character of an intervention in pedagogical autonomy, equality of opportunity, and personality rights. LMS architectures were originally built for content distribution and progress tracking, yet many systems today convert behavioural traces into predictions about the future—blurring the line between pedagogical support and algorithmic evaluation. The core legal question, at article length, is precisely this: At what threshold do data collected for education turn into an institutional “file” that yields conclusions about the individual?
Be the first to be informed about our new articles, opinions and case studies in the field of Blockchain.
For a sound discussion, three concepts must be kept apart: raw personal data, inferred personal data, and automated evaluation output. Raw data are directly observed facts—login times, completion rates, quiz scores, or assignment deadlines. Inferred data are the new meaning layer built from raw inputs—for example, “low motivation,” “failure risk,” “high dropout likelihood,” or “insufficient engagement profile.” Automated evaluation output arises when those inferences become the basis for intervention, ranking, or decision‑making about a person.
As source materials also emphasize, the definition of profiling in EU data protection law is very broad. Using personal data to analyse or predict someone’s performance, behaviour, preferences, reliability, or future tendencies—whatever the technical label—falls within or close to the profiling regime. That matters especially in education: academic evaluation is often presented as pedagogical support, yet its consequences can be decisive for a person’s academic trajectory. Success prediction or an engagement profile may look like neutral technical terms, but legally they are often tools of personal evaluation.
From the perspective of Turkish law, the issue cannot be reduced to collection alone. The basic principles in the KVKK require processing for specific, explicit, and legitimate purposes; purpose limitation, data minimization, and proportionality; accuracy and updating where needed; transparency toward the data subject; and, where analysis is solely automated and produces an adverse outcome, a right to object. In that framework, LMS‑based risk scores that produce real‑world consequences for individuals or steer institutional procedures should be treated not merely as “technical performance data,” but as evaluative personal data capable of legal effect.
The legal answer depends on the relationship data establish with the person. If the system, on anonymized aggregates not linkable to an identified individual, produces only general trends, you have statistical analysis. A population‑level finding such as “students who revise weekly have higher pass rates,” standing alone, is not profiling. But if the same statistical model is applied to a specific student and yields “this learner may fail” or “this person is prone to disengaging from the course,” there is individual evaluation predicting behaviour and performance.
Under EU data protection law, profiling is defined as using personal data to analyse or predict performance, behaviour, preferences, reliability, or similar attributes. That definition is crucial for EdTech: outputs such as “engagement profile,” “learning behaviour analysis,” “success prediction,” or risk score—if they forecast educational performance and future position—cannot be dismissed as “mere statistics.” Once linked to a person, they become profile data with legal significance.
Accordingly, the legal character of a score produced by an LMS is determined not by its label, but by what it does to the person. If the system not only measures but ranks, classifies, predicts, and sometimes nudges invisibly, there is not only data processing but evaluation production about the individual. In other words, the moment data are tied to the student, the “learning log” gradually becomes a “student file.”
Here an important distinction from the source literature applies: truly anonymous, non‑re‑identifiable, group‑level statistics are not in the same legal category as a predictive model applied to the individual. It is one thing for a university to conclude, across all students, that “those who never log in during the first four weeks have lower success rates”; it is another to run that model on Ahmet, Ayşe, or a named employee and assign a personal risk label. In the second case, a general trend has been individualized and moved into the architecture of institutional decisions. The move from statistics to profile is triggered not by the model’s existence, but by its deployment against a particular person.
The logic of EU case law around examination assessment is instructive here. If exam papers, assessor marks, and their capacity to shape a candidate’s future strengthen the “personal data” character of those records, LMS scores derived from far denser behavioural traces should, a fortiori, count as personal evaluation. The system is not only logging what the student did; it is generating institutional judgment about what they might or might not do, and how “reliable” they are. In a modern digital learning environment, that judgment can function as an algorithmic version of the classic student file.
Explore a holistic framework covering compliance, risk management, AI ethics, and academic integrity for educational institutions leveraging technology.
The legally most sensitive dimension of educational platforms is often not the data the student supplies directly, but the new outputs the system derives from them. Students leave raw traces—login times, quiz scores, submission timestamps. AI‑supported systems build a new layer: attention span, learning tempo, error patterns, dropout likelihood, low‑motivation risk, weak engagement profile, and the like.
That second layer—data produced by inference—carries distinct weight in data protection law. The person is not merely “reporting about themselves”; the institution interprets behaviour and generates new personal data. A risk score or success prediction is therefore not just a statistical side output; it is an independent data type capable of affecting the data subject.
This distinction matters because institutions often narrow their story with the line “we only collect usage data from students.” Yet the law looks not only at what raw data were collected, but also at what was produced from them. Predictions, labels, and classifications are the system’s most powerful—and often invisible—outputs. Often the risk lies not in what the student disclosed, but in what is said about them.
Moreover, inferences can reach into far more sensitive domains. If attention span, behavioural patterns, repetition counts, or interaction styles begin to support conclusions about health, neurodiversity, mood, or psychological state, the matter is no longer confined to “academic performance.” Processing then approaches areas requiring special protection, and legal scrutiny intensifies. Emotion inference, behavioural monitoring, and biometric‑heavy analytics are among the riskiest practices in educational contexts.
In academic terms: inferred data are not simply a “measurement” of an existing reality; they are often normative production that turns statistical likelihood into individual judgment. The system does not “detect” that attention dropped; it maps behaviour patterns inside its model to that outcome. The score or label is therefore not a record of an indisputable external fact, but the result of an interpretation model designed by the data controller. That matters legally for two reasons: first, inference error is more likely than raw‑data error; second, impact on the person is usually heavier, because institutions typically base decisions not on raw logs line by line, but on meaning layers derived from them.
Hence interpreting access and objection rights as limited to raw inputs is insufficient. If a student can see clickstreams but cannot access the “risky profile” derived from them, the legally salient sphere of effect becomes invisible. Contemporary data protection law—as sources rightly stress—extends protection not only to “data given” but also to derived and inferred data the controller generates about the person. For EdTech that approach is indispensable, because intervention concentrates less at the raw level than at the level of interpretation.
One of the strongest justifications for learning analytics is early warning. Spotting that a student needs support early, offering mentoring, adapting lesson plans, or providing extra help can align with an institution’s duty of support. The problem arises when the warning mechanism is designed as a call for help or as a permanent label.
Telling a student “extra support is recommended this week” is not the same as saying “this student has a high‑risk profile.” The former may be a temporary, support‑oriented, bounded intervention signal. The latter can become a sticky classification that seeps into other decision channels and generates lasting expectations about the person. Legally problematic stigmatization begins at that pivot.
Warning signs that a risk score has become problematic include: persistence in a durable record; sharing with non‑academic actors; use in scholarship, discipline, progression, certification, or performance decisions; absence of effective correction and objection for misclassification; and monitoring intensity that exceeds reasonable expectations. In such an architecture, the system no longer “helps” the student; it passes judgment on them.
The difference between early warning and stigmatization therefore lies not in intent, but in design. A support‑oriented system remains temporary, bounded, challengeable, and tied to a pedagogical purpose. A stigmatizing system places learners in categories such as “at risk,” “weak,” or “failure‑prone” and makes those categories part of institutional decisions.
A further contribution in the literature: early warning can operate not only as support but as a tool for allocating institutional resources. If limited advising, mentoring, or scholarships flow only to students deemed “worth investing in,” while those assigned a low probability of success are passively left out, the early warning system—even if it looks neutral—can become a sorting mechanism that produces structural inequality. Stigmatization risk therefore arises not only from explicit negative labels but from silent exclusion practices.
When models trained on historical data may reproduce past inequality, variables such as socioeconomic vulnerability, language barriers, access constraints, or different learning styles can be invisibly penalized under a “high risk” label. The system then not only “predicts” failure; it shapes institutional response and entrenches it. The academic and legal concern is that a tool built instrumentally for support can normatively turn into a mechanism that categorizes students and narrows their opportunity space.
This is one of the most critical questions. May a school, university, or employer take action against a person based on system outputs such as “this person may drop the course,” “this employee may fail training,” or “high‑risk user”? As a rule, the answer turns on whether the decision produces a legal or similarly significant effect on the individual.
If the score is only a low‑impact, non‑binding nudge to a teacher—easily overridden by human judgment—not every case triggers a bar on automated decision‑making. But if the same score leads to scholarship cuts, restricted access to an advanced course, disciplinary proceedings, denial of certification, lower performance ratings, or an adverse fitness‑for‑role outcome, the legal framework tightens.
Crucially, the sentence “a human made the final decision” is not, by itself, a safeguard. If the human treats the score as dispositive, rubber‑stamps it without scrutiny, or institutional practice near‑automatically follows the score, a seemingly human process becomes an extension of automation. Law cares less about who signs on paper than about which factor actually determined the outcome.
Institutions should therefore avoid turning influential risk scores into a decision engine. At most, they should be a signal—ancillary to human judgment, contextualized, and discardable when appropriate. Otherwise the student file and the algorithmic fate line begin to blur.
Legal assessment should focus less on the formal structure of a decision than on its material impact. If a scholarship committee or education manager technically has the last word, yet in practice the system’s score has become the decisive metric, the reality of human intervention is doubtful. The EU approach reflected in the sources stresses the same point: a human signature on paper does not, alone, provide adequate assurance if the spine of the decision was built by an algorithm. Educational institutions must therefore read their “decision support system” narrative together with actual use patterns.
Another key point: the same score carries different legal weight in different contexts. Recommending an extra module is not the same as cutting a scholarship; scheduling extra training is not the same as downgrading a performance score. Rather than a one‑size‑fits‑all legitimacy analysis for every AI‑assisted evaluation, the decision domain, degree of binding force, and severity of adverse impact each require separate scrutiny. In academic terms, what matters is not only the processing activity but the normative weight of the processing output in the decision architecture.
EdTech is often legitimized through “personalization.” To the extent that data‑driven adaptation reflects that not every student learns at the same pace, it can be pedagogically justified. But when the line between personalization and behavioural surveillance is crossed, the technology ceases to be a supportive tool and becomes a continuous monitoring apparatus.
The simplest test of the difference is this: Is the data collected the minimum necessary to improve learning, or is the institution, under the banner of pedagogical benefit, trying to map the student’s behavioural space in maximal detail? Limited data on module completion, repetition counts, and error clusters are one thing; deep layers such as screen time, micro‑pauses, navigation patterns, multi‑device behaviour, audio‑video analytics, or attention prediction are another.
The legal problem with behavioural surveillance is not only volume. The core issue is the learner ceasing to be a knowing subject and becoming a behavioural object under constant measurement. Someone who knows they are always watched may lose the freedom to err, experiment, backtrack, and try different methods. The learning environment then drifts from a supportive pedagogical space toward an invisible discipline field. That is where law activates principles of proportionality, purpose limitation, and reasonable expectations.
This distinction matters not only for data protection but for the quality of the right to education: education is not the reduction of the student to an endlessly optimized performance object; it includes the freedom to make mistakes, slow down, learn at different rhythms, and have pedagogical experience. If LMS design encodes a logic that reads every pause as risk, every deviation as anomaly, and every low‑interaction spell as a signal of future failure, the system produces a normalizing surveillance regime more than learning support. In such a regime, the personalization narrative can become surveillance’s legitimizing language.
Emotion inference, attention prediction, and biometric‑heavy analytics therefore require much stricter scrutiny in education: processing reaches not only “how much did they learn?” but intimate questions such as “how did they feel?,” “how did they react?,” “what was their mental state?” As sources emphasize, there is a legally decisive difference between monitoring necessary for education and monitoring done merely because it is technically possible. The pedagogical necessity test is therefore not a formality—it is a baseline boundary.
Protection in these systems cannot rest on a generic privacy notice alone: the main impact usually comes not from raw input but from the profile output. Students and workers must therefore be able to see not only data collected from them, but also scores, profiles, predictions, and proposed interventions produced about them.
At a minimum, the following rights should be recognized: access to data; knowledge of profile outcomes; rectification of inaccurate or incomplete data; objection to profile results; understanding which data categories fed an inference; where automated evaluation exists, an explanation of logic and likely effects; and, ultimately, a right to meaningful human review.
It is especially important that objection not be confined to raw data alone. A student should be able to say not only “it is wrong that I logged in late,” but also “it is wrong that my behaviour labels me as high‑risk.” If the law looks only at data entry while labels derived from data remain closed, the most potent part of profiling stays outside oversight.
These rights must not remain abstract promises in policy documents; they must be embedded in workflows. Questions must be answered in advance: where the student sees a profile result, time limits for objection, who reviews challenges, which data categories count as influential in forming outcomes, whether a system output can be temporarily suspended, and whether a human review can delete a score. Otherwise “rights on paper” remain visible while, in practice, the person can only watch a system pass judgment on them.
Academically, an important distinction also separates explanation from access: it is not enough to know that data are processed; the person must be able to understand how those data are tied to an outcome. It is not always reasonable to expect an educational institution to disclose algorithmic source code, but which categories matter, which behaviour patterns raise the score, what organizational consequences may follow, and how to correct the situation must be stated clearly. The approach highlighted in the sources is that explanation is less about exposing trade secrets than about enabling meaningful challenge to the outcome concerning oneself.
One of the most common assurance phrases in EdTech is “human oversight.” Yet the concept is often used misleadingly. A staff member routinely approving what appears on screen is not human oversight. Meaningful oversight is an independent evaluation mechanism able to weigh the decision, understand the system’s limits, question the output, and, where necessary, invalidate it.
Minimum elements should be transparent: the reviewer must know what the system measures and what it does not; be able to challenge the score without automation bias; take account of the student’s context, special circumstances, and explanation; be able to depart from the system outcome with reasons; and be empowered to do so institutionally. In other words, the teacher or administrator should be not the “signer for the algorithm,” but the “decision‑maker who can scrutinize the algorithm.”
If institutional culture rewards whoever quickly approves AI output rather than whoever questions it, there is no real oversight. In that setting, the human is not a safeguard—only window dressing.
Meaningful human oversight is therefore not only a matter of individual diligence but of institutional design. If reviewers lack technical training, are given no adequate time, face a high institutional cost for departing from the system, or de facto lack override authority, human involvement on paper does not amount to effective oversight in a legal sense. In education and employment, the weakest link in AI use is often exactly this: a human is in the process but cannot actually change the outcome.
Human oversight should therefore be thought of in at least three dimensions: knowledge (understanding system limits), authority (ability to change the outcome), and justification (explaining agreement or disagreement with the system). If any one of these is missing, human oversight fails as a fundamental‑rights safeguard.
Perhaps the article’s most practical takeaway is this: data collected for education do not, by themselves, become available for discipline, HR, performance measurement, or fitness‑for‑role assessment. Using LMS data gathered to support a student later for scholarship decisions, disciplinary sanctions, workplace performance scores, or career planning will, in many cases, create incompatible‑purpose risk.
Here the law examines whether there is a genuine link between the original purpose of collection and subsequent use. If a student believed data were collected to adapt course content, but the same data later work against them in institutional decisions, that exceeds reasonable expectations. Given structural dependency in school–student and employer–employee relationships, the logic “we already had the data” is legally insufficient.
A clear separation should be maintained between educational data and decision data. Data flows intended for learning support must not be automatically merged with processes that produce disciplinary or employment outcomes. Otherwise the LMS ceases to be a learning platform and becomes infrastructure for dossiers and surveillance.
In this context, purpose limitation is not a technical compliance checkbox but a basic legal principle that curbs institutional power over data. Educational institutions and employers face a natural incentive to reuse data for different institutional goals; it is typical for once‑collected data to look attractive for second, third, and fourth purposes. That is precisely why law centres the context of collection and the data subject’s reasonable expectations. A student does not expect a platform used to improve grades to later generate evidence against them; an employee may not foresee that behaviour on a training LMS will quietly become a performance evaluation tool.
The compatibility test emphasized in the sources is therefore critical: the link between the first and second purpose, data quality, power imbalance, severity of impact, and existing safeguards must be assessed together. Moving data collected for educational support into discipline, promotion, fitness, or performance sanction domains will often fail that test. In academic terms, the problem is not only a “new processing purpose” but the conversion of a pedagogical relationship into a sanctioning relationship.
No. The same profiling mechanism produces different legal consequences depending on the group. Children require a much higher level of protection: they may not grasp how their data are processed, what future consequences may follow, or what algorithmic labels mean. Profiling concerning children therefore demands both a stricter necessity test and a stronger protective approach.
University students, even as adults, lack full freedom to bargain with the institution. The same holds for employees required to use an employer‑provided training LMS; “consent” to processing is not always freely given. In education–employment settings, the defence “we obtained consent” is often insufficient as a standalone safeguard. Where power asymmetry exists, the real question is not whether consent exists, but whether the system is proportionate, transparent, auditable, and rights‑based.
That differentiation directly sets the degree of the protection regime. For children, profiling is especially problematic because of its capacity to create a forward‑projected digital trace; labels from childhood can have cumulative effects across an educational biography. For university students, risk crystallizes through academic dependency and unequal opportunity. For employees, the same mechanisms intersect with workplace hierarchy, performance pressure, and problems of consent’s freedom. Thus the same algorithmic model—with identical “technical” processing—need not carry the same legal weight across groups.
An institution need not abandon personalized learning systems altogether, but if it wants lawfulness, it must adopt certain minimum governance principles.
First, purpose architecture must be clear: “learning support,” early warning, assessment, discipline, and HR use must not be collapsed into one undifferentiated data pool. Which data are collected for which purposes, who may access them, and under what conditions transfer to other purposes is categorically barred must be fixed in advance.
Second, data minimization should be the baseline: if the same outcome can be achieved with less data, the institution should not drift toward heavier surveillance. Audio, video, biometric layers, emotion inference, and deep behavioural tracking must not be legitimized unless strictly exceptional and necessary.
Third, ensure transparency of inferred data: users must clearly know not only that raw data are collected, but that scores, profiles, and predictions are produced about them; which data categories underpin the system; what kinds of outcomes may follow; and how to object.
Fourth, conduct impact assessment and discrimination testing before deploying systems that may significantly affect education and work: privacy risk, false positives, group‑level bias, and impacts on fundamental rights. Technical accuracy alone does not equal legal legitimacy.
Finally, institute human oversight, retention limits, role‑based access, and independent audit: scores must not be kept indefinitely, visible to everyone, or exempt from periodic review; procedures should allow suspending the system when needed.
Taken together, these principles yield not only data protection compliance but an algorithmic governance model for educational institutions: collect not everything that is technically possible, but what law and pedagogy require; treat the student not as an object of prediction but as a rights‑bearing subject. The shared conclusion in the sources is that lawfulness is determined less by privacy notices drafted after the fact than by the design assumptions baked in from the start.
A sound governance framework is not only policy text: impact assessment at design time, bias testing on datasets, periodic review of high‑impact scores, plain but substantive user explanations, AI literacy training for teachers and managers, and independent verification of whether the system delivers real pedagogical benefit. In poorly designed systems, compliance language often functions merely as legitimation.
Understand the legal limits of AI, data privacy concerns, algorithmic bias, and institutional responsibilities in Turkey's distance education sector.
The clearest answer is this: LMS data begin to take on the quality of a “student file” when they cease to be merely a usage log of the past and become a structure that evaluates the student’s performance, reliability, success, risk propensity, or future behaviour, classifies them, and influences institutional decisions.
Law is not categorically opposed to learning analytics. What it resists is invisibly scoring and labelling individuals under the rhetoric of pedagogical support, and turning those labels into decision infrastructure for their education or working life. In short, the problem is not collection of data; it is data beginning to pass judgment on the person.
Therefore, in AI‑driven education, the core legal test is this: Is the system trying to understand the student, or slotting them into a predefined category and governing their future through that category? If the second scenario dominates, we are no longer dealing with an innocuous learning analytics tool but with a profiling mechanism that calls for strict legal scrutiny.
Ultimately, the transformation of LMS data into a “student file” is not a single technical moment but the sum of institutional choices. When data are linked to a person, inferences are drawn, those inferences are fed into decisions, the person cannot effectively challenge the outcome, and the system’s labels settle into institutional memory, we are no longer speaking of “ordinary educational data” in a classical sense, but of a digital dossier that can shape educational and even professional futures. The legally salient threshold for protection is right here.
For that reason, debates on AI in education should centre not only on innovation, efficiency, and personalization, but also on classification power, labelling risk, and decisional impact. Otherwise EdTech will operate less as support for learners and more as a largely invisible yet highly consequential institutional evaluation infrastructure. Law’s task at this point is to draw the line without making pedagogical benefit impossible—while preventing students from being treated as nothing but data.
