I am planning to use OpenStreetMap for a teaching activity in which I would task students with contributing to OSM. They will not publish anything I haven’t checked of course. Because of the GDPR, I cannot ask them to create their own account, but the iD editor requires an account to use. Is it possible to create and use a shared class account for this purpose or is that against the ToS and will result in the account being locked if there are multiple simultaneous connections?
With that in mind, you could have them edit locally, then send the change file to you. Once you’ve vetted it, you can upload it via a shared account. In any case, you would take full responsibility for the edits.
If you decide to create an account specifically for this purpose, it’d be nice if your account description reflected that. Perhaps even create a diary entry or something explaining what you are doing and intend to do.
Then: you can definitely create anonymous accounts for your pupils using mail addresses that will land only in a mailbox of your choosing. Unluckily currently there is no way to restrict access to the OSM messaging system, but you should at least declare it “off limits” (using different wording aka not something that will entice them to use it).
The largest privacy-related issue in OSM is that somebody can be identified from their edits. That can’t be totally avoided, but the exposure can be reduced for your pupils by mapping away from their residences and keeping changeset comments neutral*. Note that this is an issue with all contributions to OSM, regardless of how you set things up in the end.
* Unluckily the default online editor is a privacy nightmare; if you have time, it might be worth the effort to fork it and fix the most egregious stuff.
Thank you for your reply. I don’t expect all the contributions to be of very good quality, which is why I wasn’t planning on letting the students publish without checking their work. I have already found things in the area that need fixing, so they shouldn’t go about it blindly, at least.
JOSM is probably too difficult to use, which is why I wanted to use iD. It is good to see that the changes can be exported without uploading them to the server so that I can check them in JOSM before uploading.
They are high-school students, so age isn’t a concern and I don’t think they will vandalize the map on purpose. Sharing an account is easier logistically however, and it doesn’t seem to be against the terms of use. Can you explain why the online editor is a privacy nightmare?
As said you can create accounts for them (and revoke access after the course).
Records state of the online tutorial and language in the changeset including which errors were fixed/not fixed, plus potentially pulls images from external sources (includes Facebook).
That would naturally be far less of an issue if the above wasn’t distributed widely, but that is an 8-year-old windmill.
I don’t follow this logic. Obligating an individual to create an account may indeed be problematic (although hardly illegal), but GDPR applies to the management of “personal data”. If care is taken not to disclose personally identifying data, I don’t see how GDPR is triggered?
The IP can already be considered PII. This PII is processed by OSM, making them the processor. Since the account creation is on command of the teacher, they can be considered the controller per GDPR. In the worst case, this requires a written contract between them and the OSMF as to how the personal data is being processed.
If they can provide proof to ensure with technical means that identification is impossible, then creating an account might be possible without getting into GDPR. At that point though, it’s probably easier to just fork all of OSM…
This is definitely the best approach. Be sure to post here which solution you’ve chosen!
That’d be even worse, because now the IP address contains location information.
The IP address is only an indirect identifier, but with enough additional information (like visited sites, general behaviour), it can be cross-referenced to a specific person. And even if you don’t know exactly who that person is - the IP address allows you to infer a lot that you otherwise wouldn’t be able to. See also “Is an IP Address Personal Data? Privacy Implications - GDPR Local” for an overview and “Is an IP address considered personal data? - TechGDPR” for a court ruling on this issue.
By the way, there are a couple efforts to facilitate this kind of classroom workflow. HOT has an experimental version of their Tasking Manager tool that integrates an OSM Sandbox feature. TeachOSM has been working on something similar that you could inquire about.
Wouldn’t this just be the IP address of the school?
If I know that this IP address is of that school, then I know the location where the request originated. Ergo, the IP address contains location information.
If the IP gets generated randomly, then it doesn’t contain location information, because it could have been generated anywhere. It can still be used to identify a person.
That is stretching things quite far, the OSMF is not processing data on behalf of @hugdo as in there are no instructions on how to process the data and no output of that processing is returned to, nor available to @hugdo. The normal take on this is that the OSMF is its own data controller and not a processor.
PS: if the students would use the account outside of the school premises @hugdo wouldn’t even be able to access or have any control over the data.
(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
The purposes (account creation) and means (on the OSM website) are determined by @hugdo instructing the students to create an account.
If the students could choose not to (without penalty), then you could argue that the teacher isn’t a controller as the students determine themselves what happens with their personal data.
Under normal circumstances, people give their consent freely. If they are forced to create an account, you cannot argue that their consent is given freely.
If the OSMF isn’t a processor, who processes the data? The OSMF can be both.
That’s not necessary though, the GDPR only requires that somebody could reasonably have that information and piece one and one together. That’s the main reason that IP addresses are considered PI in the 1st place, on their own they are not that useful, but both the ISP and indirectly due to that the police/authorities/etc could associate the address with a natural person.