COVID-19 has posed huge challenges for many industries/sectors and not least for the education sector. Whilst many industries were already well placed to cope with the demands of remote working, education providers have had to adopt, in a very short space of time, a completely new way of teaching and communicating with students and parents. The fact that education providers have made the switch to remote learning at all in such a precarious, uncertain climate is commendable. However, many providers will have had to rush to get online platforms ready and available to students and may not have had the requisite time to consider data protection implications in as much detail as they would under usual circumstances.
Ensuring personal data is robustly protected (especially children’s data) remains as important as ever and should be an integral consideration when assessing how to facilitate online learning and which platforms to use.
The GDPR requires that when implementing any new technology that will involve the use of personal data, a data protection assessment should be done to identify and mitigate any risks posed to individuals. In particular, these assessments are necessary when handling more sensitive data and children’s data falls into this category.
With this in mind, this article draws together some of the key data protection issues which would form the foundations of a data protection assessment, and which education providers should bear in mind in relation to providing online learning environments. Whilst the key points are drawn from European data protection laws, they are most certainly relevant to education providers universally.
As always, security is the first and foremost consideration when implementing any new technology. Some education providers are utilising a fully interactive, real time learning platform, where students attend live classes online, whereas others use pre-rendered platforms where assignments are set and completed work can be uploaded.
Regardless of how sophisticated the platform is, it will contain a considerable amount of personal data, including comments/messages between teachers and students, audio and video capability/recordings and parental communications. The school must ensure that any such platform that is used has adequate security to protect the personal data of those using it, including as a minimum, two factor authentication and access to authorised users only.
It is unlikely to come as a surprise that the ideal method would be for the education provider to provide its own private virtual platform, i.e. by procuring dedicated online learning software from a reputable provider and ensuring that contracts with those providers include data protection terms. Teachers should not use generically available software on their personal computers or devices that are free of charge, as these may not have the same level of security and will be outside the control of the school.
There are many platforms out there which are not specifically designed for the education sector but offer virtual conferencing facilities. However, not only may such platforms potentially lack children's privacy standards, but also data collected could end up being assimilated into a general stream of data that is used for the commercial benefit of for-profit organisations. This could result in children/students receiving consumer behavioural advertising, or in a worse-case scenario, targeting for more sinister reasons. No education provider, exchanging information during the course of what is supposed to be an educational experience, would want to expose itself to malicious hacking or commercial exploitation. Yet it is an easy trap to fall into especially with teachers and students operating from home and where quick-fire methods are adopted to cope with the need to expedite virtual learning.
Teachers and students should also minimise the risk of privacy intrusion caused by virtual platforms by using blank backgrounds on their screens wherever possible and being mindful of appropriate audio and video protocols, such as not turning on the video to someone you do not recognise – a problem that can occur when online platforms are compromised, for example if a participant’s online identity has been stolen.
Monitoring and storage
Another factor which is unique to online learning is that unlike in a physical setting, interactions between teachers and students may end up being recorded and stored in the system for a certain period of time. This introduces a layer of monitoring that previously did not exist and consequently imposes more responsibility on education providers to ensure that adequate policies are in place setting out how any such data can be used. For example, can online recordings be used to assess teacher performance appraisals? Can recordings of comments made by students be used in matters of student discipline?
Furthermore, additional personal data may be gathered where platforms allow for students to send messages to each other. To what extent is or should such content be viewed and monitored by teachers? Also, how long is all of this data stored by the school and/or the software provider? These are all questions to be considered and factored into the education provider’s policies and procedures.
An essential part of data protection. Education providers will already have privacy notices in place covering the usual data processing. It is advisable to include a section explaining what personal data might be captured through online learning platforms, including explanations of how it will be used and how long it will be retained. Where consent is relied on as the legal basis for collecting and using personal data (e.g. where the use is not strictly to comply with the school’s legal/public task duties), consents should also be reviewed and updated as necessary. There may be instances, for example, where an education provider wishes to use online recordings for training or marketing purposes. In such circumstances consent should be sought from parents where the student is under 13 or directly from students who are above the age of 13.
Some concluding thoughts
Data protection is by no means a new topic for education providers, but now they are having to grapple with a whole host of issues unique to online learning and often with reduced resource and time constraints. In order to ensure that personal data of staff and students is protected, often it is a good idea to go back to the basics, i.e.:
understanding what data, and particularly sensitive data, is held and then classifying it by its level of sensitivity to the education provider is a good starting point (for example, virtual meetings/notes of sessions discussing special educational needs etc. will require a higher degree of protection);
secondly, education providers need to ensure that personal data is stored securely, prioritising the most sensitive data; and
last, but by no means least, healthy security practices should be deployed, including conducting risk assessments and due diligence. Of course, we are all too aware of the consequences of a personal data breach – the potential for financial and reputational harm, but for the education sector, the stakes are much higher due to the inherent safeguarding implications of handling children’s data.
The Department for Education has a data protection toolkit for schools, which includes helpful guidance as well as useful templates for things like data protection assessments, privacy notices and sample clauses for inclusion in contracts.
If you are an organisation and are looking to assess your data protection practices, please contact Sana Duncan ([email protected]) for further assistance and information.