Protect yourself – ‘Know the Terms’ before signing on the dotted line!
It was great to hear in the news this morning that the NSW Department of Education believed teachers spent too much time on “low value” administrative tasks, and aims to reduce that by 20 per cent by the end of 2022. Let’s hope others follow suit…
At the same time this week, a cybersecurity colleague reached out to me on LinkedIn to share an article that showed the dark web was awash with school children’s personal data.
Ransomware gangs had published data from more than 1,200 American K-12 schools, and some schools shockingly appeared unaware of the problem even though such theft could set up a child for a “lifetime of potential identity theft”. One expert highlighted: “I think it’s pretty clear right now they’re not paying enough attention to how to ensure that data is secure…I don’t think [schools] have a good enough handle on how large that exposure is”.
I’ve been working in the Education space for nearly 10 years, and when I first started walking the halls of Education Departments to introduce myself/my solution, it was clear, even from the outside, that deals had already been made with the ‘Big Techs’. These deals were seemingly based purely on fiscal cost gains and a perceived necessity (cheapest deal) as no one at the time understood or valued the importance of data – let alone what role that plays in privacy.
I questioned those decision makers then (and now) and wrote about this “Creep” getting into the classroom way back in 2017, wondering how much of our children’s privacy and digital footprint had already been effectively “gifted” for a cheap solution.
So, what are Education Departments around the world doing about this now that it’s blatantly clear harm has been done? Are they righting this wrong, or at the very least recognising the issue? I believe so, in random places.
You have the right over your own data
My U.S. colleague, Mike Dowling, recently wrote a piece on how important protecting student identity is to any school cybersecurity strategy (and how relevant is that piece right now?). He had heard that many U.S. schools were inadvertently giving away student photos online without valid parental consent. This one act alone was giving away more personal data on a child – instantly, to a global audience – than any other. I wanted to start using a term, other than Sharenting, to describe this activity organisations were undertaking under the guise of “social engagement” (if you can suggest a term, please let me know).
When publishing photos on the internet, you cannot erase them as they are shared repeatedly, even after deletion. And many social media sites have clauses hidden in their terms and conditions that give them rights over the content shared on their platforms. This means when a school posts a photo of a child on such a site they are handing over ownership of the photo to the owners of these platforms, who can then use the photo as they see fit. And, because the school agreed to the terms and conditions, there is not a lot that they can do about it.
This can also be the case when using a third-party platform or app to store your photos. For example, using Google Photos means giving that platform full access to all your photos so that the company can collect what it can simply by stating it only uses this data when needed. Google then links all this data to your identity to support its data-driven advertising business. Such companies want to gain some revenue opportunity out of your partnership, and this problem is exacerbated by the fact that most schools don’t know all the child-based information that’s being stored on these external platforms (and whether it is sensitive data), how this data is being used by these companies, and for how long.
Make sure your data is not being used inappropriately and you have full access
One area that continues to be side-stepped, but is vitally important when making any technology procurement decision at a school is: Have you read and fully understood the provider’s Terms of Service?
As a school, you have the right and responsibility to do a thorough investigation into those Terms before deciding to use a service. Our Privacy Officer spends hours reading through such Terms to help schools understand what data obligations they have either intentionally or unintentionally signed up to, and it’s surprising how many times schools just don’t realise what they’ve given away by signing a contract with a third party. Ten years ago, before Cambridge Analytica, schools may have had an excuse as to why they may have missed this step, but not today.
What to look out for in “the Terms”
We all understand that School Administrators are under pressure – especially during a pandemic – to employ technology that improves school performance; however, it must not come at the expense of student privacy.
Unfortunately, many global EduTECH platforms were built adult-centric and are not designed with child-safe privacy-by-design features in mind (and btw, it is very difficult to add them in ‘after’, especially if doing so goes against a business’s commercial model).
- Use of data – for what purpose are they using your data? Is there any secondary purpose they allude to (e.g. “to improve our service”) that you don’t give consent to use? For example, when using a facial recognition service, do you know if the vendor uses an ethical, private service where students’ faces are not stored in some global face bank?
- Retention of data – for how long will they keep your data? Is it forever?
- Transfer of data – where is your data stored? Is it staying in your local jurisdiction, covered by local privacy law? If stored overseas, where, how much data, and is the location equivalent in terms of privacy protection coverage?
Under Terms, look out for:
- What data will the vendor collect? Data should not automatically be collected for purposes beyond education or business administration—for instance, product improvement. If data must be used for product improvement or other non-educational purposes, it should be properly anonymized and aggregated.
- Does the vendor follow current best practices in data security? Do you have access to the data at any time?
- Does the vendor warn in its Terms it may share inappropriate content which may be offensive to children? (This can be written in the Terms, so look out for it.)
- Are you being told if you use this vendor, you cannot use any other service? i.e., a locked-in contract.
- Are you granting the vendor rights to use your content for their own commercial purposes? (e.g. grant to the Site and the Company a non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to use, publish, copy, publicly perform, publicly display, reformat, translate, excerpt (in whole or in part) and distribute copies of your Media Material)
- Does the vendor give advance notice when it changes its data practices?
- Will the vendor disclose any student data to its partners or other third parties in the normal course of business? If so, are those conditions clearly stated? What are the privacy practices of those other entities?
- Is the Termination clause immediate? Are you still able to gain access to your data and request it to be returned in a usable form?
While it can be tempting to ignore the Terms and privacy policies in order to speed up the process, it is important to read them – the protection of your data should always be top of mind.
It is also important that you are comfortable that the school’s data is not being used for any other purpose than the original intention, and that the benefit for using the provider strongly outweighs any risks, especially when it comes to the handling of personal (and possibly sensitive) information of children. These third-parties are representing your school brand and reputation.
Your school’s privacy is important. If you skim the Terms, you may inadvertently place your school and families into a legal contract where student data is being passed on and shared commercially with your consent.
Thank you for reading this article.