Schools and PIAs
Privacy Awareness Week (May 3-9, 2021) is here with a theme of ‘Make privacy a priority’, so I thought I would write about the importance of organisations conducting Privacy Impact Assessments (PIAs) on technologies that collect and manage personal data, especially ones used to collect and manage personal data of children e.g., schools – including on their own systems and services.
My own company has recently been inundated with many requests to fill in PIA questionnaires – some 50 questions long, some 150 questions long, some well-designed and written, others not so much, but I am happy to oblige and provide any input and guidance to ensure anyone who partners with pixevety is 100 per cent comfortable with our data privacy and security management practices.
Our platform was built from scratch using world class privacy-by-design (PbD) engineering principles so we will never shy from such requests, in fact, we encourage them. PbD is a process used to embed good privacy practice into design specifications of technologies, business practices and physical infrastructures. Unfortunately, not all Ed Tech providers are privacy centric. Even the big tech players who have decided the school market is an attractive, lucrative market (“cradle to grave”) continue to deliver via schools’ adult-designed and privacy-weak products, services, and platforms to children, even selling this data to advertisers.
Living in a digital world means data breaches will occur more often. With more schools introducing third-party technology services to students at an alarming rate due to the global pandemic, it is extremely important that every school takes their own data privacy management practices seriously and think about the potential financial, reputational, social and privacy costs caused by any potential data breach or mishandling of children’s – in 2021 make privacy a priority!
Properly assessing such risk early will mitigate any potential negative effects and save a school money that would otherwise need to be spent on rectifying harm done. PIAs are designed to identify the privacy risks of handling personal information and reduce these risks via greater security or minimal data collection. Once privacy risks are identified, recommendations can be made on how a school can manage, mitigate, prevent, or eliminate these risks.
What are schools responsible for?
Schools are responsible for informing parents and carers about the use of apps and web‐ based learning tools via:
- parent information notices
- collecting valid consent and
- providing opt‐out forms.
Schools are responsible and accountable for the personal information they collect even when the information is held by an external service provider or contractor operating in Australia or overseas. Terms and privacy policies are unique to each app and web-based tool, making it important for schools to carefully examine these to check adequate privacy protection are in place. When an app or tool originates overseas, data will be transferred to that country and become subject to that country’s laws meaning battles must be fought in overseas courts and they may provide less privacy law protection.
The first step towards a privacy assessment can be as simple as reading the Terms and Privacy Policies of the apps and online tools currently being used by the school to check they are privacy-centric and – like schools – committed to protecting the data of children (versus making money off the collection of data in some form today, or at a later stage).
How do schools select the technology they use?
From an outside-in perspective, the good news is I am seeing more private schools making technology decisions based on privacy instead of the cost benefit or simply wanting the latest innovative “shiny new toy”.
However, a 2020 study conducted by the Office of the Victoria Information Commission (OVIC) highlighted that many public schools were not aware of a requirement to complete a PIA for all apps and web-based learning tools implemented by the school and, therefore, had not conducted a PIA resulting in the purchase of technology products that were not privacy compliant. The study also uncovered that most decisions made around the purchase of technology at schools were mainly focused on financial versus privacy considerations, not always considering the privacy or data security implications and inadvertently relinquishing data for cost benefit without considering what they were “giving away” for commercial concessions. The research concluded that at these schools’, privacy was not a priority as many products were being chosen because they were free.
What is that old saying again? ‘If you are not paying for the product, you are the product!’.
Such insights should ring loud warning bells for any school business manager or administrator, and ultimately parents, and make them question what technology is being used at their school and whether a child’s privacy is at stake?
Should schools conduct PIAs on themselves?
Yes. When my company gets asked to fill in PIAs, I also enquire “Has the school also conducted a PIA on say, Facebook, Google, YouTube, Canvas or SeeSaw? What existing technology embedded at the school requires a PIA to ensure the school is protecting children’s data across the board, not just with a new photo management platform?”.
Focusing on an intense due diligence program during Covid just for new technologies means schools are failing to look in the rear-vision mirror to see what pre-pandemic decisions made (as this US article shows) are still affecting a child’s privacy today. Doing PIAs this way is a half-baked approach, especially as many of the big tech or overseas technologies used at schools are currently in the news being accused of, or facing billion-dollar fines for, poor child data handling practices.
Sometimes referred to as a Privacy Matrix, it may sound like a time-consuming exercise but conducting a one-off overall PIA assessment can do a world of good to push a school from being non-privacy to privacy compliant and reduce risk. Such information helps schools streamline privacy notifications to parents by using content from the matrix to create their notifications for online services and share this notification on their website to keep current and prospective parents informed of systems used in the school.
PIA analysis will also help assess a school’s level of privacy control (i.e., policies, procedures, and structures) currently affecting accountability for privacy compliance, and describe and de-mystify privacy implications to maximise privacy protections.
Key question to ask when conducting a school PIA:
- What technologies do we currently use that collect and store personal information of students and parents? Do their terms and privacy policies align with ours? Are they based local or overseas? What do they do with this data once they get it? How long do they promise to store this data?
- Who authorises the purchase of new technologies and how is this process done? Is it structured and fair? Does it make privacy a priority? Do we compare apples with apples when it comes to each provider’s security and privacy obligations to us?
- Is all the personal information currently collected on students necessary? Is the data accurate, complete, and up to date?
- How do we ensure we build greater transparency in notifying and seeking valid consent from parent/legal guardians before giving access to students?
I hope you agree that 2021 must be ‘the year’ to make privacy a priority for our children to protect them from the increased harm occurring online during this pandemic and lead by example. Thank you for reading – Colin Anson.