E-learning platform, privacy

Providing safe educational technologies – a guide for educators

The current response to the Coronavirus is making massive changes to all our lives, but it’s also accelerating various existing trends. One of these has been to move education online, due to the closure or suspension of schools and universities.

Educators have had to move incredibly rapidly, in order to get something that works well enough, often with very limited (or no) additional resources. This can mean that concerns around privacy, ethics and data protection can get shelved. At the same time, this is an opportunity for educational technology developers and providers to expand into this new market.

In response to this challenge, civil society groups have issued an open letter to policymakers, data protection authorities and providers of educational technologies, reiterating that “every child has the right to a safe, open, and inclusive education, free from commercial exploitation, that enables their full and free development into adulthood and promotes human flourishing.”

They are expressing a very valid concern that the rush to provide online education risks undermining learner’s rights and children’s rights at unprecedented speed and scale.

At Trilateral, we recently concluded a three- and half-year long research project, where we built privacy into the design of a learning technology platform. The DEVELOP project gave us the opportunity to go into great depth about how you can build educational technologies that respect privacy. It can be done.

The project concluded with some guidance on the main privacy and data protection issues associated with educational technologies, and a privacy and ethics guide for organisations looking to procure educational technologies. This guidance is not exhaustive but is intended to support such organisations acting in an ethical and privacy-respecting manner. We think it’s certainly worth sharing in the current context.

Learning platform privacy checklist

If you are looking to adopt a new educational technology, please view a helpful checklist below:

Understanding the learning challenges

Have a clear understanding of the learning challenges that your organisation and its students/learners face. This will act as a focus when looking for technological solutions, and help you not be distracted by additional features or services. Be wary of solutions looking for problems.

Engage in a structured conversation about privacy

Engage the vendor in a structured conversation about privacy and data protection. This will help you to determine how seriously they take these issues.

  • Can the technology vendor tell you about user privacy within the potential system?
  • Can the vendor provide any guidance on the key questions associated with a data protection impact assessment?
  • Can the vendor tell you where personal data is stored?
  • Can the vendor tell you about the identities and purposes of third-party services they reply upon?
  • Can the vendor support you in developing a privacy policy for the service or system? When you have to develop a privacy policy, will the vendor be able to provide you with the information you need?

Assess how personal data are managed

Consider the legal basis that you would rely upon for the collection and processing of personal data for the operation of the system. Under the GDPR, the options are:

  • Consent: clear consent from the individual user to process their personal data for a specific purpose.
  • Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  • Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  • Vital interests: processing is necessary to protect someone’s life.
  • Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law (for many schools it will be this).
  • Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

If you will rely upon the consent of students/learners to process their personal data within the service, you need to be sure that they are able to meaningfully give consent. This will not likely be valid consent if they are required to use the service (e.g., if all assessments will be done through this system with no alternative options) or if they are employees. In this context, it may be better to identify an alternate ground for processing personal data.

Assess the data protection impact and features

  • Conduct a Data Protection Impact Assessment (DPIA) prior to the adoption of the technology-enhanced learning technology (there’s detailed guidance on this in the report).
  • Include the privacy requirements derived from the consultation and the DPIA into a formal Request For Proposals/Projects with technology vendors.
  • Find out if the technology/platform/service includes any privacy-by-design features. Are these documented?

Identify the business model being used to provide the service

  • Exercise some caution with for “free” products that are being subsidised by the extraction of value from data. Does this trade-off risk some of your organisational values?
  • Is student data being used for other purposes? It is very possible that student/learner data is being used to train and refine a machine learning model. Are you, as an organisation, happy with this trade-off? Are you getting appropriate compensation for organisational data?
  • Is student/learner data being monetised in any way?
  • What data will be retained by third parties if your organisation (or a learner) stop using the technology?

Can users make their own decision?

Find out if the system/platform/service allows users to make their own decisions about how much information to share with the system, and what personal data to give up?

Understand how the system uses analytics, automation, algorithms, big data, or machine learning.

  • Can the vendors explain how any algorithmic features within the system work?
  • Do you have a clear picture of how these operations can be communicated to students/learners?
  • Do you have a clear picture of how these operations can be communicated to staff, particularly those with management responsibilities, and who would have to deal with any queries or complaints?

Does the system/platform/service allow data subjects to exercise their rights under the GDPR?

  • Can learners easily access their personal data in the learning technology, including any calculated or derived scores or assessments, in a commonly used file format, and easily transfer these to a competing system?
  • Can learners easily rectify any incorrect personal information held about them?
  • Can learners request the erasure of their personal data held in the system?

Take into account learners’ perspectives

Consult with potential users of the system and your wider community to understand:

  • Their needs and desires for using the system – Does the system do something that will be useful for the learners/students themselves? Or does it largely support institutional priorities?
  • Their concerns about how the data they provide to the system will be used.
  • Their perspective on the proportionality of the system and on any trade-offs being made in relation to personal data.
  • Their perspective on the proposed terms of service

Download the full report here:

Privacy and ethics – Good practice guidance in developing technology-enhanced learning platforms

For more information contact our team:

David Barnard-Wills, Senior Research Manager at Trilateral Research

 

 



‘Risk Assessment Report and Methodology’

You can view the Executive Summary and Table of contents of the Project Solebay Risk Assessment Methodology Report.

Please sign up to the Solebay mailing list to download the Full Solebay project report.