Privacy is incorporated into the daily activities of many of our employees, and safeguarding data for customer benefit is close to our hearts. In honor of the World “Privacy Day” on 28.1., we are launching a series of thoughts from Sanoma’s Privacy Champions. First, we invite you to read John-Arthur Berg’s five takeaways on privacy during remote working in itslearning. Read more about our privacy work as part of our sustainability commitment at Sanoma.
By John-Arthur Berg, itslearning
For nearly two years, educational institutions around the world have had to adapt and improvise due to the global Covid-19 pandemic. Remote and blended learning became critical. Some systems were more prepared than others.
School systems with a mature digital infrastructure in place were better prepared. Others had to scramble to procure and implement solutions in a matter of days. Shortcuts were taken, and assessments of privacy concerns were often bypassed.
Remote learning is still a big part of education in 2022 and will be with us for the foreseeable future. It is therefore important to review the events of the past few years from the point of view of data privacy. Here are some takeaways.
A global pandemic does not mean we can relax data privacy measures
For a while, people seemed to believe that the emergency trumped data privacy. There was a rush to acquire digital tools and content to help students with home schooling (remote learning). Suppliers that perhaps normally would not get through the scrutiny of a data privacy review saw a tremendous rise in interest from educational institutions. This was for the greater good, right?
But it quickly turned out that even services that were essential for dealing with the global pandemic had to follow the basic principles of data privacy. The Norwegian government was quick to launch a contact tracing app to help control the spread of the virus, but the data protection authority was even quicker to shut it down. A global pandemic is not a reason for being relaxed about data privacy measures.
When the importance of personal data and the systems that process them go from “nice to have” to “critical”, the importance of data protection increases substantially. A few years ago, if a teacher’s account was hacked and deleted, they could figure out another way to run their class. But during the pandemic, that could mean that two dozen children won’t receive any education for days. The need for data protection is assessed against the impact on people when something critical like this happens.
Learning point: You need to strengthen your data protection protocol in times of crisis.
Data privacy is also about availability
During the early stages of the pandemic many suppliers were hit with sudden spikes in usage of their systems. Not all vendors were able to support the increased need from their existing customer base. In some cases, it took days or even weeks for these vendors to regain availability.
Most people would associate a data breach with someone hacking into software and stealing data. But in terms of GDPR, a prolonged loss of the availability of data can also be considered a data breach. It depends on how it impacts your users. If a system went dark for days on end, materially impacting the delivery of education, it should be considered a data breach. The safeguards that systems and vendors can offer against availability breaches should be part of any data privacy assessment.
Learning point: When assessing your vendors’ security measures, consider their capability for availability and continuity during unexpected, prolonged peak loads.
Many institutions still struggle with basic security measures
2020 saw a new phenomenon (at least for schools) dubbed “Zoom bombing”. Because video conferencing tools allowed unauthenticated access, malicious attacks were launched by guessing the URLs of meeting rooms. At best it disrupted ongoing remote learning; at worst it exposed students to inappropriate content and behaviors. (Zoom has since added measures such as the security button to prevent Zoom bombing.)
Even institutions that only allowed authenticated users onto their systems were not immune to hacks and data breaches. Phishing, the practice of luring users into giving out usernames and passwords by impersonating a legitimate service, was widespread. This is an example of why username/password authentication alone is not enough, and why data protection agencies advise that staff accounts in digital learning environments must be protected with multi-factor authentication. (You can read more about why passwords are not enough in my earlier blog post.)
Learning point: Review your basic security measures. Make sure you enforce appropriate authentication for your learning services.
Many organizations are still not aware of the rights of their students and teachers
Moving to remote learning introduced a lot of changes in many organizations. New systems were brought in and more personal data was collected. For some organizations, you could even argue that the purpose of the processing of personal data changed. But in this process, many organizations let slip the fundamentals of adhering to GDPR.
All users of a digital learning environment have data privacy rights. Perhaps the most important is transparency around how their personal data is being processed. If, during the pandemic, you changed the way personal data is processed, the change should be transparently documented and easily available to all stakeholders, including your students (and parents).
Learning point: Do a reassessment of your “GDPR implementation”. Make sure you have the competence in your organization to appropriately protect personal data and respect the data privacy rights of your users.
But don’t let data privacy issues stop remote learning
Data privacy is a fundamental right, but so is education. So, data privacy should not be used as an excuse to discontinue online education when an event like this pandemic makes it impossible for schools to remain fully open. Data privacy should not be seen as an obstacle that puts us back into the pre-digital “dark ages”, but as a quality assurance tool for ensuring that digital services can be delivered in a safe and reliable manner.
Once this pandemic is over, it is important not to get complacent. Let’s assume something like this can happen at any time. Prepare plans, infrastructure and vendor contracts to ensure that if another unforeseen incident shuts down schools in the future, you will already have a data-protection-friendly infrastructure in place that allows education to continue even when schools are closed.
Learning point: Set up a “school continuity plan” that will facilitate a smooth and data privacy friendly move to remote learning.
Here is a checklist from itslearning to ensure GDPR compliance at your school. Watch the free itslearning webinar to learn more about how you can protect data at your educational institution.