During the COVID-19 pandemic, many industries including the education sector, have taken swift action to adjust and adapt. Earlier in the year, we covered issues that organisations must consider when implementing additional measures such as temperature screenings. However, as time passes, and more sectors must resume operations while living with COVID-19, further privacy and data protection concerns are becoming apparent. In this piece, we review an emerging blind spot that educational institutions may fall foul of.
In many cases, when a breach of data protection and privacy rights occur, it is not always intentional. With the rapid advancement of online learning environments in response to the COVID-19 pandemic, it is more likely than not that some gaps within processes and procedures may have arisen. These may range from minor non-compliances to practices which may, on reflection, potentially be considered to be surveillance. The very nature of the technologies which enable online learning means that personal data will be collected.
Many systems allow visibility of this data as it is collected. Long before COVID-19, many employers also faced similar growing pains when new technologies to assist in productivity could be potentially misused, leading to employee over-surveillance. However, the issue that educational providers face is ensuring that sufficient policies and guidelines are put in place to prevent the unlawful use of this data. For instance, some data regarding attendance or furthermore the attention paid by a particular student may be used as a metric for student performance. Organisations must decide how this data should be used, whether it is proportionate, and in turn communicate their position regarding the processing of this data to students.
Providers of education should continue to monitor these key areas:
COVID-19 track and trace: In addition to adhering government guidelines, all controllers must assess on a case by case basis that the processing of data in place is proportionate.
Support services for students: Particularly where special category personal data is processed, organisations should assess whether they have ensured that additional safeguards are in place.
Fair Grading: Grades may become influenced by additional data which is now available to the educational institute which would not otherwise have been available pre COVID-19. The controller should provide additional guidelines to staff on the use of this personal data generated by the student.
Video technology: Earlier in the year, the use of video technology proved to be a contentious issue, highlighting the need for adequate due diligence and the proper implementation of programme level security measures. While video technology has proved necessary in the delivery of online education, it poses risks to both the student and teacher alike. It is imperative that all settings and visibility of content is assessed to prevent any future incidents such as the Babylon Health breach.
As educational institutions find their areas of responsibility changing in unexpected ways, we advise organisations to undertake an overarching assessment to identify any high-risk processes or blind spots. Completing a Data Protection Impact Assessment for these new forms of processing can provide a framework for thinking through these issues and identifying potential risks. For some processing activities, they may even be required.
Trilateral’s Data Governance and Cyber-Risk Team offer data governance services that can help your organisation develop policies and procedures to mitigate emerging risks. Trilateral can help audit existing practices, perform gap analyses, and offer compliance support. Our support services will help your organisation to protect individuals’ fundamental rights, building trust among your website users and ultimately, your customers. Please feel free to contact our advisors, who would be more than happy to help.