Five important data privacy takeaways from 10 months of remote and blended learning


Posted on

John Arthur Berg

John-Arthur Berg, itslearning

For almost a year, educational institutions around the world have had to adapt and improvise due to the global Covid-19 pandemic. Remote and blended learning became critical. Some systems were more ready than others.

School systems with a mature digital infrastructure in place were better prepared. Others had to scramble to procure and implement solutions in a matter of days. Shortcuts were taken, and assessment of privacy concerns were often bypassed.

Remote learning is still a big part of education in 2021 and will be with us for the foreseeable future. It is important then to review the events of the last year from the point of data privacy. Here’re some takeaways.

A global pandemic does not mean we can relax data privacy measures

For a short while, it looked like many believed that the emergency trumped data privacy. There was a rush to get hold of digital tools and content to help students with home schooling (remote learning). Suppliers that, perhaps normally, would not get through the scrutiny of a data privacy review saw a tremendous rise in interest from educational institutions. This was for a greater good, right?

But, it quickly turned out that even services that were essential for dealing with the global pandemic had to follow the basic principles of data privacy. The Norwegian government was quick to launch a contact tracing app to help control the spread of the virus, but the data protection authority was even quicker to shut it down. A global pandemic is not a reason for being relaxed about data privacy measures.

It is actually the opposite.

When the importance of personal data and the systems that process them goes from “nice to have” to “critical”, the importance of data protection increases substantially. A year ago, if a teacher’s account was hacked and deleted, they could figure out another way to run their class. But in the midst of the pandemic, it could mean that two dozen children do not receive any education for days. The need for data protection is assessed against the impact on people when something critical like this happens.

Learning point: You need to strengthen your data protection protocol in times of crisis.

Data privacy is also about availability

During the early stages of the pandemic many suppliers were hit with sudden spikes in usage on their systems. Almost every provider had stability issues, including itslearning which saw bandwidth needs tripling. Unlike us, some vendors were simply not able to support the “new” need from their existing customer base. In some cases, it took days or even weeks for these vendors to regain availability.

Most people would associate a data breach with someone hacking into the software and stealing your data. But in terms of GDPR, a prolonged loss of the availability of data can also be considered a data breach. It depends on the impact it has on your users. If a system went dark for days on end, materially impacting the delivery of education, it should be considered a data breach. What safeguards systems and vendors can offer against availability breaches should be part of any data privacy assessment.

Learning point: When assessing your vendors’ security measures, consider their ability for availability and continuity during unexpected, prolonged peak loads.

Many institutions still struggle with basic security measures

2020 saw a new phenomenon (at least for schools) dubbed “Zoom bombing”. By allowing unauthenticated access to video conferencing tools, malicious attacks were launched by guessing the URL of meeting rooms. At best it disrupted ongoing remote learning, at worst it exposed students to inappropriate content and behaviors. (Zoom has since added additional measures such as the security button to prevent Zoom bombing.)

Even institutions that only allowed authenticated users onto their systems were not immune to hacks and data breaches. Phishing, the concept of luring users to give out usernames and passwords by portraying as a legitimate service, was widespread. This is an example of why having a username/password authentication is not enough, and why data protection agencies advise that staff accounts in digital learning environments must be protected with multi-factor authentication. (You can read more about why passwords are not enough in my earlier blog post.)

Learning point: Review your basic security measures. Make sure you enforce appropriate authentication for your learning services.

Many organizations are still not aware of the rights of their students and teachers

Moving to remote learning introduced a lot of changes in many organizations. New systems were brought in and more personal data got collected. For some organizations, you could even argue that, the purpose of the processing of personal data changed. But in this process, many organizations let slip the fundamentals of adhering to GDPR.

All users of a digital learning environment have data privacy rights. Perhaps the most important is transparency around how their personal data is being processed. If you in the midst of the pandemic changed the way personal data is processed, it should be transparently documented and easily available for all stakeholders including your students (and parents).

Learning point: Do a reassessment of your “GDPR implementation”. Make sure you have the competence in your organization to appropriately protect personal data and respect the data privacy rights of your users.

But don’t let data privacy issues stop remote learning

Data privacy is a fundamental right, but so is education. So, data privacy should not be used as an excuse to discontinue online education when an event like this pandemic makes it impossible for schools to remain fully open. Data privacy should not be seen as an obstacle that puts us back into the pre-digital “dark ages”, but as a quality assurance tool for ensuring that digital services can be delivered in a safe and reliable manner.

Once this pandemic is beaten, it is important to not get complacent. Let’s assume something like this can happen at anytime. Prepare plans, infrastructure and vendor contracts to ensure that if another unforeseen incident shuts down schools in the future, you will already have a data protection friendly infrastructure in place that allows education to continue even when schools are closed.

Learning point: Once the pandemic is behind us, set up a “school continuity plan” that will facilitate a smooth and data privacy friendly move to remote learning.

At itslearning, we are committed to keeping data safe. You can learn more about our GDPR commitment on this page: Your data matters.

Watch our free webinar recorded on Feb 3, 2021 to learn more about how you can better protect data at your educational institution. You will also receive a checklist to ensure GDPR compliance at your school.

Watch On Demand

Remote learning starter kit image

Free Remote Learning Starter Kit


Recent Posts