itslearning recently announced a partnership with Google for Education, raising a few questions about data privacy. As a Data Protection Officer, I am not involved in the commercial or strategic decisions of itslearning, but I do get asked for opinions on the data privacy implications of most things we do. For the sake of transparency, I will share my thoughts on the subject.
Let’s consider itslearning cloud integrations in general (itslearning also supports integrating with Office 365 and Dropbox). Cloud services usually come in two different flavours, and although they might look identical, they are very different beasts from a data privacy point of view.
Vanilla flavour: An enterprise solution “sold” to the (educational) institution.
Liquorice flavour: A consumer solution that you sign up for yourself.
(There is also a third flavour – a result of some companies trying to mix the two flavours – but from a GDPR point of view, this leaves a bad taste in my mouth).
Let’s consider the vanilla flavour first. If you, as a teacher or student, receive a Google (or Microsoft) account from your school, it’s going to be vanilla. What this means from a GDPR point of view is that the educational institution is the data controller (owns/controls all data) and Google is the data processor. Google can only process data as instructed by the institution. In simple terms, this should mean that Google will keep the personal data walled off from their chocolate flavoured services (consumer services), and won´t directly try to monetize on your personal data.
This doesn´t necessarily mean that everybody likes vanilla. Each institution that signs up for such services becomes a data controller and has significant data privacy obligations to their end users. In the end, the institution will have to determine if the service fits their purpose and offers an appropriate level of data privacy.
For the liquorice flavour, there are no intermediary institutions that take care of data privacy rights. Users contract directly with the service provider, who under GDPR becomes a data controller. The service provider will determine the purpose of how your data is processed and will often try to monetize on your personal data. (They are required to be transparent about it; check the terms and conditions of their privacy statement.)
Regarding the partnership between Google for Education and itslearning, the integrations are built around Google’s vanilla-flavoured services. This is a solution for institutions that have already signed up for G Suite for Education, have assessed and concluded that Google offers an appropriate level of data privacy and security, and have signed a legally-binding data processing agreement. itslearning will not suddenly start to process our customers’ personal data with Google under this new arrangement.
But if a customer of itslearning has signed up for G Suite for Education, and decides to make use of the integration capabilities offered by itslearning, is personal data transferred over to Google’s control? No. The little data that is moved to G Suite for Education is still under the control of our joint customer. It cannot be independently processed by Google. It is also worth mentioning that the only Personal data itslearning currently moves to G Suite for Education is names of users – data that your institution has probably already provisioned G Suite with, to give you an account.
itslearning also offers integrations to some liquorice-flavoured services. If you use Dropbox, and you want a convenient way to upload a file to itslearning, it can be done directly from Dropbox. But with the liquorice flavoured services, itslearning never gives out any personal data.
To sum it up: customers of itslearning decide if it is appropriate, or not, to use cloud service integrations in the platform. itslearning does not pass on personal data to vendors that the customer has not already approved. Customers can always opt for a “flavour-free environment” and turn off the option to integrate with cloud services altogether.
This is the sixth blog post penned by Data Protection Officer (DPO), John Arthur Berg, itslearning