The ABC recently reported that Human Rights Watch (HRW) analysed 164 educational apps and websites used in 49 countries to track where the data of hundreds of millions of children worldwide ended up during periods of COVID-19 lockdown and remote learning.

The HRW findings showed that 89 per cent of the educational technology, or "ed-tech", products used globally could put children's privacy at risk. Many of the online products that schools required their students to use to keep up with their lessons and their classmates gained access to the students' contacts and locations and some even monitored their keystrokes. Of greater concern is that HRW discovered that this accumulated data was shared with 200 ad-technology (ad-tech) companies.

According to the ABC, one such example was the Adobe Connect app used by many schools for videoconferencing and screen sharing. The application had access to students' cameras and microphones, and HRW identified code that allowed it to collect phone numbers.

If this doesn’t frighten you, there are a raft of other companies and apps noted in the article that breached their own privacy policies and requirements by recording data of the users including their exact geo-location and times, their contact lists “as well as things like who they're hanging out with, and where they go to school”.

This is not an uncommon phenomenon. For those that use Google or Facebook, you may have noticed a slew of advertisements appearing as pop-ups or in a scroll for an item that you may have been looking to purchase online a week or two earlier? There is clearly ad-tech data collection software connected to some of these online platforms.

Some people may argue that, when online apps are used by students, there is a tacit approval to collect their data and even their personal information. However, should there be a clear understanding and agreement regarding what data is being collected, what it is being used for, where it is being stored, how long it may be kept and so forth, in line with the 13 Australian Privacy Principles (APPs).

Some schools asked parents to sign off on privacy statements that advised that, when their children logged on to these ed-tech apps, data was to be collected and stored, but did the schools or the parents know exactly what was being collected and how it was going to be used?

Monitoring Software and Privacy

Channel 7 recently released an article that noted that up to 90 per cent of Australian companies put spyware or ‘tattle ware’ on their employee’s company-provided computers. This is not new. Many companies will have an ICT policy that advises staff that whatever they do on company IT equipment can be monitored. They also install monitoring software on their devices to ensure that company policies are followed and that, in the event of a potential breach of security, they can track and manage the breach before it becomes a serious problem.

According to the report, these spyware software applications can monitor keyboard use, mouse movements and use location tracking software. Gadget Guy’s Val Quinn told 7 News that:

“They can open up your security camera or WiFi camera and can use your phone’s GPS to see where you are or key loggers to see what you’ve been typing.”

However, when employees use company-provided equipment, even when working from home, do they know exactly what is being monitored, stored and then used?

If this technology is available to monitor employees’ use of their IT equipment, it is not too far-fetched to believe that it can also be done by ed-tech companies that provide software for school and student use or even by the schools themselves.

According to the Centre for Democracy and Technology, there are two main types of monitoring software that can be used by organisations on their IT hardware:

• monitoring software installed directly on a device, which has access to more of the device’s information
• browser-based software, which monitors student content and web activity and is stored by an online service. 

Both raise questions about the collection and use of data, but:

“device monitoring is more pervasive than browser-based monitoring which is why it presents a greater risk to students, especially those who are more likely to depend on school-issued devices”.

There are also educational uses for monitoring software. In the post-school (university) environment, there have been discussions in recent years about how to monitor student engagement in a virtual learning environment (VLE).

This article from The Campus, explains how universities can use software or ‘monitoring tools’ that provide insights into student participation and performance that then enables lecturers to integrate more appropriate learning and engagement strategies into their teaching and learning plans.

Schools and Privacy

With the numerous changes in technology and the changing ways that schools collect, store and manage personal information (PI), most schools genuinely try to ensure that their processes and procedures remain compliant with the Privacy Act (1988) and the APPs.

Also central to compliance, most schools ensure that their policies and procedures are updated and in place regarding the use of ICT and information security, as well as human resources policies such as workplace surveillance, email and internet monitoring, social media usage and staff training.

However, are schools aware that some of the educational apps that they signed up to use and required their students (and staff) to use during periods of remote learning may not have been as clear in their data collection statements and requirements?

In addition, if they use any type of monitoring software on school-issued computers and equipment, have they made all data collection requirements (as required under the Privacy Act and the APPs) explicit in their privacy notices so that students and parents can give informed consent regarding what data is being collected and stored?

If schools manage this situation effectively by undertaking a formal due diligence process for each educational app that they would like their staff and teachers to use, they will quickly identify the apps that collect and/or store student data and decide whether or not this risk is acceptable for their purposes. This is already happening in many schools around the country and apps are being carefully scrutinised both for educational purpose and for privacy issues.

In addition, if schools ensure that their privacy collection notices regarding the use of school IT equipment also include details regarding any data that may be collected by the approved education apps, then they can be more assured that the parents/guardians and students are truly giving informed consent for the collection, storage and use of the data.

Conclusion

Schools know that privacy is a community expectation, and that staff, parents and students are more aware of their rights with regard to the collection, storage and use of their personal information.

However, do schools know, and did the students and parents know, that personal information may have been collected via ed-tech apps, and that, in some cases, it was also being shared with other companies and possibly used for purposes that were not in the best interests of children?

With the Privacy Act currently under review, I would argue that we need it to include specific rules on the collection and use of children's personal information through online apps and technology. These rules would need to ensure that their personal information was only used in ways that were in their best interests.

In the interim, schools need to take charge of their privacy obligations including in the online world and keep them in hand through due diligence processes in vetting educational apps (ed-tech) to ensure that they keep their students and their students’ data safe in cyber-space. Given that there have been several instances where schools have had to rely on online learning over the last two years, annual audit questionnaires should be completed for each educational app that is being used to ensure that changes to any of the ed-tech’s privacy policies or conditions which may expose personal information to greater risk, are not passing unnoticed.

By doing this, schools will get the best of both worlds by ensuring that their students are able to continue with their learning through the use of safe educational apps and that their privacy will be protected. All in all, a symbiotic win-win situation.