MET:Privacy in Design

Created by Matthew Hull (2014)

Privacy cloud. Created in Wordle.net

General Principles

As educators move into the realm of e-Learning they have a need to not only design learning based on best practices, and considerations of current research, but also to be aware of Provincial and Federal privacy laws surrounding the of students personal information. Across the educational spectrum we have seen a rapid growth of e-Learning programs, as well as an explosion Web 2.0 technologies. Web 2.0 has traditionally been defined as a web-based tools that allow authors to collaborate and actively create content, generate knowledge, and share online ^[1]. The implications for privacy, and the use of modern e-Learning technologies, such as web 2.0, is the storage of personal information on data servers outside of the control of the institution. Federal and Provincial governments have enacted legislation with the intent of creating a baseline protection of personal information within public bodies. Before any planning can be done with considerations of privacy, it is important to understand what is meant by personal information. Bradley Weldon, a Policy Analyst for the office of the Information & Privacy Commissioner for British Columbia defined personal information as, "recorded information about an identifiable individual" ^[2]. The concept of identifiable is further defined as information that^[2]:

is specifically about someone
may or may not include descriptions of people
may appear in various formats (email, photo, voice record)
any unique numerical identifies (SIN#, student #)
was collected for the purpose of delivery service

Most privacy legislation is concerned about information for which the public body has custody over. This is not necessarily information that is owned by the body, but rather represents a contractual obligation to maintain and protect personal information on their clientele.

Attitudes Towards Privacy

Smith, Millberg, and Burke (2000)^[3], following a study on attitudes towards privacy on the internet, discovered four general categories of concern:

Collections: There is a large amount of Raw data that is collected through the use of online media, and email storage
Third-Party Use: There appears to be little control, or knowledge of the sharing or selling of personal information to parties other than to whom you granted the information. For example, many times user agreements will state that the company maintains the right to share your information with it's subsiduaries, however, does not inform you who those groups are, or allow you to select which groups you approve of.
Access: What are the security measure put into place to ensure that the data is securely stored, and what is in place to prevent unauthorized access.
Errors: What methods exist to safeguard, or change, data that was inputted inaccurately, or deliberately.

Although public research polls [1] in the US have shown that 84% of American adults are concerned about the implications of 3rd party entities finding information about them or their family, many of these concerns vary based on occupation and academic departments ^[3]. For example, typically people involved in the arts and sciences, nursing and education were more concerned about privacy than those involved in business ^[3]. Where as University Employees were the most concerned about the protection of student information ^[3].

During a recent survey undergraduate students were asked about the web-based services that they had used throughout their semester. It is interesting to note that the majority of students mentioned that the tools had been assigned by their professor.

Web-Based Technology Use in Courses	Percentage Using Technology
Web-Based word processor, spreadsheet, presentation, and form applications (Google Docs, iWork, MicrosftOffice Live Workspace, Zoho, etc.)	36.2%
Wikis (Wikipedia, Course wiki. etc.)	33.1%
Social networking websites (Facebook, MySpace, Bebo, LinkedIn, etc.)	29.4%
Video-sharing websites (YouTube, etc.)	24.3%
Web-based calendars (Google Calendar)	17.4%
Web-based citation/bibliography tools (CiteuLike OttoBib, etc.)	17.2%
Blogs	11.6%
College study support	10.9%
Photo-sharing websites (Flicker, Snapfish, Picasa, etc.)	5.4%
Micro-blogs (Twitter)	4.3%
Online virtual worlds (Second Life, Forterra, etc.)	1.4%

Source: Shannon D. Smith and Judith Borreson Caruso, with an introduction by Joshua Kim, The ECAR Study of undergraduate Students and Informaion Technology, 2010 (Research Study, Vol. 6), Boulder, CO: EDUCASE Centre for Applied Research, 2010, available from http://www.educase.edu/ecar)

Higher education in particular has seen a large shift to cloud based computing which has created a pedagogical shift towards student centred learning and conversation, and away from faculty-driven transmissive education. As exciting and promising as this shift is, institutions are encountering new challenges in their mandate to protect personal privacy. ^[3]

Potential Problems and Implications

As legislation is particularly interested in the protection of information problems typically arrive when institutions are looking at either sharing information, even if just for research, or the use of Cloud Computing. Cloud Computing is generally defined by these three applications: Software as a Service, Platform as a service, Infrastructure as a Service ^[2]. The use of cloud computing, in any of these scenarios, is attractive to many institutions because of the possibility to lower infrastructure costs, increase the flexibility of use, and potentially lower administrative burden. However, the difficulty particularly comes into play in Canadian Jurisdictions. A large number of current Cloud Computing services are offered from companies based in the United States. According to many Privacy acts, all access to information must be with written consent of the individual. The Patriot Act, of the US, however maintains that the US government has the right to access any data at any time if it resides within their geographic jurisdiction. Although it is possible to receive written consent, identifying that the individual is aware of this concern, the issue becomes even more complicated because the consent must be for all of the individuals with personal information on the record. For example, if students were invited to write a family history in Google Docs, teachers would be required to request permission of each individual that they mention in their family history - needless to say this can be a rather difficult operation.

Considerations for Design

When considering the design of e-Learning instructors have the responsibly to ensure that they are not only providing a pedagogically sound valuable educational experience for their students, but must also ensure that they are in keeping with privacy legislation to protect the personal information of their students. As we move forward with the implementation of various cloud-based solutions, and e-Learning environments, privacy will continue to be problematic. Three strategies that would be of value to consider would be ^[3]:

legal, policy, and guidelines - consult with your institution regarding the availability of current policy that deals with on-line learning. For example, many institutions are creating policies that set guidelines for the use, and creation, of social media accounts to ensure that they faculty remain cognizant of the importance of privacy. Also ask about the availability of student consent forms that can be submitted prior to beginning an assignment (see resources for samples of consent forms. Finally some institutions (i.e. Cornell University) strongly encourage their instructors to all their students to opt out of using Web 2.0 tools to ensure that students are not required to use these collaborative tools, and potentially leave their information open.
technical - discuss the availability of in-house storage solutions. Quite often the infrastructure is in place to support local versions of online software, but institutions do not adopt them as they are not aware they are needed. For example, many institutions have localized copies of WordPress Installed to allow teachers and students to create personal sites/blogs without having to pass on storage to a 3rd party system. This feature is also available for mainstream programs such as Google, VoiceThread, and Yammer.
and social and educational - Though the use of social media, and Web 2.0 tools, is becoming generally accepted among todays students, teacher still have, and always will have, the reposibility to teach responsible and safe use of these technology. Cornell university, for example, has put together a policy for students to consider when setting the privacy restrictions on their personal Faceboovk page, and at the same time reinforces the importance of privacy when they restate their no-monitoring policy. The University of British Columbia (UBC) has setup a site entitled the Digital Tattoo Project to engage students and their peers in discussions surrounding digital privacy, identity and rights. Thus allowing the institution to engage in meaningful conversations surrounding the topic of online privacy.

Julia Hengstler in her primer entitled A K-12 Primer for British Columbia Teachers Posting Students' Work Online presents an overview of six considerations that teachers should take into account when planning for implementing e-Learning in their classrooms^[4]:

Consideration 1: Copyright & Ownership. It is important to understand that under Canadian law original work authored by the student is the property of that student. Therefore teachers must consider the implications of posting.hosting that data on services without consent of the author, or parent if the student is under age.
Consideration 2: Identifiability, Content & Risks. Personal information is any information that can be used to identify a student. This information may be contained in plain text, or it may be held in the meta data of a file (the Created By field in a Word document).
Consideration 3: Storage Location & Risks. Remember that when anything goes online, even when it is secured, it is only a copy-and-paste away from being made public. Instructional staff need to ensure that when they are aware of the inherent risks associated with any online storage space, and that even locally secured storage has risks.
Consideration 4: Explicit Informed Consent & Risks. The issue of informed consent varies from province to province, but the basic issue is that parents must not only understand what they are giving consent to, they must be given sufficient notice and knowledge of the purpose and implications surrounding the request. These request are typically provided in written form. it is also valuable to note that students and parents must have the right to deny permission, and educators should b prepared for those circumstances.
Consideration 5: Safety & Protection Plan. Part of the planning for online engagement is the creation of a plan of how to respond to an e-safety incident. This may be represented as a flow chart, or a simple document outlining policies and procedures. This information may be shared via the schools Acceptable Use Policy, or through other means.
Consideration 6: Media Waiver Non-Coverage. Though many schools have existing school media waivers, it is unlikely that they will be sufficient to cover all circumstances. Remember, informed consent needs to be specific to the use of the media. A generic waiver does not specifically outline the purpose of the activity, not does it inform sufficiently the media type that will be used.

Legislation

Though formal privacy law was first introduced in to Canada in 1977 when data protect provision were first introduced to the Canadian Human Rights Act, privacy wasn't mentioned until 1983 when Privacy Act formally mentioned the collections, use and storage of personal information. The federal government has enacted two pieces of legislation that govern the protection of Privacy. The Privacy Act, which governs the actions of public bodies, and Personal Information Protection and Electronic Documents Act or PIPEDA, which governs the collections of personal information by the private sector. Both of these acts maintain the standards for collection, and storage of personal information, as well as the means to address inaccurate information.

Following the introduction of federal law the Provinces began to introduce their own Privacy laws that at minimum were as protective as their federal counterparts. These provincial laws govern the collection, storage and distribution of personal information within public bodies. As e-Learning advances there will continue to be adjustments and clarifications that will be needed for continued application of privacy laws.

In 2012 BC School District 23, Central Okanagan, decided to move towards a cloud based solution to provide storage space and student emails for their students. In order to have this approved the School District went through a Privacy Impact Assessment (PIA), and consulted with the Office of the Information & Privacy Commissioner (OPIC), and determined that with signed parental consent it would be appropriate to go with the Microsoft office online solution. (Microsoft Case Study)

Access to Information and Protection of Privacy Act - Yukon, Northwest Territories, Nunavut (Federal Privacy Act)

Legislation by Province

Freedom of Information and Protection of Privacy Act - British Columbia
Freedom of Information and Protection of Privacy Act - Alberta
Freedom of Information and Protection of Privacy Act - Saskatchewan
Freedom of Information and Protection of Privacy Act - Manitoba
Freedom of Information and Protection of Privacy Act - Ontario
Loi sur l'accès aux documents des organismes publics et sur la protection des renseignements personnels - Quebec
Access to Information and Protection of Privacy Act - Newfoundland
Protection of Personal Information Act - New Brunswick
Freedom of Information and Protection of Privacy Act - Nova Scotia
Access to Information and Protection of Privacy Act - Yukon, Northwest Territories, Nunavut (Federal Privacy Act)

Stop Motion Artifact - Personally Identifiable Information

Click here for the stop motion

Resource/Further Reading

File:BC-Privacy-Laws-Bradley-Weldon.pdf
Privacy
Cloud computing, Social media, and Privacy a presentation by Bradley Weldon, a Policy Analyst for the office of the Information & privacy Commissioner for BC, to the Educational Resource Acquisition Consortium (ERAC)
File:Primer on Posting Minor Students Final.pdf
Informational Posting by VIU staff on Privacy in education
File:Adult permission letter to post personal information on Internet.pdf
Sample consent form for an adult
File:Parent permission letter to post student stories on Internet.pdf
A sample consent form for students
File:Permission letter for using non-Canadian Internet services - Capzles.pdf
A sample consent form for students
File:Permission letter for using non-district within Canada Internet Services.pdf
A sample consent form
File:FIPPA cheatsheet.pdf
A condensed informational sheet on BC FIPPA
A resource for teachers on the basic principles of FIPPA, and how it may relate e to their classroom teaching
http://www.aplatformforgood.org/resources/c/privacy-policies A concatenated list of social media privacy policy

References

↑ Connolly, T., M., Hainey, T., Baxter, G., Stansfield, M., H., & Gould C. (2011) Web 2.0 Education: An valuation of a Large-scale European Pilot. Next Generation Web Services Practices (NWeSP), 2011 7th International Conference. 511-516. DOI:http://dx.doi.org/10.1109/NWeSP.2011.6088232
↑ ^2.0 ^2.1 ^2.2 Weldon, D. (2012) "Cloud Computing, Social Media, and Privacy" (PowerPoint Slides). Available at http://etec.ctlt.ubc.ca/510wiki/images/5/5e/BC-Privacy-Laws-Bradley-Weldon.pdf
↑ ^3.0 ^3.1 ^3.2 ^3.3 ^3.4 ^3.5 Diaz, V., Golas, J., & Gautsch, S. (2010) Privacy Considerations in Cloud-Based Teaching and Learning Environments. EDUCAUSE Learning Initiative. Retrieved from https://net.educause.edu/ir/library/pdf/ELI3024.pdf.
↑ Hengstler, J. (2013). A K-12 Primer for British Columbia Teachers Posing Students' Work Online. Vancouver Island University. Nanaimo BC. Retrieved from http://jhengstler.wordpress.com/2013/05/17/a-k-12-primer-for-british-columbia-teachers-posting-students-work-online/

Stop Motion References

Hengstler, J. (2014, April 24). The Compliance Continuum: FIPPA & BC Public Educators. Retrieved January 4, 2017, from https://jhengstler.wordpress.com/2014/04/24/the-compliance-continuum-fippa-bc-public-educators/

Ohm, P. (2009, August 13). BROKEN PROMISES OF PRIVACY: RESPONDING TO THE SURPRISING FAILURE OF ANONYMIZATION. UCLA Law Review, 57, 1701-1777. Retrieved January 4, 2017, from http://www.uclalawreview.org/broken-promises-of-privacy-responding-to-the-surprising-failure-of-anonymization-2/

Schwartz, P. M., & Solove, D. J. (2011). Pii problem: Privacy and a new concept of personally identifiable information, the. NYUL Rev., 86, 1814.

[connolly-1] Connolly, T., M., Hainey, T., Baxter, G., Stansfield, M., H., & Gould C. (2011) Web 2.0 Education: An valuation of a Large-scale European Pilot. Next Generation Web Services Practices (NWeSP), 2011 7th International Conference. 511-516. DOI:http://dx.doi.org/10.1109/NWeSP.2011.6088232

[Weldon-2] 2.0 ^2.1 ^2.2 Weldon, D. (2012) "Cloud Computing, Social Media, and Privacy" (PowerPoint Slides). Available at http://etec.ctlt.ubc.ca/510wiki/images/5/5e/BC-Privacy-Laws-Bradley-Weldon.pdf

[EDUCASE-3] 3.0 ^3.1 ^3.2 ^3.3 ^3.4 ^3.5 Diaz, V., Golas, J., & Gautsch, S. (2010) Privacy Considerations in Cloud-Based Teaching and Learning Environments. EDUCAUSE Learning Initiative. Retrieved from https://net.educause.edu/ir/library/pdf/ELI3024.pdf.

[hengstler-4] Hengstler, J. (2013). A K-12 Primer for British Columbia Teachers Posing Students' Work Online. Vancouver Island University. Nanaimo BC. Retrieved from http://jhengstler.wordpress.com/2013/05/17/a-k-12-primer-for-british-columbia-teachers-posting-students-work-online/

[1]

[2]

[3]

[4]