Protecting student privacy

“No one shall be subjected to arbitrary interference with [his or her] privacy.”
- The Universal Declaration of Human Rights, United Nations, 1948

New Zealand’s schools work hard to earn the trust of their communities. As part of the important work they do, schools need to collect and hold a large body of confidential and private information about children and their families.

The 2020 Communications Trust ICT in Schools survey suggests that if digital records and email are not already used extensively in every New Zealand school, they soon will be.

In recent years some schools have taken a step further, and are starting to send information to computing services outside the school grounds for storage and processing.

In the hands of teachers who have been supported with skills development and the freedom to innovate, new devices and cloud services present wonderful opportunities to prepare students for the future.

“The rise of new computing services is a huge enabler for schools. It allows for more efficient provision of services compared with on-site hardware, and a wider range of services can be brought into the school,” says Jordan Carter, Acting Chief Executive of InternetNZ.

However, as with most new innovations, there are new risks to understand.

Schools need to learn about what is happening behind the scenes. They need to ensure that their staff have the knowledge and tools they need to work in this environment. Schools may not be fully aware whether data is safe, or even that they might have lost control of it.

Jordan says, “The most important way to deal with these challenges is open and up front discussion in school communities and with providers. Know what is offered, and on what terms, from service providers - especially in terms of data security and privacy, and commercialised use of data. Demand clarity from providers in their answers - plain English explanations and clear documentation.”

“It will be useful for schools to canvass a wide array of options and the pros and cons of each service option, where privacy and data safety concerns exist, but also be careful not to idealise the status quo – school-hosted services could have downsides on the privacy and security front too.”

The importance of privacy

Privacy is known to be a top concern for New Zealanders.

At Microsoft, we were interested to find out more about what New Zealand parents want for their children’s privacy at school, so we asked Curia Market Research to survey 400 parents about their expectations.

Of the parents in the survey, 95% want schools to require providers of computing and Internet services to commit by contract that they’ll only use student data to deliver services to schools, not for the companies’ own purposes.

The survey indicated that 97% of parents want schools to ensure student data is used only for education, and not for commercial exploitation.

A full 99% of parents indicated their belief that schools’ duty of care should apply to the computer and Internet environment they provide for student learning.

Law and Ethics

Schools often have to make decisions “in loco parentis”. That is, schools make decisions in the place of a child’s parent or guardian – and boards of trustees, principals, and teachers have a corresponding duty of care towards students.

In her Privacy in Schools book, Kathryn Dalziel says, “Schools should only use personal information for the purpose for which it was collected.”

“The starting point is that a school must look after students’ information and not release that information to third parties.”

The book includes a sample privacy consent form based on the principle of obtaining consent for new uses of student data from a student’s parent or guardian.

The New Zealand School Trustees Association Guidelines for Boards of Trustees: Privacy Act (PDF) pre-dates the widespread use of outsourced IT services in schools, but includes the following recommendations for boards of trustees:

  • “With the increased use of computer-based human resources information systems, it is appropriate to make specific recommendations regarding software security. The factors to be considered include […] training of staff in the use of the system and their responsibility to maintain information privacy.” 
  • “The use also of information systems and websites can further extend the need for broad based policies to ensure safeguards for staff and students personal information.”

The New Zealand Teachers Council Code of Ethics says that teachers “will strive to … protect the confidentiality of information about learners obtained in the course of professional service, consistent with legal requirements.”

The Office of the Privacy Commissioner published Cloud Computing - A guide to making the right choices (PDF) in February 2013.

Relevant topics include:

  • “Know exactly what you're signing up for.”
  • “Be as up front with your clients as you can.” In the school context, the “clients” would be students and their parents or guardians.
  • “Use and disclosure - who sees the information and what will it be used for.”

The Office of the Privacy Commissioner’s guidelines note: “Any use of personal information should be directly related to the purpose for which you've got the information in the first place. If it's being used for a new purpose, that should almost always be authorised by the person the information is about.”

Most school students are minors, so it is not necessarily appropriate to expect them to fully understand or agree to contracts and privacy statements. There is no exception for services that are “free” for schools to use. Although “free” services are more likely to be adopted without formal processes, governance considerations on topics like privacy are the same as for paid services.

School Governance

Schools can take steps to ensure that outside providers, including cloud service providers, provide the information and contract terms that schools require to meet their own governance needs. It is important that schools consider all the choices they have.

The Office of the Privacy Commissioner’s cloud computing checklist provides a useful starting point for schools. The guidelines suggest that, “You may not have much clout when it comes to negotiating contract terms, but you probably have a choice of providers – compare the protections they’re able to offer.”

Schools can protect student privacy by demanding a firm contractual commitment from providers that there will be no new use of the data, such that schools can be assured that they have met their obligations.

This is relevant for schools that wish to take advantage of Privacy Act section 3(4)(c), where information stored or processed outside the school may still be deemed, from a privacy law standpoint, to be held by the school, without legally requiring further consent from the parents or guardians of students (although notification would still be good practice).

Reducing the risk of human error with email

Email mistakes are one of the top privacy risks that schools face.

There’s nothing difficult about the policies and training for being careful with email. The rules for email are essentially the same as for other communications. However, the ease with which vast amounts of data can be leaked is greater. People often assume that email communications are more private and secure than they really are. That means staff need to be reminded periodically about the importance of being careful.

While policies, training, and good database controls are important, people will continue to use email as a convenient mechanism to share data, and mistakes do happen.

Human error relating to email can be greatly reduced with today’s data loss prevention technology. It can be configured to intelligently scan emails and attachments before they leave the school, and to warn staff if they are sending email outside the school that contains personal information such as credit card details, phrases like “in confidence”, or email addresses.
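The following is an added example, not part of the original article and not how Exchange or Office 365 implement data loss prevention: a minimal outbound check of the kind described above, run over a message before it leaves the school. The domain `school.example`, the address-count threshold and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

SCHOOL_DOMAIN = "school.example"   # assumption: the school's own mail domain
PHRASES = ("in confidence",)       # phrase named in the article
EMAIL_LIMIT = 3                    # assumption: warn at this many addresses in the text
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def luhn_ok(candidate):
    """Checksum test that separates card numbers from other long digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_outbound(raw_message):
    """Return warnings to show the sender; empty if nothing leaves the school."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    recipients = [addr.lower() for _, addr in getaddresses(headers)]
    if all(a.endswith("@" + SCHOOL_DOMAIN) for a in recipients):
        return []
    # Body and text attachments (e.g. CSV); binary attachments are not parsed here.
    text = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            text += payload.decode(part.get_content_charset() or "utf-8", "replace") + "\n"
    findings = []
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        findings.append("card_number")
    findings += ["phrase:" + p for p in PHRASES if p in text.lower()]
    if len(set(EMAIL_RE.findall(text.lower()))) >= EMAIL_LIMIT:
        findings.append("email_addresses")
    return findings

# Constructed sample messages: same content, one external and one internal recipient.
BODY = ("Subject: Camp fees\n\n"
        "In confidence: card 4111 1111 1111 1111.\n"
        "Parents: a@home.example, b@home.example, c@home.example\n")
EXTERNAL = "From: office@school.example\nTo: travel@agency.example\n" + BODY
INTERNAL = "From: office@school.example\nTo: principal@school.example\n" + BODY
```

The Luhn check keeps long digit runs such as phone or invoice numbers from triggering the card warning, which matters because staff learn to ignore a warning that fires too often.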

We encourage schools to keep up to speed with privacy-enhancing technology. We believe that if it’s affordable, effective, and easy to deploy, then it makes sense for schools to do so. Microsoft Exchange 2013 (on premises) and Office 365 (cloud) both have the option for data loss prevention, and there are also solutions from other providers.

As boards of trustees and schools are making critical decisions about the technology services they bring into schools, they need to be asking vendors the right questions and putting protections in place to safeguard both students and teachers.

How can providers respond?

Cloud service providers should be transparent about how they use student data, to support schools in obtaining any required parental consent for the collection, new uses and sharing of that information.

“Privacy is a top priority for Microsoft,” says Jeff Healey, Public Sector Director, Microsoft New Zealand Limited.

“In general service providers will have no difficulty making strong commitments to schools on privacy, so many people would be surprised at the possibility that student data could be deliberately mined for a provider’s own benefit and commercialised in various ways,” he explains. “However, that’s a very real possibility today as new business models based on data mining and advertising are emerging.”

“In today’s environment it is very important that schools ask every provider, in New Zealand and overseas, how the data they collect from you and your students will be used. It needs to be clear in the contract because that might be all you will have to fall back on.”

“Microsoft offers many of our Office 365 cloud services to all New Zealand schools free of charge so that staff and students can use email and collaborate on documents from any web browser. Even though these services are free for schools, I can confirm that Microsoft makes a firm commitment that the company will only use the Office 365 customer data (including teacher and student personal information) to provide the services, and that customer data is not shared with other services for advertising purposes.”

“To be open and transparent about these services, we recently prepared a standard response to the Office of the Privacy Commissioner’s cloud guidelines, and we welcome enquiries from schools.”

The standard response for Office 365 can be found at: https://aka.ms/NZprivacyOffice365 (PDF)

Article by Waldo Kuipers, Corporate Affairs Manager, Microsoft New Zealand Limited.