Privacy Act and Third Party Software Revisited

flickr photo shared by rosefirerising under a Creative Commons ( BY-NC-ND ) license

During our class this week for EC&I 833, the Local Authority Freedom of Information and Privacy Act (Privacy Act) came up in regard to using “third party” (not hosted/run by the institution itself) software in schools. Since this is one of the things I’ve researched before and paid attention to, I promised Angus and Alec I would post about it and share what I know, especially as it relates to the University of Regina. The information below is based on previous research and on information provided to me by Glenys Sylvestre, the Executive Director, University Governance and University Secretary, from her inquiries to legal counsel on the topic. *This is not intended as legal advice nor is it a verbatim copy of the communication. This information is intended as my personal recommendations for how to proceed responsibly, so please ensure that you consult the appropriate people for your institution*

First of all, there are no specific legislations in Saskatchewan that restrict what technologies can be used for education or where student information can be stored. Other provinces in Canada do have those legislations (specifically British Columbia and Nova Scotia). So technically, any public body (like a school) in another province could use a service that stores data outside Canada. Those bodies are, however, required to ensure that the security and protection of that data is comparable to what would be received here (aka the data should be properly protected, not publicly posted, and every effort should be made to ensure it isn’t released, stolen, or sold).

With that in mind, however, that doesn’t let instructors or the institution off the hook entirely to use whatever websites or apps or software they want. The Privacy Act does say that information cannot be used for anything other than the purpose for which it was collected without consent. That means that no employee at the University of Regina can release student (or other employee) data or even use or access it except for the purpose for which it was collected without consent. Stay with me, I’m going somewhere with this. The Privacy Act specifically states

Personal information about an identifiable individual is protected under the Act and will not be used or disclosed except for the specific purpose for which it is collected or in accordance with one of the exceptions in the Act or the Regulations.

All the information the university has can easily add up to being enough to identify someone (e.g. a name plus an email address suddenly makes that person much more identifiable, let alone if you add in a birthdate, an address, a gender, etc). Now think about what information most sites request you provide. Yup, most sites, to register, require you to provide at least a name and an email address. By providing that information, the user is no longer anonymous, especially if that information is their U of R email address which includes their username for the U of R system.

From there, it is an easy step to see how requiring students to use third party software is considered a risk. At least if it is done without consent. Technically, the use of the software or website is viewed as consent, so often students are left uninformed about their rights which is not a great way to operate. Even with consent, however, how informed is that consent? Has the instructor actually read the terms of service? Do they know what could happen to the data students are being asked to give away (and that includes a lot more than just name and email address – usually it includes performance on tests, papers, blogs, answers to questions, navigational behaviour, photos, etc)? So what that means is that instructors (or staff) are best served by suggesting that students can use a pseudonym to register for third party websites or software to prevent releasing their information (this is what McMaster instructs students to do after being sued over the use of Turnitin specifically). Moreover, students have every right to request an alternative for any third party website or software and instructors are required to provide one.

Best of all would be for instructors to have frank conversations with their students about the whole issue but often that is left out in the name of expediency. The assumption, all too often, is that if a student doesn’t want to do something they can and should drop the class. Don’t like Turnitin? Drop the class. Don’t want to use the publisher website? Drop the class. Not a fan of public blogging? Drop the class. That is no longer a viable option. The use of third party software/websites is becoming too ubiquitous, even “required” in some departments and faculties.

To sum up, an instructor can request students use third party software (e.g. publisher’s website, Google Docs, WordPress, Facebook). They should give students the option of using a pseudonym to avoid releasing identifying personal information (better is to just recommend students use a pseudonym unless there is a very good reason for not doing so). And students must always be able to decline using the software/website and be provided with an alternative.

flickr photo shared by PropagandaTimes under a Creative Commons ( BY-NC-ND ) license

It’s a sticky situation. There are so many fantastic Web 2.0 options out there and so often we both take privacy for granted AND take for granted that it doesn’t exist. Yet as employees of public institutions and as educators, it is our job to protect students, giving them tools and knowledge to protect themselves. Options like “Domain of One’s Own” are a start in educating students about their rights and giving them more control of their own data (but it would be nice if there were a comparable Canadian option).

When you get down to it, the entire point is that data is important and we should all treat it as such, even in a world where we agree to Terms of Service without reading them*, uploading without thought, and assuming we live in a modern version of the Panopticon. Data is worth something, though (not the least of which is money). We should really stop treating it as meaningless and start making informed decisions as well as teaching our students to do the same.

* If you are looking to understand Terms of Service, you can always check out Terms of Service; Didn’t Read to get an evaluation of the terms for many existing sites. They even have a browser extension now. Also, it looks like they are looking for help. That might be a fantastic digital citizenship project!

One thought on “Privacy Act and Third Party Software Revisited”

  1. Your post is great! On the Canadian Cloud blog site it says “As with any new program that involves the handling of personal information, the organization should undertake a privacy impact assessment.” It got me thinking about Saskatchewan’s eHealth and the CHIP pilot project that I am involved in. I am providing a lot of personal private information about myself and my children (above and beyond name and e-mail). The conversation in our focus groups has been more around the functionality of the website, not privacy at all. You now have me looking into the privacy protection that they have in place. – Thanks for opening my eyes up to this.

    Looking forward to reading “Terms of Service; Didn’t Read” and your past posts about this.

Leave a Reply

Your email address will not be published. Required fields are marked *