Personal Information Protection and Digital Technologies in Ontario Schools

Ontario K-12 classrooms increasingly use digital applications and platforms. Consequently, private companies collect more personal information, posing a potential threat to student privacy. Current privacy legislation does not specifically address education technology or its use by children, and current policies and practices do not sufficiently support schools and teachers. Because educational practices and legislative compliance are variable, Ontario schools cannot provide students with consistent personal information protection.  
This brief considers a privacy pledge, provincial legislation, and a Ministry of Education commission as policy alternatives. In the interest of supporting student privacy, adapting to changing conditions, and providing both clear standards and flexibility to stakeholders, this brief recommends that a Ministry of Education commission be created to review and approve digital applications and platforms for classroom use.


Scope of the Issue
Even before the current pandemic, digital applications and platforms were prevalent in schools. In 2019, 97% of Ontario elementary schools and 100% of high schools reported communicating with students using technology, including: email, class websites, web applications, and online classrooms (Kapoor, 2019, p.2). Interactivity of online platforms generates more data, which can be processed in greater detail (Zeide, 2017). Specifically, applications and platforms may collect information about when and how students interact with the platform, assignments and grades, and posts and communications (Reidenberg & Schaub, 2018). Massive data collection, and the profiles created with this data, pose privacy risks (Reidenberg & Schaub, 2018). These technologies collect more information than traditional classroom practices, posing a new threat to student privacy.
Private sector organizations, including those that provide education technologies, are covered by the Federal Personal Information Protection and Electronic Documents Act (PIPEDA).
According to the rules set out by PIPEDA, organizations must: identify the purpose for collection, gain meaningful consent, collect only necessary information, retain information only as long as necessary, and be transparent about their information practices (OPC, 2019 participated in a 'sweep' of educational applications in 2017. This sweep found that more than a third did not seek consent, and more than a third of the apps did not enable deletion of personal information (OPC, 2017a). Both contravene PIPEDA (OPC, 2017a). If PIPEDA is insufficiently enforced, children and teenagers are unfairly burdened with protecting their own privacy from intrusive personal information practices (Fric, 2014).
The Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) covers personal information in Ontario schools (IPC, 2019a). MFIPPA defines the appropriate treatment of personal information (MGCS, 2018). Information is personal if an individual can be identified from that information on its own, or, in combination with other information (MGCS, 2018, p.133).
School boards are accountable for online education services used in their schools. They must verify these services do not collect, use, or disclose student information improperly (IPC, 2019a, p.34). Again, compliance cannot be assumed. The IPC observed that some online applications iJournal, Vol 6, No. 2, used by schools collect and retain information for their own purposes, track students, use information for marketing, and sell information, all of which may not comply with MFIPPA (IPC, 2016). Another source of variation is the behavior of individual educators. The IPC notes that Ontario educators often use online education, evaluation, and communication tools without knowledge or approval of the school or school board (2016). The IPC directs teachers to consult with the school and/or school board before using online services (2016). Unfortunately, a study found less than half of teachers felt sufficiently supported by their school/district in using networked technologies (Johnson, Riel, & Frose-Germain, 2016, p.43). Thus, there is variation between boards, between schools, and even between teachers.

Directions from the Ontario
This report finds unreliable handling of personal information by education technologies and inconsistent technology use in classrooms combine to create unreliable privacy protection. Current policies and practices do not adequately protect student personal information, and it is in the public interest that student privacy is sufficient and consistent.

Stakeholders
This brief considers five stakeholder groups. First, the school boards are given most of the responsibility for evaluating applications and platforms and protecting student information, as mentioned. This is challenging for smaller school boards. Therefore, clearer external guidance is in their interest. Second, teachers have an interest continuing to shape their own classroom practice through technology selection (Young, 2018). However, they lack actionable guidance for these selections. Currently, some school boards, schools, and teachers are providing consent on behalf of students, which they are not authorized to do (Burkell et al., 2020).
Children, parents, and privacy advocates are considered as the third group because they share interests in student privacy and serviceable education. The United Nations' Convention for the Rights of the Child (1989) bestows children with the right to participate in decisions that affect them in addition to protection from privacy interference. However, Burkell, Bailey, and Regan argue that this right is not currently respected (2020). PIPEDA requires that children give meaningful consent, and the OPC notes that this requires adapted processes if the children are 13 to 17 years old, or, parental consent if the children are under 13 years old (OPC, 2017a). Despite adapted consent processes, teenage consent is unlikely to be meaningful. A MediaSmarts study found that when teenagers agree to terms of use, they do not perceive themselves to be giving consent (McAleese et al., 2020). Parental consent is also not meaningful, because they feel unable to opt out of using platforms (Desson, 2018). Furthermore, they worry schools cannot protect student personal information (Pfeffer-Gillett, 2018, p.105). As such, parents and students have little influence over the technology they must use.
The fourth group, the provincial government, currently sets the guidelines for the use of personal information. The fifth group, private sector application and platform producers, are driven by profit motivations (Selwyn, 2018). Currently, industry choices have extensive control over student information protection. Selwyn argues that policy for technology in education always involves the private sector, because state agencies do not have the necessary resources to build these tools (2018). This group's interests do not necessarily align with the public interest, but they must be considered.

Privacy Pledge
One alternative comes from the Student Privacy Pledge, which is an American set of standards for education technology providers to voluntarily adopt. Since it was introduced in 2014, more than 300 companies have signed (Pfeffer-Gillett, 2018). The pledge protects student information through purpose limitation and required procedures for handling information (Pfeffer-Gillett, 2018). However, a comparison found that signatory companies were no less likely to be in violation of the pledge standards than non-signatory companies (Pfeffer-Gillett, 2018). With no meaningful oversight or enforcement, the pledge allows companies to gain public approval and disclaim liability for data use that violates the pledge (Pfeffer-Gillett, 2018). While this suits private interests, it does not empower teachers, guide school boards, allow the provincial government to maintain control over privacy standards, or protect students. iJournal, Vol 6, No. 2, Bill C-11 (2020), the Digital Charter Implementation Act, proposes the Consumer Privacy Protection Act, a replacement for PIPEDA that makes significant changes, and the Data Protection Tribunal Act, to oversee enforcement. The CPPA would introduce a requirement for plain language when asking for consent, which could increase the likelihood of meeting the requirements for meaningful consent, but still does not address children specifically. Through the creation of a specific enforcement body, the DPTA would likely increase compliance with legislation. However, the proposed acts would be broad, and therefore require significant translation and guidance for effective implementation in the classroom, where technology decisions are made by a complicated network of students, parents, teachers, schools, and school boards.

Provincial Legislation Targeting Education
A second alternative is supplementing provincial legislation with additional regulation for children's data. Regan and Bailey (2020) suggest regulatory initiatives prohibiting corporate use of data from learning processes (p.77-78). Selwyn argues that effective state governance is possible if institutions are knowledgeable about digital technology in education (Selwyn, 2018).
One example of direct government regulation is the US Student Digital Privacy Act, which was introduced to congress in 2015 to ensure data collection was only for educational purposes (Fitzpatrick, 2015, p.311). Such legislation may be too inflexible for the constantly changing trends in education technology, leading to inadequate protection for students. This alternative also does not guide teachers or school boards.

Ministry of Education Commission
A third alternative is the creation of a commission within the Ministry of Education to approve education applications and platforms. This is based on a report from the 40th International Conference of Data Protection & Privacy Commissioners, which outlines recommendations for improving e-learning platforms and suggests educational authorities create, "policies and procedures to approve platforms" (ICDPPC, 2018, p.3). This would be an ongoing project, where individual applications and platforms would be evaluated as required, and therefore, more adaptable to changing technological circumstances. This alternative would provide much-needed guidance to school boards and teachers. Centralizing the approval of education technologies would also increase student privacy, because larger collections of school boards have leverage to negotiate privacy protections that individual school boards lack . Technology providers would benefit from clear approval across the province. Finally, with a list of approved applications