Personal Data in Remote Teaching
As the world copes with the Coronavirus (COVID-19) epidemic, teachers everywhere are navigating new challenges and interruptions in order to get their classes online. At best, learning environments are easily transferred to virtual teaching methods. At worst, severe alterations to the ways courses are delivered, new technology, processes, and expertise are required.
But, however easy or difficult the transition to online teaching may be, it’s critical to take stock of your data practices. Working in new education environments, using new technology, and adapting teaching processes can all have serious implications for your data responsibility.
The Back to Basics: Data Responsibility for Remote Teaching Series provides a foundation to base constructive dialogue regarding data privacy and protection for remote teaching. This series will get you up to speed on what you need to know on data privacy and responsibility. It outlines useful definitions and terminology, for instance the distinction between personal and confidential data, and offers insights into how to be responsible with data under any circumstance.
In this first update, we elaborate on the different categories of data set out by the EU’s General Data Protection Regulations so you know what data you’re handling. We also offer concepts and scenarios to contextualise data and identify potential areas for concern.
Key messages for teachers:
Use the tools that are provided by your education institution.
Try to generate and collect as little personal data as possible when using these tools.
Do not process sensitive data unless you have gotten the go ahead from a Privacy Officer and/or relevant GDPR decision-maker.
Explanations: What are personal, sensitive and confidential data?
If we break it down, personal information is any form of data that can be used—directly or indirectly—to identify an individual person (or, data subject). Sometimes you can identify them directly with a single data source, and other times it takes a combination of data points to be able to identify this data subject — but if it’s possible to identify an individual in any way, this makes it personal data.
Examples of personal data:
- Email address (which includes names or any other identifiable information)
- Identification card number
- Location data (for example the location data function on a mobile phone)
- Internet Protocol (IP) address
- Internet cookie ID
- Advertising identification codes in mobile phones
Sensitive information (‘special categories of personal data’) has a formal definition within General Data Protection Regulation (GDPR). This data cannot be processed unless one of the exceptions of the law applies. If you think you need to process this information, you must go to your Data Protection Officers before any processing begins to ensure you do so in a lawful way. Sensitive data refers to the following:
- Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
- Trade-union membership
- Genetic data, biometric data processed solely to identify a human being
- Health-related data
- Data concerning a person’s sex life or sexual orientation
(Business) Confidential Data
Defining what confidential data is a little trickier. It depends on what your organisation considers to be confidential. It encompasses data that your organisation would not want anyone in the general public or outside of your organisation to access. It is usually information such as financial documents, internal correspondence and legal contracts.
When does remote teaching encounter personal, sensitive or confidential data?
As a teacher, you encounter data from your students all the time. Handling personal data is an inherent feature of being a teacher. From attendance lists to the personal anecdotes shared in lectures, personal and sensitive data cross the classroom in many forms. Some of this data is stored (e.g. in assignments) however, some is not stored (e.g. verbal conversations in classrooms).
Yet, in remote teaching and when using new technologies to deliver your classes, a lot more personal data can be generated and stored. Often there is more data than is actually needed or even known about. This can occur both knowingly and unknowingly. To make the transition to the online classroom safer, make yourself aware of the data that is generated, use the tools approved by your institution, and follow available guidance. This way, you can be data responsible from the get-go without having to take on too much responsibility yourself (your institution will have done a lot of the work on assessing the data privacy risks).
Consider that some new forms of personal data will be a necessary component of this new way of teaching, however some of it will not be necessary. Teachers, technical tool experts and privacy specialists need to work together to reduce the amount of unnecessary data generated and collected.
Why is it important to keep this in mind whenever teaching remotely?
Determining how much personal data you are generating through remote teaching can be difficult. Privacy policies and terms of service are complex and often use opaque language. This is why it’s important to rely on the tools provided by your education institution. Otherwise you will need to decipher these documents and their implications for data privacy in your teaching alone.
Having awareness of where and how data is being generated is key to critically analyse how much personal data a teaching method is producing and how this can be reduced to only the absolutely necessary or unavoidable. This requires ensuring that teachers have the skills and knowledge to gain this awareness as well as participate in constructive dialogue with privacy experts regarding both their teaching needs and the date involved with these needs.
Data Responsibility in Education - How can the Centre for Innovation help?
Staff trainings on sensitive/personal data and tool use in education
Virtual trainings on topics such as: “What is sensitive/personal data” or “How to use tools in a way that protects sensitive/personal data”
Personalised training and advice for management on data responsibility oversight
Topics include: How to empower your staff to make good decisions, how to use the Holistic Data Responsibility Framework in your workplace
Data Responsibility strategy drafting, advice and review
Could include: Reviewing existing strategy, identifying gaps in guidance & policies, recommendations for implementation
Get in with us touch at: c4idataprotection[at]sea[dot]leidenuniv[dot]nl