Privacy in education: DPA identifies trends, risks, and developments in the sector

May 4, 2022 | Blog

In late 2021, the Dutch Data Protection Authority (DPA) published a paper on trends and risks, with recommendations regarding the protection of personal data in the context of digitisation in the education sector. In this blog, I will take a closer look at some of those trends and risks. I will also discuss a number of (recent) developments.

DPA: trends and risks

In its paper, the DPA first deals with the monitoring of pupils and students, pointing out that educational institutions have more and more data at their disposal through the use of new applications such as adaptive learning resources and learning analytics. Because that data contains information about students’ behaviour and development, it entails risks, for example if it is misinterpreted or misused.

The DPA also notes the increasing exchange of student data within partnerships and data/information hubs to which various (public) parties are connected. The DPA notes that it is important for students to be able to see who their personal data is provided to.

The DPA points out, furthermore, that many essentials in digitised education are supplied by big suppliers (tech companies), which exercise a certain power within the market because of their dominant position. The DPA states that that power, the lack of transparency at these companies, and a lack of knowledge, especially at small educational institutions, make it difficult to determine what the correct data protection safeguards are and if necessary enforce them as regards the supplier.

Various recent developments show that the problems regarding dependence on big-tech companies apply not only at small educational institutions but are currently relevant for the entire education sector.

Some recent developments in the education sector

Statement on National Approach to Digital and Open Learning Resources

The Universities of the Netherlands (UNL) (the umbrella organisation of the fourteen Dutch public universities), the Netherlands Association of Universities of Applied Sciences (VH), and SURF (the ICT cooperation organisation of educational and research institutions in the Netherlands) have signed a Statement on the National Approach to Digital and Open Learning Resources. An important focus of the statement is the control that educational institutions wish to exercise (once more). This covers, among other things, the collection and use of personal data collected in education, on both students and staff. For some time now, there has been criticism from various quarters of some aspects of the protection of personal data in education, including the dependence on big-tech companies.

Dependence on big-tech companies

Since the Covid-19 pandemic, an enormous amount of attention has been paid to dependence on big-tech companies in education. Last summer, for example, a professor at Utrecht University argued for a government-developed alternative to the applications currently provided by such companies. The National Consultation Body on Co-Determination at Universities (LOVUM) has also adopted a similar view by stating that the higher education sector should take greater control and develop some software itself once more.

Various frequently utilised applications provided by big-tech companies in (higher) education have recently been the object of negative coverage in the media, including Zoom, Microsoft Teams, and Proctorio.

Zoom

In May 2021, a Data Protection Impact Assessment (DPIA) commissioned by Dutch universities and the government concluded that there were nine major and three minor data protection risks affecting Zoom users. In the light of this assessment, Zoom put a considerable number of measures in place and promised to implement more. A new DPIA that was published last month showed that Zoom had eliminated all the major data protection risks. There are still six minor risks, but universities and institutions are said to be able to take measures against these themselves. In the end, Zoom concluded a new contract with the Dutch universities and the government.

Microsoft Teams, OneDrive, and SharePoint

There was also a recent study of the privacy risks associated with Microsoft Teams, OneDrive, and SharePoint. The study found that Microsoft had taken measures to eliminate six major data protection risks but that organisations should not use these cloud services to exchange or store sensitive or special personal data. The major risk in that regard is due to US intelligence legislation. Although Microsoft applies its own encryption to all of its customers’ data during transport over the Internet and to stored files, there is still a risk that access to that data can be demanded under US law. In fact, if Microsoft has access to the key used to encrypt data, it can be compelled to decrypt and disclose the data. The fact that this is probably largely a theoretical concern does not make any difference. Microsoft needs to make more adjustments and improvements so as to reduce this remaining major risk and six minor data protection risks. The study also notes that the most important measure that organisations in Europe can take themselves against the aforementioned risk regarding American intelligence services is to encrypt the data with their own key, to which even a supplier such as Microsoft does not have access.

Proctorio

We previously wrote about a ruling by the Amsterdam Court of Appeal, which found that the University of Amsterdam could continue to use the Proctorio software program when holding examinations. Late last year, however, it became known – after an investigation by ethical hackers – that Proctorio had a leak, which made it easy to hack tens of thousands of Dutch students. Questions were then asked in parliament by the GroenLinks party about the use of Proctorio by educational institutions, arguing that the program should only be used in exceptional cases.

Early in 2022, the Minister of Education, Culture and Science, Robbert Dijkgraaf, provided answers to the parliamentary questions. He responded, in fairly general terms, to the view that Proctorio should only be used in exceptional cases by noting that the use of e-proctoring can only be a suitable option for examinations if there is no good alternative. In addition, he noted that the use of e-proctoring can offer a solution for students who cannot physically attend the institution. The minister’s response seems to indicate that he does not want to interfere too much with personal data in education (i.e. the protection of such data). Among other things, he stated: “It is the responsibility of higher education institutions to deal effectively with the issue of privacy. They do not account for this to the Ministry of Education, Culture and Science.” According to the Minister, it is up to the educational institutions to discuss the security of the software with the software suppliers.

Whether the institutions will actually become less dependent on big-tech companies remains to be seen. Despite various criticisms and studies, and interest on the part of politicians, it does not look like dependence on big-tech companies will decrease any time soon. In actual practice, this will often be a difficult challenge. Nevertheless, it is in any case a positive development that more and more attention is being paid to the use of big-tech companies and dependence on them (i.e. on the applications they provide) and – more generally – that privacy in education also seems to be increasingly a matter for discussion.

Last year, the DPA carried out an investigation into online (video) telephony and online proctoring in education. We wrote about that last year in a blog. In the light of its investigation, the DPA published several recommendations, including on selecting a supplier. The DPA had the following (general) recommendations:

  • select a software supplier that complies with the privacy legislation;
  • consult the lesopafstand.nl website compiled by, among others, the Ministry of Education, Culture and Science and sector organisations;
  • impose requirements regarding the use of pupil/student and staff data. In this connection, it is important to at least ensure that data is immediately deleted if it is unnecessary;
  • conclude a processing agreement with the supplier that contains arrangements that at least meet the requirements of the GDPR. It is important to ensure that the right safeguards are in place when suppliers come from outside the European Economic Area (EEA).

Don’t hesitate to contact Jurriaan Dane if you have any questions about privacy in education.

Sign up for our newsletters