There was a time when I, like many of you, had not considered the personal information that was being collected when using technology tools. My role in the teaching and learning Commons at KPU forced me to reconsider my laissez-faire attitude about such practices. It had not crossed my mind that student data and faculty data were not looked at through the same lens. Even more importantly. I had not considered how my choices might feel coercive to students. My position of power could influence them to use these tools even if they were not comfortable sharing the information that was requested of them. After multiple requests this is the first of a series of blogs to support faculty in understanding the complexities of privacy as it relates to the use of technology in their teaching practice.
KPU is subject to the Freedom of Information and Protection of Privacy Act of BC (“FIPPA”) which creates obligations for KPU to protect the Personal Information (“PI”) in KPU’s custody or control. These obligations are shared by all KPU employees (which includes volunteers) and extend to Service Providers under contract to KPU. When PI is shared with an outside party: Whenever KPU provides PI to a party external to KPU (i.e. a vendor/Service Provider) or requires an individual to provide PI to an external party (i.e. in the case of vendor information technology), KPU needs to ensure safeguards are in place to protect the PI from unauthorized collection, use, disclosure, access, storage, or retention (personal communication, S. Kean, 2020). So, what exactly is considered personal information (PI)? PI includes any information about an individual (except business contact information), this means that all our students’ information is personal and needs to be protected. In the case of technology, this includes information needed to log in to an app or that is provided while interacting with the app itself, the table below lists examples of PI.
|Email address (any email address, including KPU email address for student)|
|“Unique identifiers” such as Banner numbers, SIN, driver’s license etc.|
|Date of birth|
|Home address and/or Phone number|
|Photo, Video or voice recording|
|Sexual orientation and/or gender|
|Employment and/or educational history (including grades)|
|Medical, psychiatric or psychological information|
|Financial information (including credit card number)|
|Racial or ethnic origin|
|User content or participation information|
|Reflections, opinions, thoughts, feelings|
|Religious or political beliefs or associations|
Consequences of not considering privacy.
Both KPU as a public body and individual employees have privacy obligations under FIPPA. When decisions affecting individuals’ privacy rights are made without due diligence, risks to the affected parties can include harms involving their personal safety/security, financial loss, identity theft, embarrassment or other. Risks to KPU include reputational harm and associated losses, remedies imposed by the Office of the Information and Privacy Commissioner of BC (“OIPC”) or other. FIPPA also provides for fines to be levied in both individuals and organizations for privacy offences.
Since all our students’ information is personal under FIPPA, it is our responsibility as individuals and as an organization to protect it as much as possible. So how do we do this?
- Use only KPU supported tools to ensure they have been appropriately reviewed for security and privacy.
- Choose tools that offer Canadian data residency, be careful some Canadian companies use US servers and data residency alone does not ensure FIPPA compliance.
- Contract negotiation as part of the purchase or subscription allows us to require measures from the vendor that address FIPPA compliance.
- Whenever students’ PI is collected, whether by KPU or by a third-party vendor tool used by KPU (whether the use is optional or mandatory) a FIPPA notice will likely be required.
- if the PI is disclosed to anyone (I.e. other students; external parties) written consent from each individual is required; and
- If the PI is stored, accessed, or disclosed outside Canada, written consent from each individual is required, guidelines for use are necessary for some tools to ensure students are protected and the use of these tools by faculty is FIPPA compliant.
In the next special edition blog on privacy concerns for teaching and learning, I will talk more about technology considerations. For additional support please contact email@example.com