BYOD, the cloud and student privacy: What you need to know

The rise of BYOD and wearable technology, in addition to an increase in third-party cloud-based data storage, are new elements that must be considered in the quest to keep student privacy intact.

Yesterday, The Educator outlined the privacy legislation that schools must adhere to, as well as some best practice tips to ensure compliance with this legislation.

When it comes to BYOD and wearable technology (smart watches, fitbits, etc), John Gallagher, senior associate at Clyde & Co, told Education Law Masterclass attendees that the security of organisational data is only as strong as the weakest link. Key considerations include:

  • Balancing security vs student/employee privacy.
  • Ease of use and productivity benefits.
  • Risks of unauthorised access and student/employee privacy.
  • Integration with existing IT security.
  • How the failure to update and manage device security is a key risk. 

There are three key risk areas to be aware of for BYOD & wearables:
 
Security risks

  • More devices on the network means more gateways and more vulnerabilities.
  • Schools have limited capacity to prevent students engaging in risky behaviour online or ensure they have adequate cybersecurity.
  • Lack of device oversight and updates – where are the weak links? 

Legal risks
Schools may be liable if students infringe third-party intellectual property rights.
 
Education risks
Allowing computer-savvy students access to the school’s network creates a heightened risk of academic fraud.
 
Gallagher outlined a best practice approach to managing BYOD privacy risks. He recommended having a simple and clearly defined policy which includes:

  • What devices may be connected to the network
  • Where, when and for what purpose devices may be used
  • Which programs or applications may / may not be used
  • Clearly defined update and device management requirements
  • Clearly defined security requirements (including passwords)
  • Clearly defined repercussions for mis-use

Finally, he recommended that leaders ensure that the policy is understood & enforced

He also suggested schools educate staff and students on cybersecurity risks and risky behaviour online, and also consider technical solutions such as system monitoring software, firewalls or internet filters which prevent access to inappropriate content.

Cloud-based third party storage and third-party learning sites
There are also obvious data privacy concerns around both cloud-based third-party storage and third-party learning sites.
 
When it comes to cloud-based third party storage, Gallagher stressed that schools do not escape their obligation to ensure the security of its personal data by using third-party cloud storage. He suggested it’s critical that school leaders do due diligence on all third party providers:

  • What are their security arrangements?
  • Does their proposed use of personal information align with yours? 

Key privacy law considerations include:

  • Where the cloud based storage provider stores its information
  • If the cloud based storage provider will use the information for any other purpose
  • The cloud based storage provider’s policies on information destruction or de-identification policies
  • How the provide allows access to the information it holds. 

Third-party learning sites, Gallagher said, are another matter. He said the obligations of an educational institution which directs students to provide details to a third party learning site is unclear.
 
To clarify matters, he suggested school leaders consider the following point key point: When it comes to providing access, are you part of the information collection cycle? Further, he suggested leaders:

  • Be clear about their role in the process.
  • Expressly state that they take no responsibility for a user’s use of a third party website.
  • Due diligence – consider the security used by the third party site.
  • IT usage policy – be clear and keep it updated.