There is little doubt in my mind that web 2.0, social media, and cloud computing offer powerful vehicles for teaching and learning—but only if educators use them responsibly, abide by the rules and regulations, and teach their students to do the same. According to lawyer, Pam Portal, “BC’s privacy laws are arguably the strongest in Canada” (Cooper, et al., 2011, “Privacy Guide for Faculty Using 3rd Party Web Technology (Social Media) in Public Post-Secondary Courses”,2). These laws and regulations protect the privacy rights of the individual in British Columbia, Canada. Our unique legal context sets the boundaries for what the K-12 should be doing online with student information, work, and data. If you’re not from British Columbia, or aren’t in touch with what’s happening here, consider us the “Europe” of privacy protection in North America. If you are an American teacher or a Canadian teacher anywhere but in British Columbia–you likely have more permissive regulations in the use of Web 2.0 tools–especially those that are housed in the cloud.
The institution where I work, Vancouver Island University (Nanaimo, BC, Canada), is in the vanguard of addressing privacy issues associated with use of cloud based tools at the post-secondary level in BC education. In 2011, VIU published “Privacy Guide for Faculty Using 3rd Party Web Technology (Social Media) in Public Post-Secondary Courses” with BC Campus, and our Centre for Innovation and Excellence in Learning (under Director, Liesel Knaack) has been running numerous training sessions to raise faculty awareness of their obligations in use of cloud, Web 2.0, and social media technologies—especially with regard to students. As part of that effort, and in discussions with Liesel, I began to develop some resources to streamline how faculty in our Faculty of Education and other post-secondary instructors could meet the new requirements–items like forms to guide instructors, and an information backgrounder to share with students. As BC K-12 educators got wind of what I was doing, I had individuals from BC K-12 schools–public and private, traditional and face-to-face–contacting me to see what knowledge, resources and guidance I could share. At that point I was solidly focused on developing resources I could use with my faculty, and I kept hoping that ‘someone else’ would take on that mantle and deal with providing specific K-12 resources. I happily provided what I had–but it was from the post-secondary perspective. When I shared content, I’d repeatedly ask the recipients to share back what they developed. Many of these individuals were dealing with these issues off the side of their K-12 desks—among many other responsibilities. I checked back with a few of them and their content development had gotten sidelined in one way or another.
Working in a Faculty of Education as I do, I am reminded that I am only a step away from the K-12 context. Our Education students are doing practica in BC K-12 schools–some of them with institutionally loaned equipment—and I need to support their responsible use of technology under current legislation. In September 2013, I will be teaching a course in social media in our new Online Learning and Teaching Diploma (OLTD) Program, and I will need resources to guide my students as educators in responsible use of social media in BC’s K-12 context. Knowing my interests, parents have approached me to describe incidents where students are using social media and cloud based resources in their local schools without any permission forms or information being sent home. One parent described Googling her child’s name only to find a Prezi with scanned family photos and information—yet the parent had never been approached for permission–much less had discussions or handouts on the activity and its potential privacy risks. I have heard numerous accounts of teachers doing great things with Google docs and their classes–using Facebook or Twitter, but when I pause to ask them whether they sent out and obtained written permission slips, I either meet a dead silence or am told, “Oh, our school media waiver covers that.” The likelihood that a school media waiver meets the key criteria set down in our BC law and regulations for ‘knowledge’, ‘notice’, and ‘informed consent’ with regard to these types of activities in these technological environments is slim.
So, last month, I decided that “someone” was going to be “me”. I’ve spent about a month drafting this document I call “A K-12 Primer for British Columbia Teachers Posting Students’ Work Online“.
This document was possible only with the support of these key individuals:
- Liesel Knaack, Director, Centre for Innovation and Excellence in Learning, Vancouver Island University, Nanaimo, British Columbia
- Rebecca Avery, e-Safety Officer, Kent County Council, United Kingdom
- Mark Hawkes, e-Learning Coordinator, Learning Division, Ministry of Education, British Columbia
- Dave Gregg, e-Learning Officer, Learning Division, Ministry of Education, British Columbia
- Larry Kuehn, Director of Research and Technology, British Columbia Teachers’ Federation
- John Phipps, Field Experience Supervisor, Vancouver Island University, Nanaimo, British Columbia
Consider this document Version 1.0. I hope you find it useful and that you feel moved to comment and share your insights for a future version. You are free to duplicate and share it according to the Creative Commons: Attribution-Non Commercial-Share Alike licensing.
Julia
jhengstler's blog 
How do you see this applying to digital communication and digital storage of files like notes taken at meetings and documentation of student behaviour incidents?
So first question is where will this data be stored & how will it be secured? If it’s in BC and the servers where the data is stored are on Canadian soil–the standards are different than when you are using cloud storage where data can be in the US or anywhere in the world. (Please note that there can be ‘private’ clouds run on local BC school district servers, so “cloud” does not always = servers on foreign soil.) Whenever you are documenting student behaviour–there is a high likelihood that even if you left names out, other data like time, place, teacher, action, etc. will be enough to identify the individual. We have to remember that what constitutes “identifiable” information is no longer just a name in conjunction with a picture or address. Also, notes on behaviour or actions of a student are probably going to be of a sensitive nature as well. You have 2 likely vulnerabilities here–identifiable and sensitive. Given my understanding of the regulations in British Columbia (remember I’m not a lawyer!), unless you have specific permission from a parent or caregiver to store that type of data (especially if it’s stored on non-Canadian soil), you have a responsibility to the child and parent/care giver to obtain “informed” consent. For storage of sensitive data online (like student records, etc.), you’d have to check with the Office of Information and Privacy Commissioner for BC’s website. “Cloud Computing Guidelines for Public Bodies” http://www.oipc.bc.ca/guidance-documents/1427 is a good place to start. You will have to do some reasonable risk assessment and be able to relay to the parent/caregiver the benefits and risks in terms s/he will understand so the parent/caregiver can decide to agree or disagree with your data use/storage/access. It should be written permission and with a real signature. You should also have some plan in place to monitor that data is not being inappropriately shared or accessed (e.g. what if you get notification from Google docs that your account storing all this data has been compromised?) & how to deal with an issue should it arise. (e.g. who should be informed–parent/caregiver, principal, etc. & in what order).
As regards meeting notes–assuming that all attendees are adults–I would think you would have a similar duty of care. Are the meetings public in nature already like a school board meeting? If the notes are not generally expected to be public documents, I would say the best route is to again assess whether individuals will be identifiable and whether the data is sensitive, then determine where will this data be stored & how will it be secured. Even password protected sites can be breached–so what will it mean if that data becomes “public”. With that information, you should discuss with attendees that notes will be posted and what the potential benefits/risks are. If data is sensitive & identifiable–and it’s not generally “public”–then I would be obtaining a signed release/permission to post the notes. It would be best to set up a standard notice at the beginning of the meeting that the notes of the meeting will be posted online, etc., it can remind people to keep their “public” persona in place. That said, you may need to make time/place for “in camera” sessions–where you can discuss things that may be sensitive without publishing/posting notes.
Hope that helps. I’ll see if I can get someone from the Office of Information and Privacy Commissioner for BC to weigh in.
Do you see the requirement for signatures, etc. applying only when the information is stored outside of Canada?
I am working on creating a private “cloud” for documenting meetings, behavior incidents, etc. and hosting it either on our local server or with a Canadian web host. The documents are password protected and shared only to specific individuals or groups, using the WordPress addon Buddypress and Buddypress docs. I see the privacy as being more secure than past practise of keeping notes in books and laptop hard drives, both of which present their own particular insecurities. I worry that if we are required to have a high level of consent the tool will be useless for the students who need it most.
I can certainly understand privacy concerns in light of the recent NSA scandal, but I still believe that cloud-based documents are actually much more secure than paper files or documents on local computers.
I make no claims to be a privacy lawyer. Networked storage is significantly different that storage on discrete hard drives. Many of our practices with protecting storage on hard drives evolved only slightly from our paper-based previous experiences. I would consider BC educators’ general security practices around data to be fairly lax. While there are some very privacy/security conscious people, in my opinion they are a minority. Your requirement regarding consent is set out under the guidelines established by the Office of Information and Privacy Commissioner for BC. The BC cloud guidelines predate the US’s NSA scandal by a year or more. Unfortunately, not many BC educators have been informed of the changes–which is why I felt compelled to write this document. I am hoping that we do not need a lawsuit around educators’ use of cloud storage and Web 2.0 technologies to get compliance with regulations that are already in place–or to totally shut down these technologies as viable tools for educators. I think that you should be consulting with a BC School District lawyer who is up to date with all the current privacy regulations and/or consult with the Office of Information and Privacy Commissioner for BC.
Hi, this is Cara from the Office of the Information and Privacy Commissioner for BC. Julia contacted our office through Twitter about this discussion thread. I thought it would be helpful to provide a bit of context as to how FIPPA applies to cloud computing specific to public bodies (which includes K-12 and post-secondary institutions). What follows is largely excerpted from our guidance document, Cloud Computing for Public Bodies (http://www.oipc.bc.ca/guidance-documents/1427).
Under section 30.1 of the Freedom of Information and Protection of Privacy Act (FIPPA) public bodies must ensure that personal information is stored and accessed only in Canada, with some limited exceptions. This includes information in computer logs, backup tapes or cloud-based services.
Public bodies can store or access personal information outside of Canada if the individual the personal information is about has given consent to the public body. The FIPPA regulations (http://www.bclaws.ca/EPLibraries/bclaws_new/document/ID/freeside/155_2012) set out the requirements for consent under s. 30.1(a). According to the regulations, an individual’s consent must be in writing and must specify the personal information for which the individual is providing consent, the date on which the consent is effective and, if applicable, what date the individual’s consent expires. The consent must also specify who may store or access the personal information from outside of Canada, and if it is practicable, which jurisdiction the personal information may be stored in or accessed from. The consent must also specify the purpose of storing or accessing the personal information.
Even if you obtain consent, or a 100% Canadian cloud solution is available, there are still potential risks that public bodies should consider before using the cloud. For example, under FIPPA, public bodies are required to protect personal information in their custody by making reasonable security arrangements against risks like unauthorized access, collection, use, disclosure or disposal. Reasonable security arrangements in the context of cloud computing will usually require a public body to review the security that the cloud provider has in place. Key areas should be reviewed and considered from the perspective of reasonable security, taking into account the sensitivity of the information that is being stored or processed by the cloud provider.
Even when you are not dealing with the cloud or potential access/storage outside of Canada, FIPPA has clear requirements for when and how a public body can collect personal information from individuals. Sections 26 and 27 specify the conditions under which public bodies can collect personal information from individuals.
It sounds like you are working on a potential cloud solution for your organization. If you would like our office to comment on the FIPPA implications of your project, consult our policy on consultations (http://www.oipc.bc.ca/guidance-documents/1432). If you have questions, you can also call us at 250-387-5629 or email info@oipc.bc.ca.
My comments are not intended to be relied on as legal or other advice, and do not fetter or bind, or constitute a decision or finding by the OIPC.
I hope this helps!
[…] you’ve read “A K-12 Primer for British Columbia Teachers Posting Students’ Work Online” from an earlier blog post. If not, you may not be aware that “BC’s privacy laws are arguably […]
IMPORTANT UPDATE re. “signatures” & electronic consent
During my session at BC Digital Learning Conference 2014 the question was raised of whether consent needed to be “in writing”–like pen on paper. I explained that this had been my institution’s practice–but that I would follow up with OIPC BC. After a great phone conversation with Brad Weldon @ OIPC BC, he shared that “in writing” didn’t necessarily mean it had to be pen on paper.
While “in writing” requirements for consent/authorization are found in FIPPA, this requirement is also considered in light of the 2001 Electronic Transaction Act ever since 2007’s Order Order F07-10 (http://www.oipc.bc.ca/orders/912) addressing a case in Mission School District 75.
In Order F07-10 (2007), the electronic form of consent was considered
“valid by virtue of s. 5 of the Electronic Transactions Act, which reads as follows:
5 A requirement under law that a record be in writing is satisfied if the record is (a) in electronic form, and (b) accessible in a manner usable for subsequent reference”
and then goes on to say,
“The requirement of consent “in writing” in s. 6(a) of the FOI Regulation is a “requirement under law” to which s. 5 of the Electronic Transaction Act applies” (http://www.oipc.bc.ca/orders/912)
Of course, you will still need to provide for knowledge, notice and informed consent as usual–but that consent can be obtained through electronic means consistent with the Electronic Transactions Act. If you would like to read more on the Electronic Transactions Act, find it here http://www.bclaws.ca/EPLibraries/bclaws_new/document/ID/freeside/00_01010_01
I’ve discussed the possibility of a support document from OIPC BC to help schools understand what’s viable “electronic” consent. I hope to see something in the near future!
Thank you to Brad Weldon at OIPC BC for his time to help clear this up.
[…] positions is longer than it’s fair to put in a blog post, so like the “Primer” (https://jhengstler.wordpress.com/2013/05/17/a-k-12-primer-for-british-columbia-teachers-posting-stude…), I’ve linked it in this post as a longer PDF. Click on the cover image to download the […]
[…] For more guidelines about privacy rules and posting student work online, please refer to “A K-12 Primer for British Columbia Teachers Posting Students’ Work Online” found at the following link: https://jhengstler.wordpress.com/2013/05/17/a-k-12-primer-for-british-columbia-teachers-posting-stud… […]
Hey great post. I hope it’s alright that I shared it on my Facebook, if not, no worries just
let me know and I’ll remove it. Regardless keep up the good work.
Thank you for referencing & sharing my work. Make sure you read through the comments–as there have been a number of updates in info. I need to do a V 2.0 of this doc soon.
BTW I’m originally from NY. LOL.
[…] Hengstler, Julia. “A K-12 Primer for British Columbia Teachers Posting Students’ Work Online.” Jhengstler’s Blog, 13 May 2014, https://jhengstler.wordpress.com/2013/05/17/a-k-12-primer-for-british-columbia-teachers-posting-stud…. […]
[…] Hengstler, Julia. “A K-12 Primer for British Columbia Teachers Posting Students’ Work Online.” Jhengstler’s Blog, 13 May 2014, https://jhengstler.wordpress.com/2013/05/17/a-k-12-primer-for-british-columbia-teachers-posting-stud…. […]