Online Learning Guidelines Issued to Help Protect Student Privacy and Reduce Data Breaches in Schools

Before webcam-supported online discussions are recorded, schools must consider getting the consent of the parent or legal guardian of students below 18 years old, according to guidelines that a group of public and private universities and colleges across the country has issued.

The presence of the parent or guardian during these recorded sessions must also be considered, said the group, which likewise advised that the use of webcams in synchronous online classes be optional.

These are among the guidelines contained in Advisory No. 2020-1 that the Data Privacy Council Education Sector issued recently to help students, parents, teachers, administrators and other school personnel safely navigate digital spaces, as classes have shifted to online platforms to curb the spread of Covid-19.

With encouragement from the National Privacy Commission (NPC), data protection officers of a number of universities and colleges volunteered on June 26 to come up with the guidelines in the wake of a surge in security breaches of data systems of schools in the country in the first half of the year.

The security breaches stemmed from hacked portals and databases, phishing, stolen laptops, system glitches and human error, according to a report of NPC’s Data Security and Compliance Office.


Protect student privacy

Privacy Commissioner Raymund E. Liboro said the NPC “commends the education sector for coming up with an online learning guidance with data privacy at its core. Adopting technologies and online tools is a new progression of education as the pandemic continues to inhibit our movements.”

Like everything else, online learning must adhere to the data privacy law for the safekeeping of personal data, he said.

“Educational institutions must choose an online learning platform with the best security features and one that is most capable of protecting students’ privacy. Consider if the platform meets the requirements of the Data Privacy Act before letting students use them,” Liboro added.

For the conduct of personal data processing activities deemed necessary or related to online learning, the advisory emphasized accountability, information about education as sensitive personal information, legitimate interest, legitimate purpose, proportionality and transparency.


Areas of concern

The guidance listed the areas of concern that it covers.

These are the use of a Learning Management System (LMS) and Online Productivity Platforms (OPP); other available unofficial supporting tools for online learning; use of social media; publication of information or files via other means or platforms; storage of personal data; use of webcams and the recording of videos of online discussions; online proctoring; and data security.

The advisory, among other things, said that:

  • An announcement or posting involving personal data, such as grades and results of assignments, must be viewable only by its intended recipient/s.
  • Downloading of personal data stored in the LMS or OPP should be kept to a minimum and/or limited to that which is necessary for online learning.
  • Mechanisms must be in place so that submissions, such as assignments and projects, may be carried out in a safe and secure manner.
  • Submissions via social media platforms are discouraged.
  • Posting or sharing of personal data, such as photos and videos, on social media, must have a legitimate purpose and be done using authorized social media accounts of the school.
  • Explicit consent of the student (or parent or legal guardian, in the case of minors) should be obtained before the conduct of online proctoring and the use of related tools or technologies.

The advisory also asked schools to practice limited use of supporting tools or technologies that they have not officially adopted, as there is no formal relationship between them and the developer of the tools.


School prerogative

The guidance is meant to be a set of recommendations and shall not be treated as some type of policy, since schools retain the prerogative to decide on the measures they deem appropriate.

The advisory also said that the document covered different areas relevant to online learning, but it was not intended to be an exhaustive list of such concerns. “Neither does it include issues which, while related to online learning, do not involve the processing of personal data,” it read.

The advisory can be updated periodically, as the need arises, it added.

The advisory is among the articles in the September issue of the DPO Journal. A complete copy of the advisory can also be read on the NPC website.


Schools that drafted advisory

Members of the Data Privacy Council for Education that drafted the advisory are San Beda University, De La Salle University, Ateneo de Manila University, University of the Philippines-Diliman, University of the Philippines-Manila, University of the Philippines-Cebu and Technological University of the Philippines.

Also involved are De La Salle-College of Saint Benilde, PAREF Woodrose School, Our Lady of Fatima University, University of Perpetual Help-Dalta, University of Santo Tomas-Legazpi, Central Mindanao University, Laguna State Polytechnic University, and Ateneo de Iloilo.

Launched by the NPC in 2018, the DP Council is a stakeholder-based approach for a more effective promotion of data privacy accountability across all sectors. The Council is tasked with collaborating with the NPC in the creation of privacy codes for the specific needs and conditions of every sector.
