Laatste update op 13 maart 2021
Spoiler alert: it’s all about ethics.
Schools are struggling with which software applications and websites can be used in the classroom by students when it comes to privacy. Indeed, there is so much to choose from, teachers all have their own preferences but not every website or application is safe to use.
In this article I’ll address several issues, talk you through some best practices that will help you how to go about this in your school. I write this article with the European GDPR in mind, but I guess it will also be useful in other countries, such as the USA. I’ll use an American example, the one that tricked me into writing this post.
First I want to point out that a school should always provide a safe learning place, be a safe space for students, either young and old. Customers (parent, students) may require this from their school. It should be a no-brainer. However, in reality it seems not to be that simple. This has everything to do with how fast technology develops, how we got where we are and, of course, with money. I think there is a way out.
Example of a (not so appropriate) consent form for online educational tools you may come across
The above form was presented by Laura Moy on Twitter, stating “My six-year-old brought home this ridiculous “consent” form yesterday. What am I supposed to do with this? Just glanced over policies of three providers on the list (of 58) and already found one that says it’s “designed to be used by individuals who are over the age of thirteen.”
There are several issues with this consent form.
First, the form should not have been presented in the first place. The school did a really good job vetting over 300 apps and marked them with either ‘approved’, ‘consent’ and ‘prohibited’. However, they should have dismissed use of apps that require consent all together. Consent is only one of several lawful bases for data processing and opt-in/consent is not always required. In GDPR terms, the school could simply use the basis ‘contract’ and/or ‘legitimate interest’ to perform their task. Mind you, for this you still need to use tools that are compliant with the laws. And you may have guessed it already, not all of them are (and that’s where they ask for consent). In the end it is about educational responsibility.
For example, ClassDojo is listed by the school as ‘use responsibly’. The International Association of Privacy Professionals (IAPP) says:
Classroom management software, such as ClassDojo and others, provides for behavioral and disciplinary tracking of students. While much of this functionality is a positive for teachers overseeing a classroom with limited resources, there are potentially negative impacts educators must consider.Sourc: IAPP
So no teacher should use this in the classroom at any case. Schools nor parents should expose their children to this kind of tracking.
Assessing 58 apps/sites?
Second, there is no way anyone can make a quick and good assessment whether or not to agree, as no further information is given about the tools other than that the school says they are compliant. The school does it’s best to provide further information about the 58 apps/sites on their site through their ODT database (Online Digital Tools) where screened apps are listed. However, he database itself can only be accessed if you agree to cross-site tracking cookies. Once there, the database does provide useful information, although it does not become clear what tools are used for, what information they gather, share, etc.
And as Laura checked some policies herself, she soon discovered that one of the apps is only suitable for children who are over the age of thirteen. Her daughter is six.
It would be so much easier for everyone to just use privacy-friendly ODTs.
All or nothing
And how is one supposed to opt-out some and opt-in others? The consent form does not provide such a selection. It is simply ’take it’ or ‘leave it’, logically originated by a sense of being practical. This is not being transparent about what happens. In addition this practice of no exception makes it extra hard to say ‘no’ as it is easier for the school. Parents are especially susceptible to that approach, as they don’t want to make it any harder for schools and teachers as it is. However, in this way the school avoids its accountability. Presenting the form in this way, creates four issues:
- ethical: they use group pressure in this way to consent, as children of parents who say no, are at risk of social isolation because of alternative instructional activities (hey, so the instruction can be done in another way).
- judicial: pressure means that consent is not freely given, people feel forced to say yes (group pressure and school pressure).
- judicial: the form lacks transparency about the processing of personal data per application
- judicial: what they do when a parent withdraws consent?
In this way the school does not take enough measures to actually provide a safe learning space.
It can be done
As a privacy officer of a large school for vocational education with over 17,000 students, I am familiair with the topic. We cannot ask parents to consent: we need to ask the students themselves as almost everyone is over 16. GDPR says freely given consent is almost impossible to prove because of the imbalance in power when a school/teacher asks a student to use a certain product. So, we actually can’t ask consent in this power relation.
We solved it simply by not allowing the use of unsafe tools all together. So we wrote a sound policy in which we (obviously) choose to only use products that are privacy-friendly and compliant. So we screen all apps/websites/tools that we know of teachers like to use and tell them which options they have. This way we can use tools in the classroom without the need to ask consent. In addition we work together with other schools to find privacy-friendly alternatives when a certain app is discouraged and we share best practices. The teachers are actively involved in expanding the list of usable ODTs and alternatives.
When you assess digital tools, there are of course several topics you can take into account. Usually the information this check provides, is enough to assess whether an app is safe to use or should be discouraged/prohibited, as a suggestion:
- privacy statement available (if yes, is the content compliant with the applicable legislation), and is it transparent or vague/broad?
- cookie statement available (if yes, are the cookies presented in privacy-friendly way), is it transparent or vague/broad?
- is marketing tracking performed (if yes, is it opt-in or opt-out)
- is information being transferred to third parties?
- https available?
- bothering Facebook pixel?
- contact information available?
- contractual agreements possible (like a data processing agreement)?
- simple protection/safety test
Or use a decision tree to decide which tools you can use as a teacher (I’ll try to find time to actually “tree” this text):
- Does the tool requires personal information?
- yes? – is the application offered by your school?
- no? – do users need to login or make an account?
yes? – ask the privacy officer of your school to screen the app (may in addition a data processing agreement is required).
In the next list you will find suggestions for the use of online educational software like apps/websites/tools in the classroom. I hope this will be of use to you. It will be expanded with the list from the consent form in this article. In addition I will add the aspects that were taken into account for the advice.
|123test||individual tests, assessments, IQ-test||personal use only, not advised for privacy reasons (trackingcookies/no opt-out)|
|Adobe Spark||creation of visual stories||teacher only|
|Autodesk (Fusion 360)||drawing program||licensed-based|
|Blender||3D creation suite||yes (local download, management for updates required)|
|Core Talents||Core Talents Analyser||only for personal use (employees/consent)|
|Cumlaude||ELO||contractual agreements necessary|
|Datumprikker||appointment planner||contractual agreements necessary|
|Doodle||appointment planner||not GDPR-compliant|
|Dropbox||file sharing cloud service||check whether the school offers contracted alternatives|
|Eventbrite||event organiser and ticketing system||personal use only, not advised for privacy reasons|
|Gallup Clifton Strength Finder||development strengths||personal use only, not advised for privacy reasons (trackingcookies/no opt-out)|
|Google tools (forms, etc.)||a selection of online tools||Not privacy-friendly. Check whether the school offers contracted alternatives|
|H5P||generation HTML5-content||contractual agreements necessary|
|Hypothes.is||annotation of websites||not GDPR-compliant|
|IAT||implicit Association Test Harvard||not GDPR-compliant|
|Intodrives||motivational factors scan||only for personal use (employees/consent)|
|Kahoot!||online learning tools||teacher only|
|Learningapps||online learning tools||teacher only|
|Lesson up||interactive digital lessons||teacher only|
|Mailchimp||email newsletters||contractual agreements necessary|
|Mentimeter||interactive presentations||teacher only|
|Microsoft 365||office applications||contractual agreements necessary|
|Mindmap||online mindmapping||teacher only|
|Mindmeister||online mindmapping||not GDPR-compliant|
|Nearpod||online learning tools||teacher only|
|Padlet||sharing information through widgets||teacher only|
|Peergrade||online peer feedback||not GDPR-compliant|
|Plickers||online learning tools/quiz||teacher only|
|Prezi||interactive presentations||teacher only|
|Quizlet||online learning tools||teacher only|
|QuizTools||quiz system||yes (anonimised tests only)|
|RoundMe||creation of virtual tours||teacher only|
|Schoolgesprek.nl||appointment planner||contractual agreements necessary|
|Socrative||online learning tools||teacher only|
|SurveyMonkey||online survey tool||contractual agreements necessary|
|TMA Analyse||talent development||personal use only, not advised for privacy reasons (trackingcookies/no opt-out)|
|Tricider||source for inspiration||teacher only|
|Weebly||online website building||not GDPR-compliant|
|WeTransfer||filesharing||free version not safe enough|
|chatapp||communication with students on initiative of student/employee|
|Wheel Online||turn chooser||just surnames|
|Wickr||online website building||not GDPR-compliant|
|Wix||online website building||not GDPR-compliant|
|Wordpress online||online website building||not GDPR-compliant|
* teacher only means that the teacher may choose to open an account for themselves and work from there with the class. For example Quizlet and Kahoot! are quite useful without student accounts.
Also check switching.software for privacy-friendly tools.
These suggestions are open for feedback. If any company should feel an assessment is not accurate, please notify me.
- Weizenbaum examines computers and society
- Student Privacy
- IAPP, what you need to know about educational software
And in this case, maybe also read about the MCPS approach, their database and the MCPS data breach. It happens.