10 Case Study: Protecting Children’s Private Information in Early Childhood Programs
Protecting Children’s Private Information in Early Childhood Programs
Enas Zaghloul; Angela Walsh; Roohi Jawad; Evelynn Jacob; and Kalaivani Sritharan
In this chapter, we outline a case study that includes:
- Context
- The Policy Environment
- People and Organizations
- Problem definition
- Solutions
- Reflection on the Solutions
- Discussion Questions
- Video
Executive Summary
Parents using child care may appreciate the convenience of an app to communicate with their daycare but also may need to realize who has access to the information about their child via the app. Similarly, teachers may share information with parents through an education app but not realize who has access to the shared information. This case study describes one such scenario.
Child care providers (CCP) in Ontario are regulated and provide services for children ages birth through 12 years. The Ontario Ministry of Education is responsible for child care overall and gives full-day kindergarten to all four and five-year-old children. Child care is also provided for out-of-school hours and for children who are not yet school-aged.
While companies have designed educational apps to simplify communication with parents, some apps share families’ personally-identifiable information (PII; Bradshaw et al., 2013), making it challenging for CCPs to communicate effectively with children’s families while simultaneously guarding the PII of students and parents. This precarious situation is augmented if the education app’s providers experience privacy breaches.
The authors of this case study are experienced educators guided by insight from Warren and Brandeis (1890) that families and children have a right to privacy “in its fullness” (p. 213). Throughout this chapter, we explore the present policy environment and the roles and challenges of protecting privacy for CCPs and families using educational applications. The authors ultimately propose various problem solutions and reflect on their efficacy.
Context
Edmodo, a popular communication tool for K-12 teachers, began in 2008 as an open-source learning management system. According to the official website for the State of Vermont (2022), Edmodo offered lesson planning tools, live classes for synchronous delivery and the opportunity to hold classes in “enclosed communities.” Edmodo quickly became popular with teachers; Edmodo has claimed to have 90 million users in 400,000 schools in 192 countries (Corcoran & Wan, 2018). When schools or childcare providers (CCPs) outsource communication to a company like Edmodo, they outsource more than the platform. Parents, students, participating schools, and CCPs also share private information. Regulations regarding “who owns the data” may not be apparent to everyone involved.
Edmodo was hacked in May 2017, leading to a report that tens of millions of users’ account names and email addresses were for sale on the dark web (Klose et al., 2020; Herold, 2017). Edmodo was responsible for informing users and regulators of a data breach. Subsequently, Netdragon acquired the EdTech platform in 2018 (Corcoran & Wan, 2018). In 2022, Edmodo ceased to operate, leading experts to question what would happen to the large amounts (ten years) of sensitive data stored in Edmodo from participating schools, CCP and families. Fortunately for educators, parents and students, Edmodo has indicated that it intends to destroy the data it holds (Mollenkamp, 2022).
The Policy Environment
Although policies for privacy protection for students are advancing, many current education apps still allow unauthorized access to PII. There is, in addition, a lack of privacy protection laws internationally. The Global Privacy Enforcement Network of 60 global privacy regulators raised the alarm for protecting student and family PII based on their findings that many internet-based education applications require learners and students to submit PII, including emails, to access their services (GPEN, 2017). Some information security policies designed to protect the PII of students and families are beginning to be implemented globally, such as the European Parliament’s. (2016) General Data Protection Regulation (GDPR) which protects European students.
The policy is a planned response, but Cavoukian (2011) asserts that the privacy policies of most online platforms are reactive. Durrani and Alphonso (2022) examined data and findings from the Humans Rights Watch (HRW) concerning the abrupt shift to online learning at the onset of the COVID-19 pandemic. They found that students’ information from EdTech apps was shared with advertisers, reaffirming global privacy and safety gaps in educational technology (Durrani & Alphonso, 2022). In a survey of 3084 US students, 52% said that they have been “very/somewhat concerned” with sharing their data, including COVID-19 vaccination information, and 56% were concerned about data breaches such as being “zoom-bombed” by uninvited users interrupting their online classes (Klein, 2021).
According to Bradshaw et al. (2013), because educational apps require users to enter PII for the child and family, Canadian legislation needs to improve digital privacy protection for young children, mainly since more digital education solutions have emerged during the COVID-19 pandemic. In Canada, the House of Commons (2019) Personal Information Protection and Electronic Documents Act is in place for monitoring the commercial use of information federally. However, education is the responsibility of the provinces, thus creating overlapping policy issues and gaps. There also exists a gap in curriculum policy evidenced by the lack of incorporation of essential learning concepts of digital privacy, including digital permanence, digital footprint, and digital dossier, across Canadian curriculum policies (Leatham, 2017)
Within Ontario, CCPs must comply with the Child Care and Early Years Act (CCEYA, 2014) legislation and the Municipal Freedom of Information and Privacy Act (MFIPPA, 1990) which is the overarching protection of information legislation that provides more detail on protecting and securing PII. Though MFIPPA predates widely used digital platforms and offers the definition that “personal information is inclusive of age, race, origin, identifying symbol or number, and unique physical characteristics, among others, that can be used to identify an individual” (s.2-1(a)). Although MFIPPA is yet to be updated to reflect a digital environment, it acknowledges that a record of PII includes electronic information s.2(1). MFIPPA is essential in protecting learners because it prohibits institutions, including schools, from the unconsented use of stored personal information (Bradshaw et al., 2013).
The United States began protecting student privacy as early as 1974 under the Family Education Rights & Privacy Act (FERPA). More recently, in response to the increase in the use of the internet and digital applications, they enacted the Children’s Online Privacy Protection Act (COPPA, 1998) and the Children’s Internet Protection Act (Federal Communications Commission, 2003) to protect children’s privacy (Poggi, 2021). FERPA (1974) outlines the requirements to protect PII, while COPPA (1998) establishes the age of 13 for consent for an online profile. These laws can serve as an example in identifying the type of records and sensitive information that should be protected when uploaded to digital applications. Even though multiple layers of legislation can be cumbersome, Flanigan (2015) argues that enacting vast bills at the federal and state level is essential in enhancing children’s data privacy. However, there is a lack of teacher training around them.
The European General Data Protection Regulation (GDPR, 2016) Article 4 identifies:
‘personal data’ as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (p.33)
According to the office of the Privacy Commissioner of Canada (OPC), the GDPR protects the transfer of PII under Article 46, which states that if an organization has appropriate safeguards, it can transfer data to other countries without authorization from a supervisory authority within the EU (OPC, 2020). While this only applies to any organization doing business with Europe, it protects students’ privacy and might benefit the global use of educational apps. According to the UNCTAD Global Cyberlaw Tracker, only 59% of countries have consumer protection laws, 71% have privacy laws, and 80% have developed cybercrime laws (United Nations Conference on Trade and Development [UNCTAD], 2021).
People and Organizations
In Ontario, another term for licensed CCPs is early years centres; these commercial businesses operate on a traditional organizational style with upper management and reporting lines flowing down from the top. Some organizations offer home child care as a branch of their business, and these operations follow the same organizational structure. Executive directors and managing directors facilitate the operational aspects of each department. Service System Managers in early childhood centres provide a high standard of quality programming and safety, build capacity to support clients, and ensure that licensed operations are compliant with legislative standards (OMSSA, 2020). Coordinators and administrators oversee their directives and guide the early childhood educators and assistants.
Problem Definition
The use of digital applications in education demonstrates a problem of consent and the need for training. The primary users of digital educational applications are parents and caregivers for daily collaboration, sharing content, and supplementing classroom learning using apps such as Google Classroom, HiMama, Storypark, and Edmodo. Users are responsible for regulating and managing their privacy and information in their account settings and activity controls (Kudina & Verbeek, 2019). However, there needs to be clarity regarding where the responsibility lies in educational applications to ensure no third-party access.
While consent to share data is given upon accepting the terms and conditions, merely using the software can also indicate consent, which is problematic when the video subject is not of consenting age. Edmodo’s terms of service state that educators who sign up for their service are presumed to represent and warrant legal authority from schools to provide consent (Common Sense, 2021).
Part of the problem lies in understanding the use of the collected data by the company that owns the app. After the information is collected, they have control of what happens with it, whether the data has been provided by the CCP or parent if they uploaded content. Storypark, an educational documentation software, positions the data as voluntarily provided personal information, but they control all aspects of the information. Data is stored for the contract’s life, is shared with third parties for business development, and is used to track behaviour trends and assess their market position (Storypark, 2020). A recent report by Human Rights Watch (2022) indicates that educational apps are selling student information to third parties at a staggering rate, and this practice is largely unregulated.
In Canada, educators need the training to build digital privacy protection skills capacity. Educational Policy Institute Canada (2010) developed a framework for statistics on learning and education, which outlines that the early childhood education sector needs more research, training, and development at the provider level. Privacy and security training is recommended as one line of defence for information privacy, delivered through software providers or independently within the organization (IPCO, 2019; Student Privacy Compass, 2022). Training offers an understanding of sensitive data, retention and collection procedures, and policies governing continuous assessment practices in CCPs. In a study commissioned by the Office of the Privacy Commissioner of Canada, Hamel (2011) observed that “rights and protections do not exist online for safety and security, especially where privacy is concerned” (p.27).
Solutions
The authors believe educational/caregiving organizations should implement security measures to protect PII from external and internal data breaches. Adult-targeted digital literacy content is almost never presented with an educational focus; instead, it is only presented textually for reference. They communicate but do not sincerely attempt to teach. While graphical, interactive embellishments may not be necessary to keep an adult’s interest, the methods usually used to teach youngsters could be used to communicate digital literacy principles—including privacy—more effectively (Hamel, 2011). Organizations must not only provide a choice for users to give their consent, but they have a duty of care to actively seek the consent of users by asking multiple times and ensuring that informed consent is given (Robertson & Muirhead, 2022). CCPs can coordinate to take an active role in learning how to report education initiatives and performance for young children and how to keep large data sets confidential while collecting sensitive information.
The authors argue that teaching staff digital privacy requirements based on provisions of MFIPPA will help educators to practice digital privacy in the current surge and reliance on the internet for education. At present, educators need to be aware of the different legislation provided to enhance children’s privacy and security when using digital learning applications. Equally, Canadian educators also require understanding of Canadian and American legislation for trans-border considerations and application. Policies should define the range of collected, stored and used information, and recommend consent forms from parents or designated early childhood educators before using students’ information. The legislation will be ineffective in protecting against privacy risks without adequate staff training focused on understanding information security’s meaning, significance, and scope within a learning environment.
Reflection on the Solutions
All stakeholders play essential roles in IT security strategies and decision-making for integrating digital platforms (Li et al., 2021). Data breaches result in fallout with severe consequences, including falling market value and high penalty costs (Shankar & Mohammed, 2020). However, organizations can recover from these fallouts through internal change processes (based on dynamic capabilities) to reclaim customers’ confidence (Shankar & Mohammed, 2020). CCPs can initiate change for information privacy by assessing their organizational beliefs and values that inform technological adoption. Understanding technology’s role in daily operations can help determine how valuable security measures are and what actions need to be taken by leaders. Without a clear policy for digital privacy in education, the message is “user beware.”
Discussion Questions
- How can organizations and parents collaborate to integrate a need for privacy when selecting educational apps that share private information?
- Considering digital permanence, what might be shared online in 2022 that could impact that child when they are an adult?
- What steps would you support in limiting the amount of information users share on learning platforms?
- How can EdTech software providers protect PII and meet parents’ efficient communication needs?
- How might digital providers change the Terms of Service to be ethically accountable for explaining third-party access in plain language?
- Within the digital platforms in Early Learning, what PII needs to be protected?
- What needs to be done differently to improve privacy policy and digital safety for childcare providers?
Video
Acknowledgement
The authors would like to thank Heather Leatham for their guidance and insight.
References
Bradshaw, S., Harris, K., & Zeifman, H. (2013, July 22). Big data, big responsibilities: Recommendations to the office of the privacy commissioner on Canadian privacy rights in a digital age. CIGI Junior Fellows Policy Brief, 8, 1-9. https://www.cigionline.org/publications/big-data-big-responsibilities-recommendations-office-privacy-commissioner-canadian
Cavoukian, A. (2011, January). Privacy by design: The 7 foundational principles. Information & Privacy Commissioner Ontario. https://www.ipc.on.ca/wp-content/uploads/resources/pbd-implement-7found-principles.pdf
Child Care and Early Years Act, S.O. 2014, c. 11, Sched. 1, 2014. https://www.ontario.ca/laws/statute/14c11?_ga=2.73153043.107555154.1655045667-1884507702.1655045667
Children’s Online Privacy Protection Act, Pub. L. 105-277, div. C, title XIII, Oct. 21, 1998, 112 Stat. 2681-728 (15 U.S.C. 6501 et seq.) [1998]. https://uscode.house.gov/view.xhtml?path=&req=granuleid%3AUSC-prelim-title15-section6501&f=&fq=&num=0&hl=false&edition=prelim
Common Sense. (2021, August 26). Privacy evaluation for Edmodo. https://privacy.commonsense.org/evaluation/edmodo
Corcoran, B., & Wan, R. (2018, April 9). China’s NetDragon to acquire Edmodo for 137.5 million. EdSurge. https://www.edsurge.com/news/2018-04-09-china-s-netdragon-to-acquire-edmodo-for-137-5-million
Educational Policy Institute Canada. (2010). A framework for statistics on learning and education in Canada. Council of Ministers of Education, Canada. http://www.cmec.ca/Publications/Lists/Publications/Attachments/257/cesc-data-framework-sept2010.pdf
European Parliament. (2016, April 27). Regulations. Official Journal of the European Union, 59, 119/1-119/31. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679
Durrani, R., & Alphonso, C. (2022, May 24). Technology used by educators in abrupt switch to online school shared kids’ personal information, investigation shows. The Globe and Mail. https://www.theglobeandmail.com/canada/article-online-school-kids-privacy-data/
Federal Communications Commission. (2003, August). Children’s Internet Protection Act (CIPA), Pub. L 106–554, 2000. https://www.ntia.doc.gov/files/ntia/publications/cipareport08142003.pdf
Family Educational Rights and Privacy Act, Pub. L. 93-380, title V, Sec 513, Aug. 21, 1974,88 Stat. 571, [1974].
Flanigan, R. L. (2015, October 19). Why K-12 data-privacy training needs to improve. EducationWeek. https://www.edweek.org/technology/why-k-12-data-privacy-training-needs-to-improve/2015/10
House of Commons. (2019, June 21). The Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5). https://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html
Information and Privacy Commissioner of Ontario (IPCO). (2019). Privacy and access to information in Ontario schools: A guide for educators. https://www.ipc.on.ca/wp-content/uploads/2019/01/fs-edu-privacy_access-guide-for-educators.pdf
Hamel, van A. (2011). The privacy piece: Report on privacy competencies in digital literacy programs in Canada, Britain, Australia, America, and Brazil. MediaSmarts. https://mediasmarts.ca/sites/mediasmarts/files/pdfs/publication-report/full/The-Privacy-Piece.pdf
Human Rights Watch. (2022, May 25). “How dare they peep into my private life?” children’s rights violations by governments that endorsed online learning during the COVID-19 pandemic. https://www.hrw.org/report/2022/05/25/how-dare-they-peep-my-private-life/childrens-rights-violations-governments
Global Privacy Enforcement Network (GPEN). (2017, October). GPEN sweep 2017: User controls over personal information. UK Information Commissioner’s Office. http://www.astrid-online.it/static/upload/2017/2017-gpen-sweep—international-report1.pdf
Herold, B. (2017, May 16). Popular ed-tech platform Edmodo, hacked, faulted for ad-tracking. Education Week. https://www.edweek.org/technology/popular-ed-tech-platform-edmodo-hacked-faulted-for-ad-tracking/2017/05
Klein, A. (2021, November 16). EdTech usage is up. so are parent privacy concerns. EducationWeek. https://www.edweek.org/technology/ed-tech-usage-is-up-so-are-parent-privacy-concerns/2021/11
Klose, M., Desai, V., Song, Y. & Gehringer, E. (2020). EDM and privacy: Ethics and legalities of data collection, usage, and storage. In A.N. Rafferty, J. Whitehill, V. Cavalli-Sforza, & C. Romero (Eds.), Proceedings of The 13th International Conference on Educational Data Mining (EDM 2020) (pp. 451-459). https://educationaldatamining.org/files/conferences/EDM2020/papers/paper_135.pdf
Leatham, H. (2017). Digital privacy in the classroom: An analysis of the intent and realization of Ontario policy in context (Masters dissertation, Ontario Tech University). https://hdl.handle.net/10155/816
Li, H., Yoo, S., & Kettinger, W. J. (2021). The roles of IT strategies and security investments in reducing organizational security breaches. Journal of Management Information Systems, 38(1), 222–245. https://doi.org/10.1080/07421222.2021.1870390
Mollenkamp, D. (2022, August 16). Popular K-12 tool Edmodo shuts down. EdSurge. https://www.edsurge.com/news/2022-08-16-popular-k-12-tool-edmodo-shuts-down
Office of the Privacy Commissioner of Canada. (2020). Appendix 3: Cross-border data flow and transfers for processing-jurisdictional analysis. https://www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2021/tbdf_app3/
Ontario Municipal Social Services Association. (2020, November). Child care and early year services in Ontario. https://www.omssa.com/docs/Child_Care_and_Early_Years_Services_in_Ontario.pdf
Poggi, N. (2021, February 4). Three laws that protect students’ online data and privacy. PreyProject. https://preyproject.com/blog/en/three-laws-that-protect-students-online-data-and-privacy/
Robertson, L., & Muirhead, W. J. (2020). Digital privacy in the mainstream of education. Journal of Systemics, Cybernetics and Informatics, 16(2), 118-125. http://www.iiisci.org/journal/pdv/sci/pdfs/IP099LL20.pdf
Shankar, N., & Mohammed, Z. (2020). Surviving data breaches: A multiple case study analysis. Journal of Comparative International Management, 23(1), 35–54. https://doi.org/10.7202/1071508ar
Storypark. (2020, December 01). Privacy policy. https://main.storypark.com/privacy-policy
Student Privacy Compass. (2022). Student privacy training for educators. https://studentprivacycompass.org/resources/educatortraining/
United Nations Conference on Trade and Development [UNCTAD]. (2021, December 14). Summary of adoption of e-commerce legislation worldwide. https://unctad.org/topic/ecommerce-and-digital-economy/ecommerce-law-reform/summary-adoption-e-commerce-legislation-worldwide
Vermont Agency of Education. (2022). Edmodo resources for classroom teachers. https://education.vermont.gov/edmodo/resources-classroom-teachers
Warren, S. D., & Brandeis, L. D. (1890). The right to privacy. Harvard Law Review, 4(5), 193-220. https://doi.org/1321160