Data Privacy in Ed-Tech Companies
The Education Technology or the Ed-tech industry has witnessed tremendous growth over the past few years. By providing educational solutions to vast users, by the use of an online platform that is accessible across the globe, the Ed-tech sector is advancing at a rampant pace. The global investment in the ed-tech sector is estimated to reach $350 Billion by 2025. In India, the increasing reliance on online education has helped many ed-tech startups double their user base. According to reports India’s ed-tech sector is estimated to be worth USD 30 billion by 2032. Such fast growth of the EdTech sector comes with responsibility and accountability in regard to the large amount of personal data it collects and handles.
Due to poor privacy protocols, the Ed-tech sector is prone to data breaches. Last year, one of the country’s leading ed-tech platform, suffered from a massive data breach, resulting in the personal and sensitive personal data of thousands of students and teachers, put for sale on the dark web. With the users of Ed-tech platforms constituting the majority of children and young adults, data protection and privacy is an under-addressed issue in the ed-tech sector with the stakes for privacy at an all-time high.
This article explores the primary aspects of data privacy in the ed-tech sector.
1: Collecting a large amount of personal data
Limitation and Minimization regarding the collection of personal data is one of the key principles of data privacy. When an organization receives and collect a large amount of personal data, it brings along sets of obligation, to ensure that the data collected is not irrelevant or unnecessary and is utilized for the purpose of legitimate processing activities. Often data collected by ed-tech platforms are personal data of children, who form part of a vulnerable group. Data collected includes names, e-mail and contact numbers, user habits such as time taken to complete an assignment and social and emotional behavior.
Given the amount of data collected by ed-tech and the demographics they cater to, it is very important that such ed-tech companies pay proper attention to ensuring user privacy by collecting relevant data sets and ensuring that all stakeholders receive complete transparency and notice regarding the use, storage, retention, processing and sharing of the large amount of personal data collected.
2: Privacy Obligations while performing complex processing operations
Another crucial aspect is that the data is collected from a susceptible group of the population, i.e., children and students. Such data is processed to draw inferences on abilities and intelligence, which forms part of sensitive personal data. New-age features and functionality provided by EdTech platforms are equal performing sophisticated processing operations, including, profiling and other means of automated decision making. Processing operations used to monitor user behavior further and to build marketing profiles, to obtain a monetary advantage, is also a major policy concern. Artificial Intelligence and other modern means of automated processing, which help draw inferences, are relied upon at heavily by EdTech platforms to monitor and evaluate students’ performance metrics, throughout the course.
Data Processing must be done in a way that is not only informed and transparent but also, allows a certain degree of control when formulating profiling decisions based on automated processing. Express consent for processing using automation can be a good measure to ensure that such processing operations do not deter privacy-related rights and freedom of the individual. Such forms of processing, if carried out, should be made subject to conditions, and should allow individuals, to whom such personal data belongs, to exercise greater control or over the results/outcomes of such processing.
3: Securing Personal Data
A natural obligation resulting from collecting and receiving a large amount of personal data is ensuring that such data is kept secure and safe. Technical and organizational security measures form a necessary part of privacy compliance. It warrants that the organization formulate elaborate and appropriate security measures to safeguard personal data within its control, from unauthorized use transfer or processing.
4: Sharing, transferring and storing of personal data
Sharing data with global and transfer data to third-party vendors and service providers is a business necessity, however, such transfers cannot be arbitrary, excessive, and unregulated. Privacy principles require that data transfers to third parties and even affiliated group companies be secured by way of specific modalities such as data protection agreements (‘DPA’), record keeping etc.
Along with transferring, the data collected is also hosted on a cloud. EdTech platforms rely on these cloud servers and cloud data centers, for storage. Such storing of personal data on the cloud raises alarms of privacy. Upon any data security incidents in the database of cloud service providers, the personal data of the users of the EdTech platform, suffer the consequences. Well established, data sharing procedures and mechanisms provide the company, with safeguards to secure the data collected, stored or transferred to avoid any data breaches which may harm the data subject.
Handling Children’s Data- Global Perspective
As highlighted, the ed-tech sector deals with personal data belonging to teachers, children and young adults, and often their parents. Privacy legislations prescribe special provisions when handling personal data of these subjects.
EU: According to Recital 38 of the EU-General Data Protection Regulations (GDPR), Children require special protection with regard to their personal data, as they are less aware of the risks, consequences and safeguards regulating the processing of personal data.
USA: The United States of America protects the privacy of children below the age of 13 through the Children’s Online Privacy Protection Act (COPPA). COPPA applies to any websites or online services that are either directed at children under the age of 13 years old, or who have actual knowledge that they are collecting personal information online from kids under 13 years of age.
India: In India, data privacy is governed by Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The rules do not provide any specific provisions for the protection of children’s data. However, the pending Personal Data Protection Bill provides for verification of age by the data fiduciaries and obtaining consent from the legal guardian of the child.
EdTech platforms thus must ensure, that their platforms are designed keeping in mind the privacy issues that may arise from their functioning and operations. A dedicated data privacy strategy and compliance program will help these platforms to cater to data privacy and protection requirements with ease and help them to meet their larger responsibility of ensuring privacy and security in their platform.
(Devdiscourse's journalists were not involved in the production of this article. The facts and opinions appearing in the article do not reflect the views of Devdiscourse and Devdiscourse does not claim any responsibility for the same.)