Canada lags the rest of the world when it comes to protecting personal data privacy. This is true both in general, and also when it comes to children’s data privacy and the protection of data privacy in Canadian classrooms.

Canadian educators are hindered in helping students protect their privacy by a lack of clear guidance and a jurisdictional mishmash. Education is a provincial responsibility, so education records are governed by provincial law. However, most online education sites are international, and so fall under federal privacy legislation.

Privacy in Canada is governed federally by The Personal Information Protection and Electronic Documents Act (PIPEDA). Unlike in the US, the unique privacy needs of children aren’t protected in Canada by specific legislation. However, a recent development has given some insight into what Canadian teachers can do to protect student’s online data privacy.

webkinz3

Webkinz, a product of toy company Ganz based in Woodbridge, Ontario, are toy stuffed animals that have a playable online counterpart in “Webkinz World“. Webkinz World is a very popular website for kids, with an estimated 800,000 unique visitors per month. It is aimed at children aged six to 13 years and allows users to create and care for a virtual pet, play games, complete tasks, earn virtual money and chat online.

On March 2, 2012, The Privacy Commissioner of Canada (PCC) initiated a complaint against Ganz for violations under PIPEDA. They believed that “…Ganz was collecting, using and retaining the personal information of children through its user registration process for the Website, without fully explaining its purposes for doing so, or obtaining appropriate knowledge and consent”. Later the complaint was expanded based on their findings.

The PCC reported their findings on Ganz on March 25th, 2015, and issued “Ten tips for services aimed at children and youth“. These guidelines indicate what online services targeting or designed for Canadian children need to do to protect the data privacy of their users.

Based on those tips, here are Five Data Privacy Tips for Canadian Educators. Educators can use them to ensure that the online services and practices they’re using in their classroom conform to Canadian guidelines:

  1. Minimize the collection of personal information: The PCC says that the collection of personal information about children should be “limited or avoided altogether”. Most online educational services collect some personal information about students, often to “refine their product or service”. Educators should review the privacy policy or Terms of Service of the websites they’re using in their classrooms, to find out how much “Personally Identifiable Information” companies are collecting about their students.
  2. Prevent the “inadvertent collection” of personal information: While Ganz wasn’t requiring children to enter their own names, The PCC found that many children still used their real names as their usernames and Ganz had no practices to monitor this. Websites for children should be designed to prevent this from happening. Educators should teach students how to create non-identifiable usernames as an essential part of Digital Citizenship instruction.
  3. Deleting inactive accounts: Each summer, students clean out their desks and move on to a new teacher. What happens to their online accounts and all that associated personal data? Under Canadian law user data should only be retained “as long as needed”. Sites are “…required to have, and make users aware of, an appropriate retention schedule for inactive accounts (deletion after a defined period of inactivity, for instance)”.  Sites should also have a ‘true deletion’ option, which allows user accounts to be fully deleted, and not just archived. Using sites that don’t have this isn’t supported by The PCC.
  4. Privacy practices must be understandable: It is the responsibility of services to ensure that users understand the privacy practices used on the sites they are using. Privacy practices should be explained in language that students can understand, and companies should use “interactive and innovative techniques” for informing students about privacy practices (think animated characters explaining privacy practices). If a service is designed for younger children who cannot understand these concepts, then privacy policies should be understandable by educators or parents. If privacy polices aren’t easily accessible and understandable, steer clear.
  5. Default Settings Should Be Private: Users should be able to confidently use a site knowing that the default settings will ensure their privacy is protected. Users should have to opt out of privacy, not opt in. Before using a service investigate what the default privacy settings are, to make sure that students’ privacy is protected from the beginning.

The Privacy Commissioner concludes their fact sheet by referring to their paper on Surveillance Technologies and Children and reviews the existing research on the effects of the mass collection of information on children.

That paper concludes with a cautionary note:

“Available research has raised legitimate questions about the potentially detrimental effects surveillance may have on children’s social development in the long term. Some have posited that growing up with surveillance as a daily presence may even normalize the practice over time and influence a shift in social norms away from privacy.”

This is the issue raised by Jessy Irwin in her excellent “Grooming Students for a Lifetime of Surveillance“, which should be required reading for all “21st Century Educators“. In our rush to embrace new technology in the classroom, we must also ensure that we are also protecting our students long-term freedom. There’s really no point in teaching students to think and express themselves if we are, at the same time, creating a future where they don’t have the freedom to do so.