A recent school assembly threw up an object lesson on how far we have to go with student data privacy.
My school is an enthusiastic participant in Jump Rope for Heart. I support the work of The Heart and Stroke Foundation, and on “Jump Rope Day” my students will be skipping and I will be encouraging them as they raise funds. But it was during our Jump Rope for Heart kick off assembly that I heard something that made me shake my head in amazement.
Not long ago there was a steady parade of children knocking at my door and asking for donations for a variety of causes. That doesn’t happen anymore. Shifting societal attitudes combined with parental concerns about safety means schools now insist that students don’t solicit donations “door to door”. Not even from neighbours they know.
This is good for student safety but bad for donations. No doubt to try and compensate, The Heart and Stroke Foundation has turned to digital technology. In an assembly containing students from four to fourteen, students were encouraged to register online at Jump Rope for Heart Website to help them collect donations for The Heart and Stroke Foundations work.
Students select their province, their school, identify their grade and then enter their first and last name. Now students can solicit donations from friends and family from far and wide can all from the safety of their computer. Students who raise enough money they are rewarded with prizes.
At no point in the assembly were students encouraged to ask parents for permission to register. They were simply told to go to the website, choose your school and enter you name. They were also told that they’d be rewarded for registering with a $5 “kick-start” to their campaign.
Later, I checked out the registration process. There is a page of “Contact Information” which requires the provision of Parent/Guardian information and a waiver with a lot of legal information that requires a check box, but that’s it. There’s nothing I can see that would prevent a motivated child from registering themselves without parental consent.
Here are my concerns:
- Children’s Personal Information: The Privacy Commissioner of Canada has said the collection of personal information about children should be “limited or avoided altogether”. The Jump Rope for Heart website is openly collecting personal information about children. What could be more personal than a child’s full name and what school they attend?
- Deleting Children’s Data: There is no indication of what happens to this data after Jump Rope for Heart is over and the legal waiver that students and/or their families agree to doesn’t mention data at all. Does Heart and Stroke Foundation keep the user data? If so, why? What do they intend to do with this data? Sell, share of delete it? Users should know this information before they register.
- Cumulative Effect: While their may be little direct damage caused by the Heart and Stroke Foundation knowing a child’s name and school, the greatest danger isn’t posed by a single data set. It’s potential of combining previously unrelated data sets to make knew connections that has privacy advocates concerned. The combination of a child’s name and school ties them to a whole array of publicly available demographic and academic data. Suddenly a child has a very large and detailed unintended digital footprint.
This all the more dangerous because it is done with the approval and encouragement of a school and for “a good cause”. Students want to raise funds, want to win prizes and feel that since the school approves of it, it must be safe.
That a large reputable charitable organization is collecting data from students with apparently little regard for privacy is troubling. We desperately need to start talking more about student data privacy. We desperately need to start talking more about student data privacy and putting this on every educator’s agenda. The longer we wait, the more our students right to privacy is eroded.