28 August 2021
– Amardeep Mathur and Ayushi Modi
The Education Technology or the Ed-tech industry has witnessed tremendous growth over the past few years. With providing educational solutions to vast users, by the use of an online platform which is accessible across the globe, Ed-tech sector is advancing at a rampant pace. The global investment in ed-tech sector is estimated to reach $350 Billion by 2025. In India the increasing reliance on online education has helped many ed-tech startups double its user base. According to reports India’s ed-tech sector is estimated to be worth USD 30 billion by 2032. Such fast growth of the EdTech sector, comes with responsibility and accountability in regard to the large amount of personal data it collects and handles.
Due to poor privacy protocols, the Ed-tech sector is prone to data breaches. Last year, one of the country’s leading ed-tech platform, suffered from massive data breach, resulting in personal and sensitive personal data of thousands of students and teachers, put for sale on the dark web. With the users of Ed-tech platforms constituting majority children and young adults, data protection and privacy is an under addressed issue in the ed-tech sector with the stakes for privacy at an all-time high.
This article explores the primary aspects of data privacy in the ed tech sector.
1: Collecting large amount of personal data
Limitation and Minimization regarding collection of personal data is one of the key principles of data privacy. When an organization receives and collect large amount of personal data, it brings along sets of obligation, to ensure that the data collected is not irrelevant or unnecessary and is utilized for the purpose of legitimate processing activities. Often data collected by ed-tech platforms are personal data of children, who form part of a vulnerable group. Data collected includes names, e-mail and contact numbers, user habits such as time taken to complete an assignment and social and emotional behavior.
Given the amount of data collected by ed-tech and the demographics they cater to, it is very important that such ed-tech companies pay proper attention to ensuring user privacy by collecting relevant data sets and ensuring that all stakeholders receive complete transparency and notice regarding the use, storage, retention, processing and sharing of the large amount of personal data collected.
2: Privacy Obligations while performing complex processing operations
Another crucial aspect is that the data is collected from a susceptible group of population, i.e., children and students. Such data is processed to draw inferences on abilities and intelligence, which forms part of sensitive personal data. New age features and functionality provided by EdTech platforms, equals to performing sophisticated processing operations, including, profiling and other means of automated decision making. Processing operations used to monitor user behavior further and to build marketing profiles, to obtain monetary advantage, is also a major policy concern. Artificial Intelligence and other modern means of automated processing, which help draw inferences, are relied at heavily by EdTech platforms to monitor and evaluate students’ performance metrics, throughout the course.
Data Processing must be done in a way which is not only informed and transparent but also, allows certain degree of control, when formulating profiling decisions based on automated processing. Express consent for processing using automation, can be a good measure to ensure that such processing operations do not deter privacy related rights and freedom of the individual. Such forms of processing, if carried out, should be made subject to conditions, and should allow individuals, to whom such personal data belongs, to exercise greater control or over the results / outcomes of such processing.
3: Securing Personal Data
A natural obligation resulting from collecting and receiving large amount of personal data, is ensuring that such data is kept secure and safe. Technical and organizational security measures form a necessary part of privacy compliance. It warrants that the organization formulate elaborate and appropriate security measures to safeguard personal data within its control, from unauthorized use transfer or processing.
4: Sharing, transferring and storing of personal data
Sharing data with global and transfer of data to third party vendors and service providers is a business necessity, however such transfers cannot be arbitrary, excessive, and unregulated. Privacy principles require that data transfers to third partis and even affiliated group companies be secured by way of specific modalities such as data protection agreements (‘DPA’), record keeping etc.
Along with transferring, the data collected is also hosted on a cloud. EdTech platforms, rely on these cloud servers and cloud data centers, for storage. Such storing of personal data on cloud raises alarms of privacy. Upon any data security incidents in the data base of cloud service providers, the personal data of the users of the EdTech platform, suffer the consequences. Well established, data sharing procedures and mechanisms provide the company, with safeguards to secure the data collected, stored or transferred to avoid any data breaches which may harm the data subject.
Handling Children’s Data- Global Perspective
As highlighted, ed-tech sector deals with personal data belonging to teachers, children and young adults, and often their parents. Privacy legislations prescribe special provisions when handling personal data of these subjects.
EU: According to Recital 38 of the EU-General Data Protection Regulations (GDPR), Children require special protection with regard to their personal data, as they are less aware of the risks, consequences and safeguards regulating the processing of personal data.
USA: The United States of America protects privacy of children below the age of 13 through the Children’s Online Privacy Protection Act (COPPA). COPPA applies to any websites or online services who are either directed at children under the age of 13 years old, or who have actual knowledge that they are collecting personal information online from kids under 13 years of age.
India: In India data privacy is governed by Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The rules do not provide any specific provisions for protection of children’s data. However, the pending Personal Data Protection bill, provides for verification of age by the data fiduciaries and obtain consent from the legal guardian of the child.
EdTech platforms thus, must ensure, that their platforms are designed keeping in mind the privacy issues which may arise from their functioning and operations. A dedicated data privacy strategy and compliance program will help these platforms to cater data privacy and protection requirements with ease and help the to meet their larger responsibility of ensuring privacy and security in their platform.
Published here: Data Privacy in Ed-Tech Companies (devdiscourse.com)
Disclaimer: This article is the copyright of Reina Consulting LLP. It is not intended to be a form of solicitation or advertising. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is viewed or that it will continue to be accurate thereafter. No person should act on such information without appropriate professional advice based on the circumstances of a particular situation. This information is not to be considered as legal advice or opinion and the firm shall not be liable for any action taken by the user, directly or indirectly, on the basis of such material.