Victorian primary schools neglect privacy in software choices

Victorian government primary schools are overlooking privacy considerations when selecting classroom apps not covered by central licensing arrangements, the state’s privacy watchdog has found.

The Office of the Victorian Information Commission (OVIC) this week released its examination [pdf] into the use of app and web-based learning tools in schools, focusing on four primary schools.

The report, which sought to uncover potential privacy risks, found the majority of the schools assessed were unaware of the need to perform privacy impact assessments (PIAs) for software.

While the Department of Education and Training (DET) completes PIAs for apps provided through a central ‘DET licence’ such as G Suite for Education, schools are free to use other apps.

Schools that choose apps for which there is no central licence are required to complete their own PIAs using a template and examples provided by the department.

Some of the apps not covered by the DET licence include Seesaw, a digital tool that allows students and teachers to share work with parents, and Compass, which is used to record attendance.

But OVIC said three of the four schools assessed “were not aware it was a requirement to complete a PIA for all apps and web-based learning tools implemented by the school”.

“OVIC asked the schools if they were aware of any direction from DET to complete PIAs for all apps … the schools choose to implement,” the report states.

“One of the four schools who OVIC met with said they were aware of this requirement from DET, and said they knew how to complete a PIA if required.

“Three of the four schools informed OVIC that they had a basic understanding of PIAs and why they were performed, however did not know where to locate the template PIA form or how to complete it.”

Schools are also “rarely” sending parents information notices and opt-out forms for all apps, in part due to the lack of PIAs, which are used to develop the materials.

Three of the four schools were “not aware that DET expected them to do so for all apps and web-based learning tools that collected personal information”.

OVIC said that all the schools confessed to being more “focused on curriculum and budgeting requirements” than privacy considerations when selecting apps for the classroom.

It noted that approximately 90 percent of apps or web-based learning tools used by the four schools were free.

“Consideration is given mostly to the cost of the app and how it will fit in with teaching in each classroom,” the report states.

“School personnel said that some high-level privacy issues were considered (such as what information each student would be inputting into the app … when setting up a profile), but that teachers and principles were not delving much deeper into privacy consideration.”

By focusing mainly on the financial aspect and selecting free or ‘lite versions of apps, schools “may not properly consider risks associated with information being collected to be on-sold or used for targeted marketing”, OVIC said.

“In light of the issues identified in the examination, we consider that schools are at risk of branching the IPPs [state information privacy principles] when using apps ... that handle student personal information,” it concluded.

The watchdog acknowledged, however, that “it may not be feasible for schools to assess these risks themselves for the wide variety of apps and tools that they use”.

“As such, DET may wish to consider providing schools with additional specific information, support, and training on the topic of free apps and web-based learning tools,” OVIC suggested.

“The guidance that DET provides to schools at present is of high quality but could be better communicated to schools and expanded to cover a wider variety of apps and web‐based learning tools."

In response, the department said it planned to "review its current support model and investigate ways to streamline its approach and strengthen guidance".

DET has also recently updated the PIA template used by schools, bolstered its privacy team and allocated additional resources to better respond to privacy enquiries.