WA teachers access student email with tweaked Office 365

Privacy advocates have raised concerns about functionality built into West Australian school student email accounts which offers some education staff unsupervised access to stored messages.

The so-called ‘duty of care’ feature was built into WA schools' Microsoft Office for Education cloud email service in late 2013, according to the WA Department of Education’s recently released annual report.

The bespoke functionality, built by Dimension Data, allows teachers to access the mailboxes of any of the state’s 265,000 public school students using the Microsoft accounts, in an effort to allay safety concerns and keep tabs on misuse.

A spokesperson for the department told iTnews that state policy obliges teachers to request access and read a student’s messages “if they have evidence of, or reasonable grounds for suspicion of, inappropriate use of the service”.

But privacy advocates have raised concerns about a lack of independent oversight of the practice.

The department confirmed that the state's 770 public school principals were responsible for granting access privileges to the mailboxes.

“Schools have their own policies about access to student emails,” a spokesperson said.

“By default only one administrator role in each school has access; after that it is a local school decision to further delegate access.”

President of the Australian Council for State School Organisations, Peter Garrigan, has been a vocal advocate for protecting cloud-based student email accounts from “data mining” by service providers.

He said he felt uneasy about WA’s approach to the privacy of young people in its care.

“I would like to see responsibility for signing off on access taken much further up the tree than the school principal, and for access events to be recorded and made accessible to independent scrutiny,” he told iTnews.

At present, cases of data access are only logged centrally by default when they involve a member of school staff other than the appointed administrator.

Some schools have employed additional tracking, the department spokeswoman said, but she could not provide any data on how many times the ‘duty of care’ privileges have been used since technology was switched on, saying the figures are “not readily available”.

She also said students and their parents are made aware that emails might be accessed when they agree to terms of use.

“The student email service is provided by the department for the sole purpose of facilitating students’ learning. Students are made aware of the purpose and the likely monitoring of the system by both teachers and ICT staff," the WA Education spokeswoman said.

“The department has not been given any cause for concern about potential abuses or risks to student privacy due to the system of email monitoring."

But privacy advocate and consultant Steve Wilson said wall-of-text terms of use agreements are “a famously bad way of managing privacy”.

“I don’t think anyone with a genuine interest in protecting personal privacy would hold any faith in them.”

Wilson warned that the sort of unfettered access WA schools appeared to have been given risked undermining the relationship of trust between a student and teacher – a concern Garrigan echoed.

“There is a need for young people to feel safe using these communications tools,” Garrigan said.

“Principals and teachers should go to the appropriate authorities if they have a concern about a child. I am uneasy about WA building mechanisms into the email that simply make it easier to achieve this access.”

Western Australia remains the only Australian state or territory government without its own legislative privacy regime governing public sector data stores. Its Freedom of Information Act contains a handful of confidentiality provisions.

The office of the Australian Privacy Commissioner Timothy Pilgrim declined to comment on the WA Education policy.