When we share data with services we do so with a clear view of the benefits. Sharing requests with Alexa or Google Home makes life more convenient for example. Using Google Maps on my phone and sharing location information helps Google make their traffic reports and advice more accurate and timely. Using a fitness tracker and sharing data in relation to my heart rate, distance traveled and route allows the service to provide me detailed tracking information plus allows me to share my progress via social media as well as allowing me to compare my progress with that of other people. The issue however is that, as with most things, for all the positives there are also risks or downsides.
To help illustrate the potential flip side and to get students to at least consider the implications of sharing personal data I use the below video showing the Google perspective of what they do followed by a more cynical Microsoft perspective on what Google do.
This perfectly illustrates that Googles objectives may not be as altruistic as it at first appears. They are after all a company with shareholders and a need to turn a profit.
For me the issue is simply that we share a massive amount of data about ourselves, about our lives, our habits, our families and the people we interact with. We share based on the clear and obvious benefits of doing so however we often do not consider the risks that this might pose, the risks which are not at first evident.
As we continue to share more data we need to at least start of consider the potential implications this may have further down the line.
The new GDPR regulations coming into force in May 2018 mean that the potential fines associated with data breaches or other leaks will be greater than those that exist under the current data protection act.
The new regulations also finally make third party vendors liable where their action or inaction result in the release or leak of data which they are processing on your behalf. This seems like a good thing in that if you use a third party and through no error of your own their use leads to the leak of data, they will be held responsible.
The issue here though is that the above is only part of the story. Although the third party vendor may be responsible for the breach it would have been your responsibility to confirm their compliance with GDPR and their security and other measures in relation to data prior to commissioning them to handle your data. Even although the breach or leak may have been due to the action or inaction of a third party you are going to have to prove that you showed due diligence in checking out the third party and its operations prior to signing them up to process, store or otherwise use your data. If you didn’t then you too may be found to be liable and therefore receive what could be a significant fine.
As schools a large number of third party sites are used in the delivery of the educational experience we provide the students under our care. This might be specific maths or science websites with sample questions or learning materials, or it might be more generic services such as Showbie or G-suite. In each case you will be providing personal info on your students, with some sites requiring more data than others. In each case you will need to prove that you undertake at least a basic review of the provision offered in relation to data safety and security by each site or service.
With this in mind the key questions I see the need to ask a third party are:
- Do you share my data or allow others to access my data? If so, with who and why?
- What security do you have in place (physical and logical) to protect my data?
- What disaster recovery and backup process do you have in place?
- How long do you retain data and what happens to data should I quit your service?
- Do I have the right to audit or request the audit of your data security provision?
As we approach the May implementation date for GDPR we need to ensure we have a better handle of where school data, that of students, staff, parents, visitors and other stakeholders, is stored. Part of this will involve identifying all third party vendors and asking them regarding their preparedness for GDPR.
Being a citizen in a digital world means using an increasing number of services in our daily lives. Online banking, passport applications, email accounts, twitter and other social media accounts, an account for google so we can store our favourite locations in Google Maps and backup our phones app data, accounts for our fitness tracker and for amazon. The above represent a small number of the services which we may be using. Our students may be using even more services including music and video streaming services, Instagram, Snapchat and a multitude of other services which I doubt I could identify or name. And as our use of technology increases we enroll in ever more services including services relating to our home assistant and our home control systems among others that are yet to be invented.
But who has our data and does it really matter?
In thinking about this I remember back to a student I met in the late 90’s. Using some basic information about me, his teacher or lecturer as I was then, he was able to tell me where my home address was and basic information about my immediate family. He was even able to provide a basic route map from the college where I worked back to my family home all based on a couple of basic facts and a couple of online web services. This immediately took me into a lesson on the risk associated with the internet and also on ethics relating to publicizing of data and also deciding on how it should be used.
That was almost 20 years ago, when the amount of data which was on the internet about individuals was significant less than it is now. When our ability to search through, sort and sift through data was less than it is now.
So if that was possible 20 years ago what might be possible now and also what might be possible in the near future?
Should we sign up and provide ever more data to online services or do we need to stop and take stock of who has our data and the why?