The Manila Bulletin Business Section publishes in full the National Privacy Commission Bulletin No. 16 to guide students, parents, guardians, teachers and schools in safeguarding sensitive personal information of pupils as they return to school via online learning.
NPC Bulletin No. 16
Privacy Dos and Don’ts of Online Learning for K-12 and college students, parents, guardians, teachers and schools
As all school levels are now open with the start of public K-12 classes nationwide, students, parents, guardians, teachers, and schools would do well to heed guidelines on online learning that list dos and don’ts aimed at safeguarding sensitive personal information of pupils.
Issued by the National Privacy Commission (NPC), with pointers from Advisory No. 2020-1 of the Data Privacy (DP) Council for the education sector, the guidelines cover areas, such as online decorum, learning management systems, online productivity platforms, social media, storage of personal data, webcams and recording videos of discussions, and proctoring.
Listed are the dos and don’ts for online learning in K-12 and college classes:
•Creating strong passwords when signing up on e-learning platforms. Passwords should be at least 12 characters containing upper-and lower-case letters, numbers, and, if possible,symbols.
•Staying alert during online classes, especially when sharing videos, photos, andfiles.
•Using customized backgrounds to avoid accidental disclosure of personal information.
•Installing and regularly updating an anti-virus program.
•Muting the microphone and turning off the camera by default, especially when not speaking or reciting. Subject to applicable school guidelines on keeping cameras open for the proper conduct of synchronous online classes, where necessary and reasonable, and always with due consideration of privacy principles.
•Turning off the microphone and camera when leaving one’s station for, say, bathroom breaks.
•Connecting phones, laptops, and other gadgets to free or public Wi-Fi networks. (In unavoidable circumstances,ensure that the public network has a password and is not accessible to everyone.)
•Sharing submissions for an unlimited time. (When the content no longer needs to be shared, delete it.)
•Sending assignments, projects and other requirements to teachers via social media.
•Taking screenshots of the video feed of teachers and classmates.
•Spamming the chat.
•Giving out online links and their passwords to people who should not be in the class.
For parents or legal guardians
•Helping the child or ward check and customize privacy settings of the device or application for online learning.
•Teaching them basic online security (e.g. enabling two-factor authentication and avoiding sharing homework, passwords, and other personal information even with friends).
•Ensuring that your consent is obtained for the recording of classes. Consider being present during these sessions, especially if the student is a minor.
•Leaving the child, especially minors,unsupervised (before he or she is briefed on the dos and don’ts) during the conduct of online learning.
Teachers must always consider the privacy, equity, and peculiarity among students when conducting online classes:
Students might feel uncomfortable displaying their living space to their peers. Family members might not want their image or video to be captured.
Students might also take a screenshot of their classmate’s video feed,which is prone to cyberbullying and privacy issues.
Not all students have reliable internet access. Some might have low bandwidth, cannot afford to stream videos, or have limited access to digital devices.
Some students might feel shy or anxious on camera, affecting their performance in class.
•Making webcam use optional in online classes whenever possible.
•Recording online classes as long as it has legitimate uses (e.g. review the lecture presentations and viewing by students who are unable to attend).
•Considering the principles of legitimate interest and proportionality during online proctoring, in which a
student’s test duration is monitored using a webcam, microphone, or accessing the student’s screen. Weigh the interests of the students against those of the educational institutions to determine the appropriate balance.
•Obtaining the explicit consent of the student (or parent/legal guardian for minors) before the conduct of online proctoring.
•Posting announcements that involve personal data, such as grades and results of assignments. For example, exam results should be given on an individual basis and not released enmasse.
•Allowing students to submit projects and assignments via social media platforms.
•Storing personal data collected as part of the class in a personal account or device.
•Removing students from the class or forcing them to turn their cameras on.
•Adopting a particular learning management system (LMS) or online productivity platforms (OPP) where all activities pertaining to online learning should be conducted.
•Ensuring that the LMS or OPP has adequate data protection features.
•Guaranteeing that the purposes for which personal data are being collected, processed, and used are legitimate, suited to the context, and authorized bylaw.
•Minimizing the amount of personal data to be processed.
•Informing students before collection about the personal data to be processed and the reasons using timely, age-appropriate, clear, and concise language.
•Allowing individuals, as far as possible, to use the e-learning platform with de-identified data, enabling them to use the platforms anonymously or with unlinkable pseudonyms.
•Avoiding, as far as possible, the use of personal data per se, and particularly data on learning behavior,for predictive purposes,profiling, or automated decision-making.
•Embedding and employing tools that enable individuals to control their personal data and effectively exercise their privacy rights.
•Exercising caution when integrating apps, supporting tools and other services with an LMS or OPP, as these other services may come with vulnerabilities.
•Being familiar and up to date with all privacy-related trends.This will be helpful in crafting data policies that meet the level of protection students need.
•Referring to NPC resources to ensure proper protection of students’ personal data.
•Forming a data breach response team responsible for creating and implementing an incident-response procedure.
•Establishing policies and implementing them effectively to prevent or minimize breaches and to ensure timely discovery of a security breach.
•Conducting and investing in security audits and tests, such as privacy-impact assessment source-code audit, vulnerability assessment and penetration testing.
•Ensuring that best application coding practices are used in their system development, be it outsourced or in-house.
•Strengthening systems against prominent web attacks.
A well-structured system, including both the front-end and back-end, ensures the protection of data against common web attacks.
oThe vulnerabilities found in the conduct of audits and tests must be fixed first before the system is used further.
OIt is important to secure the communication between a user’s browser and the school website site to add another layer of protection to the system.
•Updating systems and their components.
The security and privacy vulnerabilities yesterday may not be the same today.
O Making a conscious effort to continuously improve or update systems and implement best practices in configuring or hardening them (e.g., database encryption at rest, encryption in transit, network access controls, data access controls and audit logs).
oInstalling a web application firewall to deter distributed denial of service attacks.
When conducting regular maintenance like a system update, upgrade or configuration, run a full backup of the school website. A full backup must follow the system documentation consistently and obtain a clearance from an accountable officer in the school, such as the Data Protection Officer.
Online backups are also a convenient way to ensure an accessible copy of the website when the need arises.
The “3-2-1” strategy can be used:
o3 total copies of the data
o2 copies are local but on different mediums
o1 copy is offsite, which may be geographically separated or in an online cloud computing platform
•Migrating to the cloud is an option.
Use of cloud computing services reduces capital expenses like housing and maintaining the school’s data centers with servers, storages and other ICT active components.
In addition, the cloud eliminates the tedious task of upholding the security of the school infrastructure. The cloud service provider does that for the school.
However, keep in mind that proper security and routine maintenance of the web application that runs in the cloud is the school’s full responsibility.
•Keeping personal data longer than their intended purpose. (Set retention periods and employ mechanisms for frequent purging of messages or interactions between teachers, students and parents.)