The Manila Bulletin Business Section publishes in full the National Privacy Commission Bulletin No. 16 to guide students, parents, guardians, teachers and schools in safeguarding sensitive personal information of pupils as they return to school via online learning.
NPC Bulletin No. 16
Privacy Dos and Don’ts for Online Learning in Public K-12 Classes
As public K-12 classes nationwide are set to open in October, students, parents, guardians, teachers and schools would do well to heed guidelines on online learning that list dos and don’ts aimed at safeguarding sensitive personal information of pupils.
Issued by the National Privacy Commission (NPC), taking inputs from the Data Privacy (DP) Council for the education sector,guidelines cover areas, such as online decorum, learning management systems, online productivity platforms, social media, storage of personal data, webcams and recording videos of discussions, and proctoring.
Listed are the dos and don’ts for online learning in K-12 classes:
• Creating strong passwords when signing up on e-learning platforms. Passwords should be at least 12 characters containingupper-and lower-case letters, numbers,and, if possible, symbols.
•Staying alert during online classes, especially when sharing videos, photos,and files.
•Using customized backgrounds to avoid accidentaldisclosure of personal information.
•Installing and regularly updating an anti-virus program.
•Muting the microphone and turning off the camera by default, especially when not speaking or reciting.
•Turning off the microphone and camera when leaving one’s station for, say, bathroom breaks.
•Connecting phones, laptops, and other gadgets to free or public Wi-Fi networks. (In unavoidable circumstances, ensure that the public network has a password and is not accessible to everyone.)
•Sharing submissions for an unlimited time. (When the content no longer needs to be shared, delete it.)
•Sending assignments, projects and other requirements to teachers via social media.
•Taking screenshots of the video feed of teachers and classmates.
•Spamming the chat.
•Giving out online links and their passwords to people who should not be in the class.
Forparents or legal guardians
•Helping the child or ward check and customize privacy settings of the device or application for online learning.
•Teaching them basic online security(e.g.enabling two-factor authentication and avoiding sharing homework, passwords, and other personal information even with friends).
•Ensuring that your consent is obtained for the recording of classes. Consider being present during these sessions, especially if the student is a minor.
•Leaving the child, especially minors, unsupervised during the conduct of online learning.
Teachers must always consider the privacy, equity, & peculiarity among students when conducting online classes:
Students might feel uncomfortable displaying their living space to their peers. Family members might not want their image or video to be captured.
Students might also take a screenshot of their classmate’s video feed, which is prone to cyberbullying and privacy issues.
Not all students have reliable internet access. Some might have low bandwidth, cannot afford to stream videos, or have limited access to digital devices.
Some students might feel shy or anxious on camera, affecting their performance in class.
•Making webcam use optional in online classes.
•Recording online classes as long as it has legitimate uses (e.g. review the lecture presentations and viewing by students who are unable to attend).
•Considering the principles of legitimate interest and proportionality duringonline proctoring, in which a student’s test duration is monitored using a webcam, microphone, or accessing the student’s screen. Weigh the interests of the students against thoseof the educational institutions to determine the appropriate balance.
•Obtaining the explicit consent of the student (or parent/legal guardian for minors) before the conduct of online proctoring.
•Letting students decide whether they would turn on the cameras of their devices. They should be permitted to use virtual backgrounds and fun filters.
•Asking questions regularly to assess students’ understanding. Allow them to respond through audio or the videoconferencing app’s chat and features, such as pollsand nonverbal actions (e.g. thumbs up), instead of requiring them to turn on their cameras.
•Posting announcements that involve personal data, such as grades and results of assignments. For example, exam results should be given on an individual basis and not released en masse.
•Allowing students to submit projects and assignments via social media platforms.
•Storing personal data collected as part of the class in a personal account or device.
•Correlating student’s use and eye contact with participation, grading and attendance (e.g. giving students plus points if their cameras are on).
•Removing students from the class or forcing them to turn their cameras on.
•Adopting a particular learning management system (LMS) or online productivityplatforms (OPP) where all activities pertaining to online learning should be conducted.
•Ensuring that the LMS or OPP has adequate data protection features.•Informing students before collection about the personal data to be processed and the reasons using timely, age-appropriate, clear and concise language.
•Exercising caution when integrating apps, supporting tools and other services with an LMS or OPP, as these other services may come with vulnerabilities.
•Being familiar and up to date with all privacy-related trends. This will be of help in crafting data policies that meet the level of protection students need.
•Referring to NPC resources to ensure proper protection of students’ personal data.
•Forming a data breach response team responsible for creating and implementing an incident-response procedure.
•Establishing policies and implementing them effectively to prevent or minimize breaches and to ensure timely discovery of a security breach.
•Conducting and investing in security audits and tests, such as privacy-impact assessment source-code audit, vulnerability assessment and penetration testing.
•Strengthening systems against prominent web attacks.
A well-structured system, including both the front-end and back-end, ensures the protection of data against common web attacks.
oThe vulnerabilities found in the conduct of audits and tests must be fixed first before the system is used further.
oIt is important to secure the communication between a user’s browser and the school website site to add another layer of protection to the system.
•Updating systems and their components.
The security and privacy vulnerabilities yesterday may not be the same today.
oMake a conscious effort to continuously improve or update systems and implement best practices in configuring or hardening them (e.g., database encryption at rest, encryption in transit,network access controls, data access controls and audit logs).
oInstall a web application firewall to deter distributed denial of service attacks.
•Backing up data.
When conducting regular maintenance like a system update, upgrade or configuration, run a full backup of the school website.
A full backup must follow the system documentation consistently and obtain a clearance from an accountable officer in the school, such as the Data Protection Officer.
Online backups are also a convenientway to ensure an accessible copy of the website when the need arises. The “3-2-1” strategy can be used:
o3 total copies of the data
o2 copies are local but on different mediums
o1 copy is offsite, which may be geographically separated or in an online cloud computing platform
•Migrating to the cloud is an option.
Use of cloud computing services reduces capital expenses like housing and maintaining the school’s data centers with servers, storages and other ICT active components.
In addition, the cloud eliminates the tedious task of upholding the security of the school infrastructure. The cloud service provider does that for the school.
However, keep in mind that proper security and routine maintenance of the web application that runs in the cloud is the school’s full responsibility.
•Keeping personal data longer than their intended purpose. (Set retention periods and employ mechanisms for frequent purging ofmessages or interactions between teachers, students and parents.)