It's not a sexy topic, but data privacy is becoming more prominent in what the industry is referring to as “tech lash” – a backlash against omnipotent tech companies, such as Google or Facebook, doing whatever they like. This article is a reminder that, regardless of your personal thoughts, many of us have professional responsibilities when handling data every day.
Who cares?
Have you ever read the data privacy agreement of a web service you signed up to? I am guessing that the answer is either “no” or “I skimmed one once”.
Well, as an individual that is of course your prerogative, and I am guilty of the same, even though I should know better. However, as an employee you have a professional responsibility to read these agreements when a service is used for work and to make an informed, conscious decision, especially when handling other people's personal information through that web service.
Isn’t this taken care of by the vendors?
I want to keep this quite light, so I am not going to dive into all the legal details of GDPR. However, you might assume all companies have everything covered and that you have no need to check. You would be wrong, and the law could come down hard on you if you are negligent.
There are many traditional things in this world considered valuable, such as gold, oil and water; however, the world's newest commodity of high value is information. You can of course argue that information has always been valuable, and I would agree, but in this digital age the volume of data, and the ease of gathering and processing it to turn it into useful information, is staggering.
All successful commercial companies understand this value and will try to use it to their advantage (as is the process of business) – this doesn’t make them evil or unscrupulous, it just means they will do things with your data that make their business more profitable if you allow them to.
This has been happening for a long time and really nobody cared, but with recent media coverage of things like the Cambridge Analytica scandal and the launch of GDPR regulations in Europe, people are paying more attention to their digital privacy and the permanent digital footprint they create.
Example for teachers
My field is education technology, so as an example I looked at 3 very popular educational web tools used in most schools. Teachers sign up to free usage of these tools every day. Each of them had information on their website regarding data privacy; here is a summary of my findings:
Companies 1 & 2
- Easily accessible links to privacy documentation, prominent on the main website menu.
- Detailed privacy centre site showing policy alignment for major regulators, FAQs, statement of privacy including “no transfer of information” and solid retention timings.
- Resources to ensure schools uphold the same level of protection for students and parents (consent forms, process documents etc.).
Company 3
- Link in the page footer, in a tiny font, to the privacy page for the overarching company.
- Some information regarding general usage of information, plus another small link embedded in paragraph text to a page detailing how information is used. Once you drill down to here it's quite surprising: it turns out they will routinely share your information with other companies in their group, third parties who process your data on their behalf, learned societies who publish journals, and third parties who are co-promoters of competitions.
- Data retention was sketchy: “This includes keeping a record indefinitely so that we can respect your request in future”.
- No resources or advice for implementation in your school.
In summary, I was very impressed with the first 2. They had similar setups, with a wealth of easily accessible information and support, and gave very clear advice that your data would not be passed outside of their company and on how you should obtain consent to use data in school. However, the third site left me with many unanswered questions and no helpful advice. For example, there was no list of the third parties they may send my data to, so how do I know how these companies will treat my information?
Make sure you cover yourself
So, to bring this back round to where we started, I have shown that although you might not personally care about your data privacy, data protection law (GDPR, PDPA, PIPA, CAC etc. – depending on your country) will hold you responsible for how you handle other people's personal information.
Therefore, if you upload a class list of student names (with good intentions to use a fab tool for learning) and agree to a data privacy agreement without reading it and conveying the details to the students or parents (depending on age) to gain their consent, you are putting yourself and your organisation firmly in the cross-hairs for a fine or worse.