Privacy in Education

Welcome

Welcome to
'Privacy in Education'

How will the GDPR affect your work as an educator?

Questions?

If you have any questions about this course, please contact us at info@cybersaveyourself.nl.

Purpose and overview

The General Data Protection Regulation (GDPR) entered into force on 25 May 2018 and is the same across all EU member states. It has replaced and superseded the Personal Data Protection Act (PDPA) as of that date. The Dutch name of the GDPR is Algemene Verordening Gegevensbescherming (AVG).

 

What will change?

The GDPR will, among other things:

  • strengthen and expand privacy rights;
  • expand the scope of responsibilities for organisations;
  • provide the same robust powers for all European privacy regulators, such as the power to impose fines of up to € 20 million.

The GDPR also has significant consequences for the work of educators. This online module will help you learn about the changes the GDPR will bring but also the opportunities it offers.

Purpose

The purpose of this module is threefold:

  • you will learn what the GDPR is all about;
  • you will learn the specific aspects of the GDPR that are relevant to you as an educator;
  • you will learn the steps you need to take to comply with the GDPR.

Target audience

This module has been developed for educators who are associated with a university or a university of applied sciences.

Summary

This online module consists of three sections:

  • They involve three education-related cases, each accompanied by a short quiz to test your current knowledge of the GDPR.
  • You will learn about various aspects of the GDPR, such as Privacy by Design and the six rules of thumb.
  • Using three scenarios, you will learn about the criteria that determine an important part of the measures to be taken within a given situation.

Duration

The entire module takes about 45 minutes to complete.

Three cases

What is your current knowledge of the GDPR? How well can you determine what technical and organisational measures need to be taken within the context of a given situation? To test yourself, we offer you three introductory cases. Please read the cases carefully before trying to answer the questions.

 

Go directly to:

Case : Student directory: what to do you do if you lose a hard copy?

Case : Live streaming: are students allowed to post your lecture on social media?

Case : Exam results: sharing the results directly via Whatsapp is practical, but is it permitted?

Case 1: Student directory

Every year, a completely new group of students. How will you remember the names of each and every person? A 'student directory' is still a common method used for this purpose. Just print out the names and photos of the students and, voilà, you will always have everyone 'at hand'.

 

What is the situation?

In this case, an educator has created a student directory. Not only has he included the names of the students, but he has also penned some notes about each student, e.g. study results, specific details and interests. The educator hopes that this information will help him get to know the students faster and better.

What happened?

The educator loses the student directory while travelling on public transport. Because he had written his name and email address on the first page, he was fortunate enough to have it returned to him by an alert finder later that week. As the student directory was only 'lost’ for a relatively short period of time, he decides not to report the incident internally or to inform the students about it.

What does the GDPR say about this?

See if you can answer the questions below. This will show you how much you already know about the GDPR:

After completing the exercise, click the arrow at the bottom right to go to the next page.

Case 2: Live streaming

Why attend lectures when you can also watch everything online? More and more universities and universities of applied sciences are using video solutions to make lectures available online. Usually, there are also some students who will record lectures and post them online.

 

What is the situation?

One of the students streams a 'live' lecture for a roommate who is unable to attend. The student has propped his mobile phone on a small tripod to ensure stable footage. The student shares the lecture with all his followers, including his roommate, on Instagram. The educator has no idea that the student is recording the lecture.

What happened?

After class, one of the other students informs the educator that his lecture has been posted on Instagram. The educator is not happy about this and says as much to the student. The student asserts that he has the right to record the educator, since the university always posts the lectures online during the following week.

The educator says that while he has indeed given the university permission to post his lectures online, he has not given the student permission to do so on social media.

What does the GDPR say about this?

See if you can answer the questions below. This will show you how much you already know about the GDPR:

After completing the exercise, click the arrow at the bottom right to go to the next page.

Case 3: Exam results

Not too long ago, printed exam results were put up on the bulletin board in the central hall. Today, however, this process is carried out digitally in almost every educational organisation, allowing students to see their results in an app.

 

What is the situation?

One of the educators has difficulty working with the internal system that stores study results and makes them available to students. He always manages it in the end, but students are impatient and want to see their results right away. For that reason, the educator always shares the results directly in the Whatsapp group, informing everyone as soon as they become available.

What happened?

Inadvertently, the educator shares the results in the wrong Whatsapp group. It takes a while before someone in the group mentions this. The educator deletes the message and shares it in the right group. This way, the students also see each other's results and usually save an image of the results on their phone.

What does the GDPR say about this?

See if you can answer the questions below. This will show you how much you already know about the GDPR:

After completing the exercise, click the arrow at the bottom right to go to the next page.

Privacy in education

The GDPR

The GDPR applies to personal data. Therefore, the first question to ask is always: for what activity (activities) in your courses do you process personal data? The GDPR only applies to these activities. Watch the GDPR video below before reading the key points for a correct implementation of the GDPR in your courses.

 

Familiarise yourself with the GDPR, and follow this link for the complete text of this regulation. No time to read all 88 pages? The five key points of the GDPR that every educator needs to know are:

 

WORK SAFELY


There are various (often simple) measures you can take to maximise student privacy in your courses. An overview of these measures is available on the 'Quick wins' page.

 

LEGAL BASIS


A legal basis, such as consent or a legitimate interest, must exist in order for personal data to be processed. You can view the six possible legal bases in this figure.

 

PRIVACY BY DESIGN & PRIVACY BY DEFAULT


Build maximum privacy and data protection safeguards into your course plan from the earliest stages of development. This is referred to as Privacy by Design. And where possible, set all default settings in apps or other software, for example, to the most privacy-friendly option. This is referred to as Privacy by Default.

 

COMPLY WITH THE PRIVACY PRINCIPLES


Comply with the six privacy principles, such as 'data minimisation' and 'transparency’, when processing personal data before, during and after the course. You can view the six privacy principles in this figure.

 

EXTERNAL APPLICATIONS ARE YOUR RESPONSIBILITY


As long as you are working within the internal systems provided by the organisation, you are fine. The organisation is responsible for these systems and, as an educator, you can rest assured that the organisation has good agreements in place with its suppliers. You will be held accountable if you share the personal data of students or employees outside these systems. So, think carefully about which system you are working in.

Would you like to know more?

In this module, we will discuss in more detail what you, as an educator, must (and should) do under the GDPR. If you would like to learn more about the GDPR, we recommend you visit hulpbijprivacy.nl . This is the website of the Dutch Data Protection Authority and it provides clear general information about the GDPR.

This SURF website also provides a Wiki containing helpful information about, and interpretation of, the regulation, plus a comparison with the Personal Data Protection Act.

Six rules of thumb

The GDPR is based on six principles, also referred to as the rules of thumb. It is important for educators to keep these rules of thumb in mind in every phase of the course. Applying these rules of thumb consistently reduces the risk of errors in handling personal data.

 

A brief explanation

Below, you will find the six rules of thumb, each with an associated question. If during the course the answer to one of these questions is 'no’, you will need adjust your course. For instance, by informing students more clearly ('Transparency'), destroying the personal data ('Retention period') or asking for a 'nickname' instead of their real name in a certain app (‘Data minimisation').

Read the six rules of thumb before trying to answer the questions below:

Privacy by Design & Default

Privacy by Design and Privacy by Default. The two key starting points for the proper handling of personal data. In short, the terms mean that you are building data protection safeguards into the design of your course from the earliest stage of development and setting by default the settings of products and services to the most privacy-friendly option.

Watch the video below before trying to complete the exercise:

 

Privacy by Default

Like Privacy by Design, Privacy by Default is really a mindset. Every time you use a new product or service or adjust an existing service or product, ask yourself: how can I minimise the sharing of personal data through this service or product?

Setting the service or product settings to the most privacy-friendly option enables you to approach your work with a privacy-by-default mindset. Examples of this include:

  • Choose, if possible, digital applications in which students do not have to create a new account, but can be identified by a number or nickname of their own choosing.
  • Where possible, store student data only within digital applications that have been made available by the educational institution.
  • When using a new digital application, disable all unnecessary tracking systems (e.g. location, IP address, device type, etc.) where possible.

'Privacy by Design'

Every course is different, so the exact measures to be taken for every step in your course to safeguard student and employee privacy may also differ. Therefore, Privacy by Design mainly involves cultivating a mindset of focusing on privacy throughout your course.

Below, you will find a fictional series of lessons divided into six steps. Try to discover the technical and organisational measures that you could take with every step.

Quick wins

In the three cases, you see that each situation requires specific measures to ensure proper handling of personal data. However, there are also a number of general quick wins: simple adjustments to your learning activities that ensure a great deal of added security. This page contains a brief overview.

 

What can you do now?

Below, you will find seven relatively simple actions that significantly reduce the risk of data breaches. We advise each educator to implement them where possible.

 

Privacy filter: a special type of foil that can be used on any laptop or desktop screen. It reduces the viewing angle, safeguarding data from prying eyes, which is useful, especially if you travel extensively for work. Search for 'privacy filter laptop' to find a suitable type.

 

Webcam cover: prevents unauthorised viewing from your webcam. A webcam cover is a 'small lock’ that is easy to install and can cover the webcam completely, if desired, making unauthorised viewing a thing of the past. search for 'webcam cover' to find a suitable type.

 

Encryption of the hard drive: encryption protects the data on the drive from unauthorised access, as the drive can be easily removed from your laptop and be effortlessly read by a PC. BitLocker Drive Encryption is a good option for Windows, and FileVault will get the job done on Macs.

 

Terms of service (ToS) reader: many online services have included provisions in their ToS as to what they can do with your data. There are add-ons available for your browser to facilitate assessment of these often lengthy ToS documents. These add-ons provide additional information about the risks you may encounter when using the service.

 

Anti-virus software: good anti-virus software and regular system updates are essential to prevent malicious attacks and unauthorised access to your computer or laptop. This software keeps your computer clean and secure.

 

Anti-tracking and anti-cookie software: web browser software that analyses cookies and provides information on what these cookies do and blocks harmful cookies. This software also checks whether a party is ‘tracking’ and collecting information about you, which it may pass on to third parties.

Ask yourself these questions

The GDPR is not a checklist that tells you exactly what you can and cannot do with personal data in any given situation. It is a set of guidelines that can lead to different measures in different contexts. In this chapter, we will offer you a number of questions per 'educator role', which will help you understand what you need to take into account within the GDPR guidelines.

 

Four roles

To give you the questions on the GDPR in a structured manner, we have divided the daily activities of educators into four roles. These four roles are:

Click ‘Next' again to see the most important questions per role that an educator has to ask about the handling of personal data.

Develop

Every educator develops his or her own course plan to a greater or lesser extent. This may be a PowerPoint presentation, or a complete series of lessons, assignment, activity or workgroup. Whenever personal data comes into play within the developed materials or activities, you must take appropriate measures. On this page, you will find the questions you need to ask in each case.

 

Course content

  • 1. Are you going to develop your own teaching materials or will you use teaching materials from a publisher?

If you are working with a publisher, make sure you have good privacy agreements in place. Your organisation must enter into a data processing agreement with the publisher. If you develop your own teaching materials, you are responsible for the proper handling of personal data.

  • 2. Where will you store the teaching materials you have developed and who has access to them?

Work from 'Privacy by design' and make sure that the data are securely stored in each phase.

Learning activities

  • 1. Can you offer a safe environment online and physically in terms of privacy at any given time?

Examine all steps in the series of lessons before determining how privacy can be ensured in each step. This applies to personal data storage, communication between you and the students and issues such as notes, results and monitoring.

Software

  • 1. Do you use software purchased by the organisation?

If so, a 'data processing agreement' is in place and privacy is guaranteed.

  • 2. Do you also want to use software that is not purchased by the organisation?

Determine whether this software meets the privacy guidelines of your organisation. And enter into a data processing agreement directly or via the organisation.

  • 3. What influence do you have on the privacy settings of the software to be used?

Always set all settings to the most 'privacy-friendly' option.

Teach

When the course plan has been developed, students will take the course. This may be done in a lecture hall or workgroup, but courses are increasingly provided online. Also during all face-to-face and online activities, you should think about the moments and the way in which your personal data, and that of students and colleagues, play a role in this regard. The questions on this page will guide you in determining this.

 

Course content

  • 1. Do you use external teaching materials, including software, for monitoring students?

If so, check whether this environment meets the privacy guidelines of your organisation.

Learning activities

  • 1. Can you guarantee a safe environment in every learning activity for yourself and the students?

Make sure, for example, that personal data (such as photos/film recordings, study results) are not shared outside the classroom. And for online learning activities, use software that meets the privacy guidelines of the organisation.

  • 2. Who has access to personal data during all the learning activities?

Determine whether this person or party has taken the appropriate measures to ensure privacy.

Software

  • 1. Do you use software purchased by the organisation in certain learning activities?

If so, a 'data processing agreement' is in place and privacy is guaranteed.

  • 2. Do you also want to use software that has not been purchased by the organisation?

If so, determine whether this software meets the privacy guidelines of your organisation. And enter into a processor’s agreement directly or via the organisation.

  • 3. What influence do you have on the privacy settings of the software to be used?

Always set all settings to the most 'privacy-friendly' option.

Assess

An important part of the course plan is student assessment. This can take the form of a final mark, a portfolio, interview or interim report. Every form of assessment you record involves sensitive personal data, which requires that both you and the student handle this with due care. The questions on this page will help you achieve that.

 

Results

  • 1. What 'results' will students receive during the series of lessons?

Not only a final mark, but also assignments, papers, essays and other products by students can be regarded as study results. All these results as a whole can say something about the student's progress and should therefore be stored in a secure way.

Publication

  • 1. In what way or ways are the different results published?

Publication does not only involve recording marks in the tracking system, but also the possible sharing of resulting via online platforms/apps, such as social media. Ensure that not only the final results, but also all intermediate results are only shared in safe environments.

Storage

  • 1. Where are the results stored?

Are the results stored using the software purchased by your organisation? If so, a 'data processing agreement' is in place and privacy is guaranteed. If you are using other software, consult internally as to whether results may be stored (and possibly published) in it.

  • 2. For how long will the results be stored?

Critically examine the necessity for storing certain results. Destroy them, if possible.

Coach

Most educators coach one or more students in one way or another. Coaching may be provided during a thesis or final paper, or during interviews or digital communication about general study progress. Students often share sensitive personal data during coaching. Not only about their progress, but also about more personal matters. Protecting their privacy is essential.

 

Reporting

  • 1. How and in which setting do you report on the coaching of students

Assess all forms of reporting for protection of privacy. Do you make notes in a notebook, which may get lost? Do you share reports over an unsecured server? Do you save your reports in a private mailbox? Etc. Make sure that all reports and notes on student coaching are stored in a secure environment.

Sharing

  • 1. Who has access to the reports or notes?

Chances are that not only you and the student, but also external parties, such as a student psychologist or student counsellor , have access to the notes or reports. Determine in advance how you and the others can share and jointly store the desired information in a secure manner.

Storage

  • 1. Where do you save the reports and notes?

Are they saved using the software purchased by your organisation? If so, a 'data processing agreement' is in place and privacy is guaranteed. Take additional measures if you make notes on paper, travel extensively for work (and others may be able to view the data while travelling) and share the notes or reports with several (external) parties.

Congratulations!

 

You have reached the end of this online module on Privacy in Education! We hope it has given you a clear idea about the various sections within the GDPR and what role the GDPR plays within your course plan.

 


If you have any questions or comments after having taken this online module, please do not hesitate to get in touch with the privacy expert within your organisation or Cybersave Yourself at info@cybersaveyourself.nl.

Other/Dutch modules


SURF also offers e-learning courses about privacy for various other target groups. On this page you will find an overview of all Dutch and English modules in the series.


Ook voor diverse andere doelgroepen biedt SURF een e-learning over privacy aan. Op deze pagina vind je een overzicht van alle Nederlands- en Engelstalige modules in de reeks.

English e-learning modules:

Privacy in Research
target group: English speaking researchers in research and education in The Netherlands
duration: approx. 45 minutes

Privacy in Research Light
target group: English speaking researchers in research and education in The Netherlands
duration: approx. 20 minutes

Privacy in Education
target group: English speaking teachers in research and education in The Netherlands
duration: approx. 45 minutes

 

Nederlandstalige e-learning modules:

Privacy in Onderzoek
doelgroep: onderzoekers in onderwijs en onderzoek in Nederland
duur: ca. 45 minuten

Privacy in Onderzoek Light
doelgroep: onderzoekers in onderwijs en onderzoek in Nederland
​duur: ca. 20 minuten

Privacy in Onderwijs
doelgroep: docenten in onderwijs en onderzoek in Nederland
duur: ca. 45 minuten

Privacy voor Onderwijsondersteuners
doelgroep: onderwijsondersteuners werkzaam op onderwijsinstellingen in Nederland
duur: ca. 30 minuten

  • Het arrangement Privacy in Education is gemaakt met Wikiwijs van Kennisnet. Wikiwijs is hét onderwijsplatform waar je leermiddelen zoekt, maakt en deelt.

    Auteur
    SURF Privacy Awareness
    Laatst gewijzigd
    2019-02-04 13:06:33
    Licentie

    Dit lesmateriaal is gepubliceerd onder de Creative Commons Naamsvermelding-GelijkDelen 4.0 Internationale licentie. Dit houdt in dat je onder de voorwaarde van naamsvermelding en publicatie onder dezelfde licentie vrij bent om:

    • het werk te delen - te kopiëren, te verspreiden en door te geven via elk medium of bestandsformaat
    • het werk te bewerken - te remixen, te veranderen en afgeleide werken te maken
    • voor alle doeleinden, inclusief commerciële doeleinden.

    Meer informatie over de CC Naamsvermelding-GelijkDelen 4.0 Internationale licentie.

    Deze online training is mede mogelijk gemaakt door:

    Erik van den Beld (Functionaris Gegevensbescherming / Docent, Saxion Hogeschool)

    John van de Pas (Hoofddocent /onderzoeker, Saxion Hogeschool)

    Roeland Reijers (Functionaris Gegevensbescherming, Universiteit van Amsterdam)

    Sander van Acht (Flooow, onderwijskundig concept)

    Maarten van der Schaal (Nieuwbericht, slidedesign)

     

    Foto-credits:

    Unsplash

    Aanvullende informatie over dit lesmateriaal

    Van dit lesmateriaal is de volgende aanvullende informatie beschikbaar:

    Eindgebruiker
    leerling/student
    Moeilijkheidsgraad
    gemiddeld

    Gebruikte Wikiwijs Arrangementen

    SURF Privacy Awareness. (2018).

    Privacy in Onderwijs

    https://maken.wikiwijs.nl/123512/Privacy_in_Onderwijs

  • Downloaden

    Het volledige arrangement is in de onderstaande formaten te downloaden.

    Metadata

    LTI

    Leeromgevingen die gebruik maken van LTI kunnen Wikiwijs arrangementen en toetsen afspelen en resultaten terugkoppelen. Hiervoor moet de leeromgeving wel bij Wikiwijs aangemeld zijn. Wil je gebruik maken van de LTI koppeling? Meld je aan via info@wikiwijs.nl met het verzoek om een LTI koppeling aan te gaan.

    Maak je al gebruik van LTI? Gebruik dan de onderstaande Launch URL’s.

    Arrangement

    Oefeningen en toetsen

    Student directory

    Live streaming

    Exam results

    Six rules of thumb

    IMSCC package

    Wil je de Launch URL’s niet los kopiëren, maar in één keer downloaden? Download dan de IMSCC package.

    QTI

    Oefeningen en toetsen van dit arrangement kun je ook downloaden als QTI. Dit bestaat uit een ZIP bestand dat alle informatie bevat over de specifieke oefening of toets; volgorde van de vragen, afbeeldingen, te behalen punten, etc. Omgevingen met een QTI player kunnen QTI afspelen.

    Versie 2.1 (NL)

    Versie 3.0 bèta

    Voor developers

    Wikiwijs lesmateriaal kan worden gebruikt in een externe leeromgeving. Er kunnen koppelingen worden gemaakt en het lesmateriaal kan op verschillende manieren worden geëxporteerd. Meer informatie hierover kun je vinden op onze Developers Wiki.

  • Gebruik
    Weergave
  • Wikiwijs is een dienst van