Support Centre

International: Data privacy for Edtech institutions and remote learners

In recent years, digital transformation has disrupted the traditional models of education. New methods have emerged for educating students, researchers, professors, educationists, and remote learners across the globe, regardless of territorial and geographical boundaries. The bulk of this frequent transmission of knowledge through well designed learning applications is referred to as Education Technology ('Edtech'). Ololade Oloniyo, Data Privacy Practitioner and Convener at IP Law Discourse, discusses data protection considerations for the Edtech industry and the business value of privacy for Edtech companies.

siraanamwong / Essentials collection / istockphoto.com

Prominent and successful Edtech companies improve student research, accountability, and evaluation through data mining, data analytics, and web dashboards. The evolution of computerised learning models allows companies to gain insight into best practices that improve learning capabilities. Data analytics software provides immediate feedback to teachers about a student's academic performance, making it possible to evaluate learning in more detailed ways. Data mining helps to provide credible feedback to course creators and faculty coaches on the structure and design models used in learning rooms. Many schools have developed dashboard softwares to monitor the overall performance of the school, and review, modify, and restructure academic goals.

Without the science of Big Data, the Edtech industry cannot maximise its potential or invent new models of business within the industry. One thing remains obvious, the science of big data is incredibly valuable to the Edtech industry.

While Edtech encourages innovation, collaboration, and inclusivity, it has also ushered waves of privacy concerns for tech-preneurs and educationists. The principle of data ethics implies that every organisation needs to implement data privacy solutions that reduce data breaches and demonstrate compliance with legal obligations. A recent case study by the U.S. Government Accountability Office on the K-12 Cybersecurity Resource Center1 clearly shows that Edtech organisations must carefully work towards protecting the personal data of remote learners. According to the study, many K-12 students had their personal data thwarted away in data breaches. Affected data included students' academic records, social security numbers, personally identifiable information, assessment scores, and special education reports. The consequential effect of this is individual and organisational harm, legal liability, identity hijack, blackmail, loss of public confidence, and reduced enterprise value.

Proactive measures should be embedded within the corporate strategy of every Edtech institution. One cardinal principle of data privacy is Privacy by Design. Article 25 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') supports data protection through technology design. The GDPR requires that a data controller exert proper technical and organisational measures to reduce data breach and protect the rights of data subjects. However, beyond technology design, Privacy by Design should be seen as a part of  organisational culture. The most effective way of making privacy and security an integral part of the company is to build them into the core values and ethics of the organisation. This way every trainer, staff, and program officer gets to see privacy as a tool for business continuity and integrity.

Remote learners should be keen on data privacy and protection as well. They should be taught to check privacy setting on mobile apps, computer software, and online accounts. Edtech institutions must also empower remote learners to understand their privacy rights. All data subjects including remote learners have the right to be provided with a transparent and clear privacy notice which explains how their data will be processed. They also have the right to restrict the processing of data, bring legal proceedings against a controller or processor and claim compensation for damages suffered for non-compliance with privacy regulations.

Edtech institutions should educate remote learners on anti-malware protection, keeping strong passwords, encryption, password storage tips, cyberbully (kids) and on best practices for using the internet safely. This builds clientele trust and enhances a more collaborative approach against cyber-threats and data breaches.

Privacy compliance, technical cyber security measures, staff trainings, and continuous education of remote learners for safe internet use must never be regarded as a burden by Edtech organisations. Leaders must recognise that data privacy compliance ultimately contributes to the achievement of the desired goals of the company. In the long run, institutions that make privacy a core value will promptly build a large base of fans, grow brand value, and attract investments opportunities within and outside its market.

Ololade Oloniyo Data Protection Practitioner
[email protected]
IP Law Discourse


1. Available at: https://www.gao.gov/products/gao-20-644#:~:text=According%20to%20GAO's%20analysis%20of,in%20which%20data%20are%20compromised.