Date:2 April 2020
PCPD Provides Guidelines on Children's Privacy during the Pandemic
Under the principles of “classroom without boundaries” and “suspending classes without suspending learning”, many schools have widely used various video conferencing software and online learning platforms to continue teaching, possibly resulting in collection of personal data of individuals. The Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner), Mr Stephen Kai-yi WONG provides practical guidelines for schools and parents, reminding them of the potential risks of these software and online platforms, and the appropriate measures to protect the personal data of students and children.
The Privacy Commissioner said, “There are a wide variety of video conferencing software and online learning platforms with high-definition videotaping functionalities in the market. Apart from monitoring students’ level of attention during lessons using attention-tracking function, teaching staff may also distribute and collect homework, score grades, etc. through online learning platforms. These online teaching tools can collect a vast amount of students’ personal data. Without proper measures to handle those personal data, there would be increased risks of misuse or leakage of personal data. Hackers’ attack and malicious use of data for illegal activities may result. These technological products may long outlast the current public health emergency. For schools making use of these technologies, they should perform due diligence to ensure that technologies they select protect children’s privacy, for instance, by ascertaining whether students’ personal data would be collected by third parties, such as software developers and platform service providers. Vigilance is called for in the online world at all times to protect personal data privacy, just like what is needed in the real world. Once personal data is published online, it can be duplicated or permanently stored. In serious cases, it may even impact children’s future lives as adults.”
The Personal Data (Privacy) Ordinance (PDPO) is technology-neutral and does not prohibit any individuals or organisations from installing and using video conferencing software and online learning platforms. In general, if functions of video conferencing software and online learning platforms (such as real-time video or audio sharing, video or audio recording, attendee attention tracking, collection and distribution of homework, etc.) are used to identify an individual or compile information about an identified individual, it would amount to collection of personal data and one must comply with the provisions of the PDPO and relevant Data Protection Principles. Following are some guidelines for schools and parents:
-
Guidelines for Schools
Q: Can schools take pictures of students or record their voices to observe students’ performance in classes when using video conferencing software and online learning platforms?
A: If school authorities, teaching and administrative staff (being data users) collect personal data (e.g. names, images or voice data of individuals) when using video conferencing software and online learning platforms, they must be on a minimal basis and be done in a lawful and fair manner, and the purpose of collection should be directly related to their functions or activities (such as for teaching purposes). The collection of data should be necessary, but not excessive. More specifically, schools shoul
-
consider whether there are other less privacy-intrusive means to achieve the same purpose;
-
get a clear understanding of the privacy policies and security measures of these software and platforms to minimise collection of data by service providers;
-
not collect unnecessary data, for instance data unrelated to teaching purposes (such as IP address, location data, etc.), from students through their devices;
-
disable online tracking and recording functions of the software and platforms, and set them as default. If there are practical needs for online tracking or video/audio recording, schools should explicitly inform parents and students in advance, for example, by providing written notices about the purpose of activating these functions, and the classes of persons to whom their data may be transferred.
Q: Is it necessary for schools to seek parents’ consent before taking pictures of students or recording students' voices during online teaching?
A: According to the requirements of the PDPO, when a data user collects personal data from data subjects directly, the data user should inform the data subjects of the purpose of using their data, whether it is obligatory or voluntary to supply the data, the consequences for the data subjects if they fail to supply the data, and the classes of person to whom their data may be transferred, etc. Hence, if schools need to collect personal data of students, such as their video or audio data when using the online learning technology, they must inform parents and students of the relevant practices in advance.
Q: If schools have collected video or audio data of students through video conferencing software and online learning platform, can such data be used for other purposes, such as academic research or handling complaints?
A: The use of students’ personal data collected by schools should be restricted to related teaching purposes. If it is used for other purposes in future, schools must obtain prescribed consent from the data subjects before using the information, unless exemptions provided by Part 8 of the PDPO apply.
If the data subject is a minor, the PDPO allows the “relevant person” to provide “prescribed consent” on behalf of the data subject under certain circumstances. "Relevant person" can refer to the person having parental responsibility for a minor. That said, schools should handle minors’ data with extra care, even with prescribed consent from adults.
Q: What issues should schools be mindful of in relation to retention of students’ data and data security?
A: Schools must take all practicable steps to protect personal data from unauthorised or accidental access, processing, erasure, loss or use. Specifically, they should:
-
ensure that all devices are installed with the latest security patches and anti-virus software, and properly protected by firewalls;
-
ensure that the network connections are safe and secure (e.g. do not use public Wi-Fi, and use strong encryption for Wi-Fi network);
-
set a password for the online learning session which (as well as its link) should be given only to teachers and students of the online learning session;
-
not record relatively sensitive biometric data, such as voice data, which could reflect children’s emotions; their socio-economic background from their accents;
-
store all tracking data and records with encryption, and the personal data collected should be destroyed as soon as possible after the data has fulfilled the original purpose of collection;
-
beware of whether personal data could be accidentally captured on screen when the screen or video sharing function is activated; and
-
formulate guidelines for handling data breaches.
Q: Should schools formulate policies and guidelines on the use of video conferencing software and online learning platforms?
A: As schools may use online learning technologies for an extended period, they should formulate policies and guidelines on the use of these software and platforms to protect students’ privacy rights, and ensure that teaching staff get a clear understanding of:
-
how to use these tools correctly, securely and in a privacy-friendly manner; and
-
how to deal with incidents of loss of devices or stolen accounts.
2. Guidelines for Parents
Q: If children need to use video conferencing software and online learning platforms, especially in cases where children attend online lessons without their supervision, what measures can parents take to prevent personal data from being misused or embezzled?
A: Parents may consider enabling internet parental controls to manage children's internet usage and filter out inappropriate content. Besides, they should communicate with children prior to using those software/platforms, and guide them to be heedful of the following, for example:
-
When encountering suspicious website or email, do not click the web link and download documents or applications, and promptly verify their authenticity with schools;
-
Double check carefully the content of what they are going to send and the recipients before sending or uploading information to the software and platforms;
-
Remember to turn off the camera and microphone functions when these online tools are no longer in use; and
-
Disable online tracking functions whenever possible.
More Guidelines Issued by the Privacy Commissioner
The Privacy Commissioner has issued a range of guidelines on privacy issues arising from COVID-19:
-
Zoom Data Security Incident dated 1 April 2020
(
https://www.pcpd.org.hk/english/media/media_statements/press_20200401.html)
-
Fight COVID-19 Pandemic Guidelines for Employers and Employees dated 30 March 2020
(
https://www.pcpd.org.hk/english/media/media_statements/press_20200330.html)
-
Response to media enquiry on privacy issues arising from COVID-19 dated 21 March 2020
(
https://www.pcpd.org.hk/english/media/response/enquiry_20200321.html)
-
The use of information on social media for tracking potential carriers of COVID-19 dated 26 February 2020
(
https://www.pcpd.org.hk/english/media/media_statements/press_20200226.html)
-
Privacy issues arising from mandatory quarantine measures dated 12 February 2020
(
https://www.pcpd.org.hk/english/media/media_statements/press_20200211.html)
The Global Privacy Assembly (GPA), a global forum for data protection and privacy authorities, has carried our guidelines above on its webpage
“Data protection and Coronavirus (COVID-19) resources”, alongside the latest advice and guidance provided by other data protection authorities as GPA members and observers on personal data protection and COVID-19:
https://globalprivacyassembly.org/covid19/ .
-End-