Protecting the Privacy of Student Data: Required Actions for Compliance with BC's FIPPA Law
British Columbia (BC) has one of the strictest privacy laws governing personal data in all of North America, intended to ensure BC citizens are protected when it comes to the storage of, and access to, personal identifiable information.
To abide by BC's Freedom of Information and Privacy Protection Act (FIPPA) Regulation, faculty members must apply three principles in situations involving the privacy of student information: 1) give notice to students when they are sending, or requiring students to send, their data to a location outside of Canada, 2) provide knowledge of why they are doing this, and, if required, 3) obtain written consent from students for doing so. You can apply these principles to almost any privacy situation in order to show you have done your due diligence.
Written consent is the highest level of 'due diligence' when classroom work requires the use of social media, or when a faculty member or student forwards email to Gmail/Hotmail (web email services), and when a course requires the use of online textbooks or textbook activity sites. Educating students is an important part of maintaining their privacy.
It is the responsibility of individual faculty members to ensure that they are compliant with FIPPA regulations. The following information is provided to help ensure that faculty members are aware of their responsibilities.
When to Think About FIPPA
Any time students’ personal, identifiable information (first name, last name, date of birth, course student is enrolled in, student grades, home address, student VIU ID) is stored on a server outside of Canada, or the parent company that owns the server is located outside of Canada, students must be provided with notice, knowledge, and consent. Personal, identifiable information includes any information that can be used to identify an individual student including photographs, file names of documents, student assignment titles, videos, audio files etc.
Any email that contains students’ personal, identifiable information should ONLY be accessed from Canadian-based services, such as the official VIU Outlook email account (hosted at VIU). Services such as Gmail, Hotmail, Yahoo, etc., host their services outside of Canada (on servers around the world), and should not be used to access emails that contain student personal identifiable information (including accessing VIU webmail from a public computer in another country). This would be a violation of the FIPPA law.
Note: It is possible to have emails forwarded from VIULearn to faculty members’ personal email accounts. Emails from VIULearn DO contain students’ personal, identifiable information, and SHOULD ONLY be forwarded to official VIU email accounts, and NEVER to services like Gmail, Hotmail, Yahoo, etc. unless notice, knowledge and written consent have been obtained from the students.
Online Textbook Resources
Any online learning resource, such as textbooks or any supporting materials included in textbooks (labs, quizzes, resources to access), that faculty require students to use should only be hosted in Canada. If the resource is located outside of Canada, or the parent company is located outside of Canada, faculty must ensure they give students notice of information that will be stored outside of Canada, provide knowledge of why they need to access the site, and ensure there is student consent (written or some alternative form of recording consent). In this way, students are made aware of the implications of having their data reside outside of Canada and what other companies can do with their data.
Social Media/Web Tools Used in the Classroom
Many students access social media and various web tools outside of the classroom. What students do with social media outside of the classroom on their own is their business, and not the responsibility of faculty. If students are required to use social media, web tools or online resources as part of their classes (make a Prezi, post to Twitter, create a Facebook account, upload video to YouTube etc.), and that tool is based outside of Canada (which almost every company is!), faculty are responsible for ensuring they give students notice of information that will be stored outside of Canada, provide knowledge of why they need to access the tool and how it is impacted by BC FIPPA laws, and capture student consent (written or some alternative form of recording consent).
Obtaining Student Consent
- Once you have all the information, create a consent form for your students. A consent form is required FOR EACH COURSE, clearly outlining the assignments, activities and required learning that make use of a tool or resource that puts student information on servers outside of Canada. Unfortunately, you can't have a 'blanket' program or degree consent form, as you need the details for each course assignment/activity spelled out.
- Sample VIU Consent Form for an Online Textbook Site (Word version) for you to download, edit and use with students. Ensure you remove all 'sample' content and insert your own information. Sample VIU Student Consent Agreement
- You are also able to create a 'digital consent form' through an online content page in VIULearn, where students read the form and select a response to a question (consent), so you have a record of their consent/non-consent. Email the Centre for Innovation and Excellence in Learning for assistance.
- If you would like assistance proofreading your consent form or you have questions, kindly email firstname.lastname@example.org for a consultation.
Alternatives to Student Consent
- Research the technology and your assignment/task to ascertain whether you or your students actually need to collect, upload, and use personal identifiable information (often you may not, and can use the social media or web tool without needing such information). You may be able to have students skip sections intended to capture personal identifiable information.
- If you or the web tool requires personal identifiable information – find out how much your students really need to supply (or are connected to through accounts), what the privacy risks are, and what options exist to make information more private – then use a consent form.
- If a student refuses consent – have a Plan B. Students who do not wish to engage in privacy-laden activities should still have an alternative that fulfils a lot of the main learning intentions but doesn’t expose them to privacy risks (e.g., use the learning management system at VIU etc.)
- Inquire about ‘on site’ or ‘Canadian hosted’ tools that may allow you to do similar activities but not have to use US servers (e.g., VIU's learning management system is hosted in Ontario, VIUTube large file video storage is hosted at UBC/Vancouver, VIUBlogs is hosted at VIU etc)
- Educate students – let them know what is going on. They may have some solutions!
- Try using pseudonyms for some social media elements that won’t release personal identifiable information.