Experts ‘hack’ online education applications to improve student safety, privacy protection, and data security

Web Posted by:

||

In the early days of the pandemic, as school boards adapted to virtual learning, a team of IT, Privacy and Supply Chain Management experts from across the province was working night and day to ethically hack dozens of online applications. The objective is twofold; to safeguard student personal privacy information and data security and identify areas of data and legal risk to Boards using these applications.

“Boards and teachers were discovering educational apps to support their curriculum needs online, however, most of these hadn’t been reviewed to ensure that students would not be at risk, and that their personal data was protected,” explains John Shanks, ECNO’s Director of Business Development.

Improved privacy protection and cyber security had been identified as a priority in a 2018 Ontario Auditor General’s IT Systems and Technology in the Classroom report and an assessment framework had been developed by volunteers working with a joint working group of three OASBO committees, and ECNO, who then agreed to run the VASP program.

When a board submits a request following an internal pedagogical review, evaluators run the software through more than 100 risk assessments that consider student safety and privacy, security of personal data, technology requirements, and terms of use. To date, 92 per cent of Ontario’s school boards have signed on.

“Demand was swift and ECNO committed significant resources to getting this work done quickly,” says John.  As part of the Ontario Together project initiated by the Province, the Ministry of Education and ECNO/OASBO joint sub-committee immediately recruited and trained 20 privacy, technology, and supply chain management experts who collectively logged nearly 1,000 hours per week in the early months of the pandemic. The process can take as little as a couple of hours for simple applications that don’t collect very much personal information, to a week for sophisticated programs that can weave a complex trail of documentation and data. If the analysis identifies concerns and risks, evaluators work directly with the vendor to mitigate the issues.

The final report includes an overall privacy/security score, a technical School Board report for IT and curriculum staff, and a plain language report for administrators and educators. ECNO staff walk board representatives through the report to address questions or concerns, and assessments are centrally databased for participating boards. Over 110 reviews have been completed since the program kicked off in April 2020 with several new requests coming in each month.

John now oversees a team of eight reviewers, each dedicating about 20 hours per week to the program. In addition to continuing to assess new application requests, evaluators are frequently circling back to the completed titles to determine if any legislative or product privacy/terms of use conditions have changed warranting reassessment.

The process and evaluation tools are now being trademarked by OASBO and ECNO as co-owners to protect the intellectual property.