News release

Sweep of educational apps finds some fall short on privacy

GATINEAU, QC, October 24, 2017 – A sweep of a number of popular online applications used in Canadian classrooms has found that many service providers are carefully considering the needs of younger users when it comes to privacy, but others are falling short.

“We were pleased to find that many of the apps we looked at are taking important steps to protect the privacy of children and youth, for example, by offering kid-friendly explanations about why personal information is being collected,” says Privacy Commissioner of Canada Daniel Therrien.

“Unfortunately, we also found cases where educational apps need to do better. We were concerned to find cases where websites encouraged students to provide more personal information than was actually necessary.”

The Office of the Privacy Commissioner of Canada (OPC) took part in the fifth annual Global Privacy Enforcement Network (GPEN) Privacy Sweep, which involved 24 data protection regulators from around the world.

This year the OPC worked alongside the Ontario Information and Privacy Commissioner’s Office to examine privacy issues related to educational applications targeted at children and youth from kindergarten to grade 12. Together, the two offices reviewed more than two dozen apps and platforms.

“Sweepers” examined the apps’ privacy policies, the personal information being collected, and the controls in place to protect personal information.

As a result of the Sweep, the OPC has released a report outlining key takeaways for online educational services and tools as well as users.

Some of the key findings of the Sweep were as follows:

  • Most services made information about how they handle personal information available to users, but the quality varied and it was sometimes hard to find.
  • Concerns were raised with respect to how a significant number of services were obtaining consent for the collection and use of personal information. For example, more than a third of the services did not seek consent from students or parents, or provide teachers with resources for obtaining parental or student consent in other ways.
  • Only a handful of services had different consent mechanisms for younger and older students, which was surprising given the differences in the ability of younger and older children to understand safe, appropriate privacy practices.
  • Some services had adopted good practices to minimize collection and disclosure of students’ personal information and provide controls for teachers and parents to set age-appropriate limits/supervision on collection and disclosure of students’ personal information. However, there were cases where too much personal information was collected – for example, a blogging platform designed for use in schools that had fields to collect students’ instant messaging handles, photos and bios.
  • Many services failed to make it easy – or even possible – to delete personal information no longer needed.

The OPC’s Sweep was not an investigation, nor was it intended to conclusively identify compliance issues or possible violations of privacy legislation. Rather, “sweepers” sought to replicate the consumer experience by spending a short time on websites and apps to record certain privacy practices in relation to a common set of indicators.

The initiative is aimed at encouraging organizations to comply with privacy legislation and to enhance co-operation between privacy enforcement authorities. Concerns identified during the Sweep will result in follow-up work such as targeted education, outreach to organizations and/or enforcement action.

The overarching theme selected for the 2017 GPEN Sweep was “user controls over personal information.” Participating regulators took various approaches to the initiative. Globally, the Sweep found that website privacy notices are often too vague and generally inadequate.

About the Privacy Commissioner of Canada

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act, Canada’s federal private sector privacy law.

See also:

2017 Global Privacy Enforcement Network Sweep - Key takeaways for online educational services and tools

Information and Privacy Commissioner of Ontario’s News Release: New IPC report on online teaching tools & best practices for protecting student privacy

UK’s Information Commissioner’s News Release: International enforcement operation finds website privacy notices are too vague and generally inadequate

- 30 -

For more information:

Valerie.Lawton@priv.gc.ca
819-994-5663

NOTE: To help us respond more quickly, journalists are asked to please send requests for interviews or further information via e-mail.

Date modified: