In April of 2017, and then again in June, 2017, Millwood Junior School in Ontario implemented the “Millwood Wellness Census” as part of a Wellness Week initiative. The census was assigned to each student in grades SK-5, and required the students to use their Google account. The students’ surveys were submitted using the students’ respective Toronto District School Board (TDSB) email addresses, which have the following format: [email protected]
But before we can consider the regulatory issues, what kind of information did this census or survey collect and store, how did it collect information, and who had created it? It was described to this site as a mental health assessment, a description that, not surprisingly, set off some alarm bells here.
Of particular concern to the parents, given that the census appeared to them to be designed to elicit information about the wellness and mental health of an underage population, did the school personnel have the skills to create such a survey, and did the junior school staff have the authority to engage in such a sensitive data collection? What was the risk of inaccuracies or errors in the data that could lead to misinterpretation? And how would any problems with the English language or reading skills impact the accuracy of responses and interpretation?
Furthermore, and in the opinion of the parents who contacted this site, the information was collected improperly because:
- It was collected directly from students in grades JK-Grade 5 rather than from their parents or guardians,
- No notice of collection was issued to parents or guardians, describing the school’s or district’s authority to collect the information, the principal purpose for which the information would be used, and the contact person or position if parents had any questions, and
- No information was provided to parents as to how long the data would be retained and how it would be stored.
That’s a lot of concerns. And their reaction is exactly why school districts need to be more proactive in terms of notice and consent. Why weren’t all of these parents’ questions answered before the survey was ever administered? Maybe the district or the school decided that this survey or census was “no big deal” and it didn’t warrant sending home information in advance, but in this day and age, and as parents become more sophisticated about data privacy and how EdTech may potentially pose problems, it would behoove districts to be more transparent even if there are no regulatory requirements.
But were there any requirements in this case?
Should the Parents Have Been Informed?
One of the many troubling questions raised by the census was that the parents were not informed of it in advance, and only discovered that it had been administered when a parent decided to search her child’s Google account for information on a pilot program the school was running called “Genius Hour.” The lead teacher for the program is reportedly the same staff member who designed and implemented the wellness survey.
“As we kept pressing the school administration and the school board for more answers, we learned that the superintendent and the principal authorized the deletion of the census in October, 2017. This was a warning sign for us and we filed an official privacy complaint with the TDSB internal Privacy Office. Predictably, they found that there was no privacy breach,” one of the parents informed PogoWasRight.org. PogoWasRight.org agreed not to use the parents’ names in this report because of their concern about retaliation.
To make a long story a tad shorter, the parents were not satisfied at all by the multiple and conflicting answers they received to their queries. But in the process of seeking information on that survey, they also discovered that the Board never informed parents that the district was using Google Apps for Education (GAFE) and never sought parental consent for the use of GAFE.
The more these parents drilled down into the contracts and consent provisions that apparently had not been adhered to, the more concerned they became.
“I also found (on Google of all places) an Addendum which is added to all agreements between Google and individual school boards in the province of Ontario,” one parent wrote to this site. “The Addendum suggests that Google clients commit to respecting COPPA. Google’s own Online Agreement specifically asks that in compliance with COPPA, Google customers must commit to obtaining parental consent for the use of non G Suite apps. It appears to us that the TDSB has for years now been operating in breach of its agreement with Google by not obtaining parental consent, as our children at Millwood Jr School have been using both YouTube and Maps without parental consent.”
But does COPPA, an American statute, have a long-arm provision that binds Google to complying with it even when it is doing business in another country? And if Google does have any obligations under COPPA when it does business with Canadian school districts, can Google punt those privacy-protective responsibilities to the school districts? And are there any Canadian laws or regulations that required parental notification and consent prior to conducting a wellness survey using Google accounts, or is the only requirement Google’s contract with school districts?
Toronto District School Board Denies Privacy Violations
When PogoWasRight.org reached out to the Toronto District School Board to begin asking questions, their first response was to claim that the wellness survey was not a “mental health assessment,” which is how the parents had described it. According to spokesperson Ryan Bird:
This was not a “mental health assessment.” It was a wellness survey, conducted in each class, to gauge whether students were experiencing any challenges at school as part of the school’s Health and Wellness Week activities. Parent concerns were brought to our Freedom of Information/Protection of Privacy office which investigated and found that there was no breach of privacy.
So the district absolved itself of any privacy violations, claiming that the survey asked about challenges in school. But the parents, who had obtained copies of the survey, noted that it also asked about home situations. “Why ask questions about their home life? Aren’t those an intrusion upon the privacy of the students’ home life? How does knowing about whether their siblings are buggers enhance their learning at school?” one parent asked this site.
It’s a valid question. As is their question about any contract and addendum that seemingly required the district to have informed the parents of the use of GAFE and to obtain consent for some things. As one parent noted in responding to the district’s response to their concerns:
… section 29 (2) of the Municipal Freedom of Information and Privacy Protection Act (MFIPPA) sets out the notice requirement for the collection of personal information on behalf of an institution. Section 29(2) of MFIPPA states as follows:
2) If personal information is collected on behalf of an institution, the head shall inform the individual to whom the information relates of,
(a) the legal authority for the collection;
(b) the principal purpose or purposes for which the personal information is intended to be used; and
(c) the title, business address and business telephone number of an officer or employee of the institution who can answer the individual’s questions about the collection.
No such notice was provided, the parents told PogoWasRight.org, leading them to think that the failure to notify constitutes a breach of s. 29(2) of MFIPPA.
What Does the FTC Have to Say?
PogoWasRight.org also contacted the Federal Trade Commission to ask whether Google’s obligations under COPPA would apply to its tools if used by a Canadian school district. It turned out that getting a straight answer as to whether COPPA has a long arm was more than a little frustrating. The FTC wouldn’t answer any questions about any specific company, and just pointed me to guidance in the FAQ, which I had already read and been amply confused by in terms of whether it would apply to schools in Canada using GAFE:
Notice this part of the FAQ:
As long as the operator limits use of the child’s information to the educational context authorized by the school, the operator can presume that the school’s authorization is based on the school’s having obtained the parent’s consent. However, as a best practice, schools should consider making such notices available to parents, and consider the feasibility of allowing parents to review the personal information collected.
So, assuming for now that COPPA does apply to Google because the TDSB data are stored on a server in Virginia, Google could presume that the district’s authorization was based on the school having obtained parental consent. But the district didn’t obtain parental consent, according to these parents. So did the district violate both its contract with Google and MFIPPA, or did it violate just the latter, or neither?
It took several months, but PogoWasRight.org finally obtained a statement from Google about the situation. Before I show you their response, though, do take note of what the questions were, because they fail to answer them. My questions to Google had been:
1. Is it Google’s understanding that Canadian school districts must comply with the Children’s Online Privacy Protection Act (COPPA) if they are customers of GAFE and non G Suite apps? Does the addendum negotiated in 2013 between the Ministry of Education in Ontario and Google essentially make each school district responsible for complying with COPPA?
2. Are any student’s data and records from the Toronto School District Board stored on servers in the U.S.?
3. Was Google aware that the Toronto School District Board allegedly was not obtaining parental consent, nor even informing parents of the principal use of data collection involving Google apps?
In response to those questions, months later, spokesperson Ashley Carlson wrote:
First, data privacy and security are of the utmost priority for Google — this site https://edu.google.com/k-12-solutions/privacy-security includes detailed information on our privacy and security policies, including insight on COPPA, data security and ownership. Google cannot advise customers or anyone else on the legal requirements of COPPA or other laws. Our G Suite for Education (Online) Agreement https://gsuite.google.com/terms/education_terms.html addresses COPPA in section 2.5, which states the below. In this case, the school is the “customer.”
2.5 COPPA and Parental Consent. If Customer allows End Users under the age of 13 to use the Services, Customer consents as required under the Children’s Online Privacy Protection Act to the collection and use of personal information in the Services, described in the G Suite for Education Privacy Notice, from such End Users. Customer will obtain parental consent for the collection and use of personal information in the Additional Services that Customer allows End Users to access before allowing any End Users under the age of 18 to use those services.
School administrators can determine which services are available and the policies for each service, so each school’s use of G Suite is different. G Suite for Education tools break down into two categories:
1. Core Services like Gmail, Drive, Calendar, Classroom — or —
2. Additional Services like YouTube, Maps, Blogger
You can read more details about what falls under each category here <https://support.google.com/a/answer/182442>.
G Suite for Education administrators determine which Google services their users can access. We recommend as a best practice, that schools get guardian consent for both Core Services they enable and Additional Services. A school may be able to provide consent for Core Services on guardians’ behalf, subject to the laws applicable to that school, which customers themselves are best situated to evaluate. Google aims to give schools the information they need about its services and its privacy and security practices so they can keep parents well informed.
Did you notice that “Customer consents as required under the Children’s Online Privacy Protection Act” language in Section 2.5 (emphasis added by me)? But is it required if we are talking about a Canadian school district as Google’s “customer?”
So after waiting for months, we still had no clear answers, with the parents’ strongest case, perhaps, being under MFIPPA.
PogoWasRight.org is not a law site, of course, and this blogger is not a lawyer. I spoke with a Canadian advocacy organization that has now gotten involved in pursuing the parents’ concerns, and I look forward to seeing some update at some point in the future.
But why is Ontario so lax about requiring more privacy protections and consent provisions for use of EdTech with students? In this day and age, when we have seen so much evidence of privacy breaches and companies selling or misusing student data, why isn’t Ontario taking a firm stand that says parents must be given notice about the use of EdTech that includes the types of personal information being collected, how and for how long it will be retained, what its intended and acceptable uses are, and how parents can request deletion of their child’s data if it is no longer needed by the district for educational purposes? And if the regulations are already in place requiring that, why aren’t they being enforced more rigorously?
Kudos to these parents who began their own advocacy efforts to uncover how the district does and does not implement notice and consent. Perhaps their efforts will lead to the birth of a more active association of privacy-concerned Canadian parents.