A new wave of advancement in the education industry has emerged. Schools, universities and colleges are relying more on technology now than they ever have before – and this reliance on technology will only increase in the coming years. Educational institutions are using technological solutions to assist in teaching, engaging in discussions with their students and more recently, in evaluating student performance and proctoring examinations on a remote basis.
As an educational institution entering into contracts with service providers who are offering ed-tech solutions or as a company providing such technological tools to various institutions, it is important to consider privacy implications and comply with obligations concerning processing of personal information. Similar to other areas such as financial services and healthcare, the education sector comes with various regulatory requirements. For an ed-tech startup looking to attract potential investment or acquisition opportunities, compliance with such regulations becomes increasingly important as it may impact diligence conducted by potential investors and acquirers down the road.
The following are some aspects to consider when procuring or providing an ed-tech solution or when conducting due diligence into an ed-tech company.
- Is the company limiting collection of personal information to information that is relevant and required? As an educational institution that is onboarding new technology and requiring students to download new tools onto their devices, it is important to consider whether the service provider is in compliance with applicable privacy laws. This includes, for instance, ensuring that the service provider is only collecting personal information that is limited to what is necessary for the specified purpose. For example, if the ed-tech tool is used for proctoring exams, consider if it would be reasonable to collect financial information of students.
- Is the company collecting biometric data? With the increased reliance on video- and voice-calling, it is important to consider what biometric data is being collected and how is it being used and disclosed. For example, facial images may be collected and used by service providers to authenticate students’ identities or to track student activity during online examinations. According to the Information and Privacy Commissioner of Ontario, unlike other personal information, biometric identifiers are directly associated with the human body and cannot be easily hidden or changed. Therefore, biometric data are worthy of the highest standard of privacy protection. Consider whether it is necessary to collect biometric information and if so, ensure processes are implemented to ensure proper use, disclosure and security of such data.
- Is the data required to be stored locally? For instance, the Office of the Privacy Commissioner of Canada (“OPC”) recommends that biometric data be stored locally rather than in central databases. Centralized storage may result in increased risk of data loss or the inappropriate cross-linking of data across systems.
Privacy Policies and Practices
Consider if the company’s privacy policies and practices in compliance with applicable laws. As a service provider that is now offering a product for use in other jurisdictions, consider if the internal and external privacy policies and practices need to be revised in order to comply with the new scope of business. An educational institution might also want to consider implementing practices to provide students with additional information regarding collection of their personal information, including a forum for submitting queries regarding the institution’s privacy practices as well as each tool’s privacy practices.
- Are the students located in Canada or outside Canada? With students taking courses remotely (for example, an international student taking courses remotely from their home country), consider if there might be a need to comply with any laws, including privacy laws, of other jurisdictions such as the General Data Protection Regulation or the California Consumer Privacy Act?
- Is the company collecting personal information of children? Although the Personal Information Protection and Electronic Documents Act (“PIPEDA”) does not differentiate between adults and minors, the OPC has consistently viewed personal information relating to children as being particularly sensitive. As a result, OPC recommends that consent for the collection, use and disclosure of the personal information of children under the age of 13 must be obtained from their parents or guardians. If applicable, service providers must also consider other legislation in other jurisdictions such as the Children’s Online Privacy Act and the Family Educational Rights and Privacy Act in the U.S.
- Are there any education specific laws or requirements? Ontario educational institutions, for instance, must comply with the Municipal Freedom of Information and Protection of Privacy Act (“MFIPPA”) and the Education Act (Ontario). School boards as a result, may be responsible for information management practices and may be required to implement practices to ensure compliance with MFIPPA. Using a tech solution may result in the breach of students’ and parents’ privacy rights.
- Is the ed-tech solution accessible? As an institution, evaluate whether the tool that is being onboarded as part of the new e-learning program accommodates for students with disabilities. This may be required under the Accessibility with Ontarians with Disabilities Act or similar applicable legislation, but is recommended as a best practice for developing accessible e-learning programs.
Stay informed on M&A developments and subscribe to our blog today.