Issues surrounding students’ data and schools’ use of educational technology (EdTech) are in the spotlight as school boards in six provinces respond to a “significant cyberattack” on an administration software platform.
According to CTV, the company PowerSchool informed school districts that “hackers infiltrated its systems using a compromised credential to gain access to one of their portals, PowerSource.” The infiltration happened between Dec. 19 and 23, 2024. The breach “may have compromised sensitive personal information of students including names, addresses, health card numbers and medical details” as well as “personal and sensitive information,” of staff.
The news is unsettling. Parents and caregivers know that today, for a child’s schooling, they or their child must deal with an EdTech service for communication, homework, scheduling, exams or general learning tasks. “Learning management systems,” web-based technology for different aspects of learning, are becoming ubiquitous in today’s schools.
The data-hungry design of the EdTech systems makes upholding the privacy of young people very challenging. Schools’ use of these technologies has already come under scrutiny in Ontario and beyond.
In Ontario and elsewhere, we need reforms that give decision-makers at the appropriate levels the power to bring robust democratic oversight to EdTech in schools.
Companies in the middle of interactions
Companies are now in the middle of interactions that once happened through direct connections among educators, students and parents. Where educators communicate with parents through an EdTech system, it can be akin to having a company sitting in on a parent-teacher conference. Exchanging messages about a student through an EdTech service means that the information shared no longer stays between a parent and teacher. The service provider has access to the information to provide the service.
These services pose novel threats to students’ privacy.
Because of these privacy threats, schools are under immense pressure to vet EdTech procurement and deployment.
The complex ecosystem of providers, services, protocols and plug-ins sets schools up for the difficult task of making sense of it all. Functions are delegated to other services and platforms through third-party plug-ins. This means that even if the user-facing experience is delivered by one company, in the background there are many.
The use of generative AI in the classroom
will exacerbate this problem. EdTech providers will rely on the offerings of the likes of dominant players such as OpenAI, integrating these companies’ offerings into their services and sharing further data.
School boards, regulators face huge task
Protecting students’ privacy is a huge task for school boards and for regulators to undertake. The underlying business model of EdTech providers is to sell more services to schools. These services aim to generate and analyze more student data without requiring a connection to improving outcomes for students or educators.
EdTech is inscribed in a larger constellation of unequal power relationships. In most cases schools have little power to influence the underlying infrastructure that enables porous boundaries between services, providers and experiences. This is a central issue for ensuring robust governance and privacy protection.
Both the data chain and the power asymmetries become more complex with more entities involved in the collection, use and disclosure of students’ personal information, especially when such services invite reliance.
As the editorial board of the Globe and Mail has recognized “the root of much of the problem [of harms caused by technology] is the power these companies wield.” This recognition joins a growing chorus of researchers and regulators who draw a close connection between the concentration of digital power and issues such as privacy and democratic governance.
It is for this reason that current market dynamics will not deliver robust privacy protections for young people (or for any of us).
Schools must simply trust EdTech providers?
Schools heavily rely on contracts, which are mere promises at their core, to protect student privacy. Yet schools have neither the insight into nor the power over the infrastructure: most often they must simply trust the EdTech providers’ conduct.
Existing and proposed law and policy fall short because they regulate information types and purposes, without thoroughly considering information flows and infrastructure — meaning all the “piping” of the digital environment, and multiple points at which data can be compromised. Canada is not alone, though. Data privacy laws globally remain based on an approach initially articulated half a century ago.
This said, there are promising turns: Europe has begun to regulate digital services and markets with power relationships in mind. The Information and Privacy Commissioner for Ontario’s Digital Privacy Charter for Ontario Schools underscores the need to make sure EdTech services do not siphon off young people’s personal information.
Ontario’s recent enactment of Bill 194, which gives the Minister of Public and Business Service Delivery and Procurement the ability to issue technical standards for public schools’ use of EdTech, is an important step towards regulation.
But the values surrounding education in a liberal, democratic society must inform schools’ EdTech procurement standards — for example, with legislation ensuring that robust public consultation become part of schools’ decisions for EdTech. Currently, Bill 194 makes no such provision.
Significant reforms needed
Significant reforms are needed, in the following ways, to ensure the public has a say in regulation and student privacy is safeguarded.
1. Infuse the governance of EdTech with democracy. We need the power of the people to counter the power of platforms. Currently, there is widespread failure to bring robust democratic oversight to EdTech ecosystems. We need constant reassessment of existing governance institutions and ways to gauge societal expectations. This includes establishing governance mechanisms for reacting to ongoing feedback from communities and detecting disruptive information flows.
2. Privacy as contextual integrity. We need approaches that consider contextual norms and respect social values, since privacy is about respecting the integrity of a social context. The values in the educational context have evolved over generations to ensure information flows in appropriate ways.
Embracing this perspective would help to explicitly think and communicate about the underlying piping of the data economy to ensure better transparency and accountability of information practices.
3. Law as integrity. We need principle-based, privacy-preserving rules that are informed by social values — a perspective that the Information and Privacy Commissioner of Ontario likewise shares. This puts the onus on companies to adhere to social norms about information practices. The goal would be to ensure that, for example, we scrutinize EdTech services that collect student data to make performance profiles based on how such profiles contribute to educational values and purposes.
Bringing about these reforms will not be easy. But the difficulty of the road ahead should not deter us from creating a better future for students and citizens alike.