Project Updates and Events
Vetting of Application Security and Privacy (VASP)
The OASBO Joint ICT-PIM Working Group has established and tested a process for conducting risk assessments on educational web applications. We conduct risk assessments centrally for the benefit of all boards. The outcome of each assessment includes a list of risk mitigation strategies that boards and schools can implement in order to use the application safely.
Our process for assessing applications is based on our Student Digital Privacy Standard and embodies progressive privacy and security protections that align with those endorsed by regulators and experts across North America and the European Union.
The OASBO Joint ICT-PIM Working Group has established and tested a process for conducting risk assessments on educational web applications. We are moving forward with our plans to conduct risk assessments centrally for the benefit of all boards. The outcome of each assessment includes a list of risk mitigation strategies that boards and schools can implement in order to use the application safely.
Please note, we are also looking for volunteers to assist in the review of applications! Shadow the experts as you gain skills during the review process. This is a great opportunity to build expertise in your board. Scheduling is flexible; your commitment can be as little as a couple of hours per week. We need people with Privacy, Security, or Risk Management expertise. If you are interested or want to learn more, submit your name, school board name, email address and area of expertise to Wayne Toms via email at firstname.lastname@example.org.
Student Digital Privacy Standard
Used for Classroom Applications, Software and Web Services to ensure that web apps, software and online services used in Ontario school boards adhere to uncompromising high standards of protection. These criteria are based on data protections for children endorsed by regulators and experts across North America and the European Union. This standard is intended to shift the data protection landscape and raise the bar for student digital privacy in Ontario schools.
- Providers must state all data elements that their classroom web apps or services collect and provide reasons for the collection/processing of each element.
- Schools must ensure there is verifiable parental consent for the collection, use and disclosure of personal information of children under 18 if there is no legal basis for using classroom web apps/software/services as determined by law or established by regulators.
- Unless consent is obtained, providers must allow students to maintain ownership of and be in control of the content they create and upload to the classroom web app/software/service.
- Providers must offer consent options so that users (or parents/guardians) can consent to the collection and use of personal information necessary to provide the service without consenting to the use or disclosure of that information to third parties for other purposes (e.g., marketing).
- Providers must collect only the personal information required to operate the classroom web app/software/service, e.g., no accessing browser history, contact lists, search terms, preferences, device identification, location, etc. unless directly related to providing the service.
- When apps are to be downloaded onto mobile devices, providers must offer choices to users regarding disclosure of data on their device such as location, identifiers, contacts, etc.
- Providers must never collect personal information covertly, i.e., without the user’s knowledge, particularly audio/video information via the user’s own device.
- Student profiles and activity within the web app or service must be kept private so that they cannot be seen or collected by others unless the app/service itself is collaborative and requires this type of sharing.
- Educators should be allowed to create generic accounts for children (e.g., student 1, student 2, etc.) and/or create profiles using as little personal information as possible in order to avoid the excessive collection of personal information.
Use, Retention, Disclosure
- Providers must use, disclose and retain personal information only for the purpose of providing the classroom web app/software/service.
- Providers must not benefit or profit from student personal information.
- Providers must not profile children for marketing purposes or in ways that lead to unfair, unethical or discriminatory treatment.
- Providers must not repurpose student data or use it for research without express consent, unless authorized by statute or anonymized.
- Providers must securely destroy or make anonymous in a timely manner all personal information that is no longer required to provide the app/software/service and they must explicitly identify retention timelines.
- The provider must have a comprehensive security program in place that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks, (e.g., unauthorized access or use, unintended or inappropriate disclosure) through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information.
- Providers must define the safeguards in place.
- Providers must ensure that all vendors they use to provide the service implement the same security safeguards.
- Providers must ensure that all successor entities are obligated to implement the same security safeguards for personal information previously collected.
- Providers must have breach protocols in place.
Openness and Transparency
provider and any third parties.
to find after the account has been created.
- Providers must identify the third parties to which they disclose personal
information for processing, the specific data elements involved, and a summary
of protections/assurances in place.
- Where providers use data for statistical analysis and profiling, for making
subjective assessments, for predicting behaviour or as part of a decision-making
process it should be clearly communicated by providers to users along with a
mechanism to challenge these assessments.
- Providers must state whether or not the classroom app/service allows users to make personal information publicly available online.
- Providers must directly inform users before changes are made to policies
terms they were initially provided.
- Providers must disclose the presence and use of third party cookies and
provide options for managing them.
- Provider must confirm that they are in compliance with all laws.
Access and Correction
- Providers must make available the name and contact information of an
operator who will respond to inquiries and challenges from users or parents/
guardians about privacy policies, data handling practices, accuracy, completeness and use of personal information.
- Providers must have a mechanism for users to access, correct, erase, and
download content they created in a useable format.
- Users have the right to erasure of their data, including metadata inferences, assessments and profiles (if not required for administrative purposes by
the provider or the school board) and providers will not charge a fee for this service.
- Providers must ensure that when a student deletes their work in their account created by an educator where the educator maintains exclusive administrative rights, the copies in the educator account must disappear, also.
- Providers must ensure that educators have the ability to delete their own
accounts and virtual classrooms.
- Providers must not require users to surrender their copyright to their own
work if they post it to the application or service’s site.