17. Security and Privacy

17.2. Cloud - Based Services and Privacy

However, in recent years, more and more online services have moved ‘to the cloud’, hosted on massive servers whose physical location is often unknown even to the institution’s IT services department. Contract agreements between an educational institution and the cloud service providers are meant to ensure security and back-ups.

Nevertheless, Canadian institutions and privacy commissioners have been particularly wary of data being hosted out of the country, where it may be accessed through the laws of another country. There has been concern that Canadian student information and communications held on cloud servers in the USA may be accessible via the U.S. Patriot Act. For instance, Klassen (2015) writes:

Social media companies are almost exclusively based in the United States, where the provisions of the Patriot Act apply no matter where the information originates. The Patriot Act allows the U.S. government to access social media content and personally-identifying information without the end-users’ knowledge or consent. The government of British Columbia, concerned with both the privacy and security of personal information enacted a stringent piece of legislation to protect the personal information of British Columbians. The Freedom of Information and Protection of Privacy Act (FIPPA) mandates that no personally identifying information of British Columbians can be collected without their knowledge and consent, and that such information not be used for anything other than the purpose for which it was originally collected.

Concerns about student privacy have increased even more when it became known that countries were sharing intelligence information, so there remains a risk that even student data on Canadian-based servers may well be shared with foreign countries.

Perhaps of more concern though is that as instructors and students increasingly use social media, academic communication becomes public and ‘exposed’. Bishop (2011) discusses the risks to institutions in using Facebook:

  • Privacy is different from security, in that security is primarily a technical, hence mainly an IT, issue. Privacy needs a different set of policies that involves a much wider range of stakeholders within an institution, and hence a different (and more complex) governance approach from security.
  • Many institutions do not have a simple, transparent set of policies for privacy, but different policies set by different parts of the institution. This will inevitably lead to confusion and difficulties in compliance.
  • There is a whole range of laws and regulations that aim to protect privacy; these cover not only students but also staff; privacy policy needs to be consistent across the institution and be compliant with such laws and regulations.
  • Facebook’s current privacy policy (2011) leaves many institutions using Facebook at a high level of risk of infringing or violating privacy laws – merely writing some kind of disclaimer will in many cases not be sufficient to avoid  breaking the law.

The controversy at Dalhousie University where dental students used Facebook for violent sexist remarks about their fellow women students is an example of the risks endemic in the use of social media.