As our school moves into implementing our co-teaching model, a reoccurring question has been around the topic of assessment and the sharing of information; in particular student assessment observations, assessment results, behaviour tracking and work programs.
Many of our staff have access to iPads and are keen to use these as part of their teaching. Some are exploring the use of Google Docs, some are exploring the Ultranet and some are exploring other options.
The question of privacy and security of information was raised with regards to access to information that is stored within ‘the cloud’.
This led to me completing a bit of an investigation of DEECD and Victorian Government policies on where we stand with regards to storing information online using Google Docs, Evernote and other web-based applications.
I dug through the DEECD ICT Acceptable Use Policy, the iPads for Learning resource booklet, the terms and conditions for using Google Docs, the DEECD guides regarding public records and archives and the Public Record Office Standard for Retention and Disposal of School Records without finding much to help me.
I eventually stumbled across the Office for the Victorian Privacy Commissioner’s information sheet around the use of cloud computing and how it impacts on the Information Privacy Act 2000 (Vic):
Cloud Computing is the term being used for information technology infrastructure that hosts data or applications in the “cloud” – that is, refers to offsite, geographically remote software or data storage accessed via the Internet. Data applications are usually accessed on demand through a web browser instead of being stored on individual computers. Cloud computing technology is increasingly being used by Victorian Government Agencies to reduce capital and operational costs… Cloud Computing also allows departments to pool resources efficiently and quickly.
The part that interested me was the following paragraph:
The Information Privacy Act will only apply where the data stored includes personal information about an identifiable individual.
Based on my interpretation of this, data that would contain even a student’s first name would be considered identifiable.
The information sheet goes on to describe the different types of cloud computing in relation to where the server/s are located or stored. It breaks them up into the following categories:
Private Cloud – within the organisation only – the government hosts the cloud in Victoria and uses cloud technology within its organisation.
Community Cloud – Within the Victorian Government – a centrally hosted cloud in Victoria that is used by various government Departments and organisations.
Public Cloud – Either within Australia but outside of Victoria (with the data hosted in Australia) or offshore (hosted by a cloud computing service provider whose data servers are located overseas)
Again, based on my knowledge and research, Google Docs and Evernote would be Public Clouds under the definition of the act given that their servers are located around the world.
With regard to the use of public clouds, the information sheet had this to say:
Where the provider is outside of Victoria or offshore, taking reasonable steps to protect personal information from misuse, loss, unauthorised access, modifications or disclosure under IPP 4 (IPP 4 is ——) is difficult or even impossible. By using the cloud service, the government agency is relinquishing some – if not all – control over their data. This includes being able to control security measures.
As noted above, it is likely that a cloud service provider will be an agent for a Victorian government organisation. This means that if there is a data security breach, the government agency will remain responsible for any breach that occurs. The risks for the Victorian government organisation are compounded when information is stored offshore, as the organisation cannot control who can access the data or any security or encryption methods. There is also a real problem of enforceability or remedying a breach if it occurs in relation to data stored in an offshore server.
Given that many cloud computing service providers are in jurisdictions which do not have similar privacy or data protection laws, if a security breach occurs, an individual in Victoria will be powerless to take action against the cloud service provider and will only be able to complain to the Victorian government organisation, which may similarly be unable to assist due to its lack of control over the data.
Where the cloud server is located offshore, it may also be possible for foreign governments to access the information if that government requires it. For example, the PATRIOT Act and associated anti-terrorism legislation in the United States contain provisions allowing the US Government to access data in specified circumstances, but prohibiting the data custodian notifying anyone. Allowing access to foreign governments could be a breach of the unauthorised access restriction in IPP 4. Depending on the type of information held, foreign governments may also put pressure on the cloud service provider to remove information or stop providing the cloud service in breach of the Information Privacy Act. This could have other serious implications, including under the Public Records Act.
Some cloud service providers may host Victorian government data across servers located in several different jurisdictions (some of which may have privacy laws and some which may not), making data security compliance impracticable. Data might also not reside in one particular place, resulting in confusion if a breach occurs.
By this point, my head started hurting and I came to the conclusion that we no longer use our online tools.
Having read a few tweets and blog posts from those who use Evernote and Google Docs and other online tools to assist them in their work, I’m keen to hear how others go about doing this. I’d also love a link or reference to an official DEECD stance on the use of cloud computing.
Can you help?!?
Do you use Google Docs, Evernote or another cloud-based tool for your planning? Your assessment records?
Do you have documentation/research that supports their use in Victorian schools?