Data protection in EdTech is the need of the hour

Rohan (name changed) was apprehensive when the education website for IPMAT practice exams asked for his date of birth, email, phone number and address. It was the third website asking for the same data. An exasperated Rohan brushed aside his misgivings, punched in the data the portal required and started practising his mock tests.

Rohan's experience is similar to that of thousands of students. The issue of education websites asking for such data gains importance. It is of concern in the context of the new Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which took effect recently.

Increased demand and diverse education systems have witnessed many new EdTech (Education Technology firms and start-ups) players. EdTech companies are capitalising on the current opportunities and making a fortune with customised products from self-learning materials, interactive educational contents, online classes, customised tuitions, student engagements and sample tests.

While online education and EdTech companies are making learning more interesting, a significant area of concern is how user data is collected, stored, processed, used and potentially monetised. Malicious use of this sensitive data by unauthorised people and groups could result in social engineering, financial crimes and frauds, cyberbullying, user tracking, identity theft, or other means for targeting children.

In May 2020, firewalls of one of the biggest EdTech companies of India was breached by cyber threat actors and threat groups, who put up personally identifiable information of the users for sale on the dark web. It is, therefore, imperative to take measures to protect, regulate, govern and control the insurmountable pile of personal data of the students, parents and end-users. As the user base of EdTech providers is growing exponentially, the need for strong governance and regulation from the government is essential to dispose of apprehensions about privacy concerns, lack of transparency and accountability on the educational contents delivered through these platforms.

India's EdTech industry is growing exponentially, being the second biggest globally and is poised to touch $3.2 billion by 2022. Private equity and venture capital funding in EdTech are rising with approximate $1.5 billion funding as of September 2020, a four-times increase than 2019.

EdTech enables scale and speed using a direct to the device model, breaks down geographical barriers helping students access high-quality education from top institutes. Teachers became facilitators and curators, managing remotely.

The current K-12 school system in India is one of the largest in the world, with more than 1.4 million schools with 250+ million students. According to IBEF's Indian Education Sector Industry Report, August 2020, India is the second-largest market for e-learning after the US. Conversely, India is 115th in education in the Legatum Prosperity Index 2020, where Singapore is first and the US second; India was at 104 in 2018.

The significant concerns go beyond content and frameworks. There is a need to swiftly address critical challenges like data security, privacy, social, and ethical issues. The privacy policies of the EdTech companies are indecisive and ambiguous and assume that consent and responsibility lie with the user. Most of the consumers of these EdTech platforms are neither briefed nor have the legal know-how.

This disruption in the education domain raises ethical and social concerns. Some critical areas of concern in social and ethical aspects are biased content delivery, implicit influence on career decisions, minimal historical data availability for efficient data modelling and machine learning leading to inaccurate profiling of students, increased unemployment of conventional educators, less upskilling and reskilling of educators and standardisation and moderation of content without regulatory approvals.

One fundamental perspective to look at is whether an EdTech organisation is based on a vision of learning and uses the power of technology to achieve its goal, or is it one with a technology-first approach and uses education to test their innovations and monetise?

Role of the data protection bill in the education sector

Section 16(2) of the Personal Data Protection Bill, 2019, states that the data fiduciary shall, before processing any personal data of a student, verify their age and obtain the consent of their parent or guardian, in such manner as may be specified by regulations by the Authority under the Act.

It is the responsibility and accountability of EdTech companies to ensure they deploy sophisticated systems, frameworks and programmes to defend against cyber-attacks, data breaches and data infringements proactively.

The way forward and the need for measurable controls

There is a need to educate, inform and increase awareness of end-users of the risks and challenges associated with app-based learning. Educational institutions and government education departments should facilitate awareness campaigns, conduct regular auditing and performance reviews of these Edtech programmes.

Contact details of data privacy and legal offices of EdTech firms should be made available to end-users. There should be well-documented processes and policies on how the data is being collected, stored, processed, analysed and used. Additional due diligence, including the appointment of nodal and grievance officers, is another requirement with proper content review and moderation.

There are no or minimal regulatory bodies in India today for controlling these concerns in the dynamic educational sector. A well-defined regulatory framework has to be in place to manage the ethical aspect of forced learning, behavioural and psychographic data drainage, content regulation, standards and compliances.

Given the prolonged process of passing the data protection laws in India, the judiciary may oversee and provide necessary guidelines to ensure that EdTech companies implement systems and procedures to address concerns and challenges.

There are progressive steps taken by many countries already on data privacy and data protection of its customers. GDPR (General Data Protection Regulation) by the European Union is one prominent example of a robust regulatory framework addressing the data privacy management of its citizens.

The pandemic created a watershed moment that transformed education, but technology in education opened up a gateway to students' privacy. Therefore, it is essential to scrutinise how education technology is paving and regulating the new path of learning.

(Ranjana Mary Varghese is Deputy Director, Xavier Leadership Centre, XIME, Kochi and Philip Varughese is VP and Lead Cyber Defense and Security, Accenture.)

Disclaimer: The views expressed above are the author’s own. They do not necessarily reflect the views of DH.