
Running head: FIPPA and BCED

Freedom of Information and Protection of Privacy and British Columbia Public

Education: First Questions about Effectiveness and Next Steps

Danny Leeming

University of British Columbia - Masters of Educational Technology Program.


There is, without question, great educational value in the use of technology. The use

of cloud based tools and web based applications is revolutionizing regular face to face

classrooms by blending the teacher-student relationship and contact times to a much more

fluid and flexible one. In my own classroom, through the use of the Google Apps for

Education platform, students are now able to work synchronously in groups whether they are

able to attend class, or they are on a bus travelling for extracurricular sports. They are also

able to edit and reflect, peer-share and connect, asynchronously. While the anchor of our

school buildings, and face to face contact, form the bedrock of our relationship, the use of

these tools is invaluable at meeting learners where and when they are most comfortable

engaging in learning, reflection, and assessment. At what legal and personal cost do these

opportunities come?

It is my contention that the Freedom of Information and Protection of Privacy (FIPPA)

legislation in British Columbia is a good, intermediate step towards more mindful privacy

legislation. However, given the complex and evolving nature of cloud and web platforms, it

will require a much broader, international framework to be truly successful as there are many

holes in compliance, data handling, and interconnectedness that make its full intention hard,

if not impossible, to achieve.

In 2011, the Province of British Columbia enacted some of the most aggressive,

forward thinking, privacy legislation in North America (Hengstler, 2013). This privacy

legislation, the Freedom of Information and Protection of Privacy Act (FIPPA), affects the

employees and clients of public bodies in the province. This legislation was the result of

several complaints and lawsuits. FIPPA, in practice, essentially sets the legal boundaries for

the use of technology, and its interaction with student information, for all BC public schools.

The impetus for change to existing privacy laws was brought on by the aftermath of

September 11, 2001, and the subsequent passing of the US Patriot Act (Privacy and the US

Patriot Act, 2004). The Office of the Privacy Commissioner in BC put forward a lengthy report,

stemming from a lawsuit brought by the BC Government Employees Union, to discuss the

privacy implications for government bodies using 3rd party companies based outside of BC

(“Privacy”, p. 11, 2004). While the report initially concerned itself with specific questions

about privacy, data, and US/foreign access, it tackled much deeper, broader questions and

determined that British Columbia “cannot wait for historians to tell us whether or how much

the shift towards a national security focus has imperilled our hard-won rights and liberties”

(“Privacy”, p. 11, 2004). The report was pivotal in taking an assessment of the current online

world being built and recognized that the fundamental pieces of privacy had changed:


“Advanced technologies have created the ability to merge isolated

databases into massive banks of information about identifiable
individuals. This, in turn, enables data mining—the application of
database technology and techniques to uncover patterns and
relationships in data and to undertake the prediction of future results or
behaviour. The hidden patterns and subtle relationships that data mining
detects are recorded and become personal information about the
individual whose characteristics or habits are being searched and
analyzed” (“Privacy”, p. 13, 2004)

The Privacy Commissioner made many thoughtful recommendations based on input from

citizens, ministries, foreign police agencies, and more. These recommendations included

many key provisions in the 2011 legislation including the restriction of out of province data

storage, new conceptions of personally identifiable information, and the process for which

clients/users are informed and can consent to the sharing of their personal data (“Privacy”, p.

134, 2014).

To understand whether or not the implementation and goals of FIPPA are being met

we must first understand and define the theoretical backing of the legislation, its concerns,

and the goals it had for privacy in BC public education.


The foundation of privacy law has rested, and continues to rest, on a concept called

personally identifiable information, or PII. The shifting nature of PII is incredibly problematic

for modern privacy legislation. The term PII, coined in the late 19th century, is the

founding concept of privacy legislation across the globe and it primarily concerns itself with

key identifiers that directly attribute information to an identifiable person (Schwartz & Solove,

p. 1816, 2011). If a piece of information that directly identifies a user in a given set of data is

omitted, deleted, or removed then there is no privacy violation because anonymous data

was, and in many cases still is, considered non-identifiable (Schwartz & Solove, p. 1817,

2011). A practical example of this in action, under traditional conceptions of privacy laws,

would be if a teacher, school or district used exam data from a standardized test, such as the

English 12 provincial exam, removed the names of students, their personal education

numbers, and their school, and released or shared the remaining grade and assessment data,

including written responses. This would be considered anonymous because no single piece

of data could be identified as any single student alone.

The advent of web based tools, powerful and sophisticated data crunching

databases, and an ever increasing amount of data have made this traditional approach to

privacy very problematic. One does not need to look far to find the terrifying instances of

deanonymization on a massive scale. For example, researchers were able to quickly identify

individuals from a database of anonymized search queries released by America Online,

even though the data had no IP addresses attached, and had been “scrubbed” of names,

dates, locations (Ohm, p. 1717, 2009). Despite that, researchers quickly identified searchers

as real people and were able to contact them. Similar stories have emerged that further

illustrate this point. Researchers were also able to identify Flickr and Twitter users, despite

no links between their accounts, based only on patterns of posting and sharing (Ohm, p.

1743, 2009). Luckily, these examples were simply research experiments but the

ramifications in the wrong hands are easy for one to imagine. Ohm warns us of the danger,

stating that “reidentification has formed the database of ruin and given our worst enemies

access to it.” (p. 1748, 2009). He also argues that every instance of reidentification creates

a ‘snowball effect’ where any reidentification can never be undone, and will further

strengthen the next attempt at reidentification by building a much larger series of points and

known connections (Ohm, p. 1742, 2009).
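The exam-data scenario above can be checked before anything is released. The following is an added example, not part of the original paper: it strips the direct identifiers the traditional approach removes (name, personal education number, school) and then measures k-anonymity, a standard disclosure-risk measure the paper does not name, over the fields that remain. All records, field names, the generalization rules and the threshold of 3 are constructed assumptions.

```python
"""Release-risk audit for a "de-identified" exam data set (constructed sample data)."""
from collections import Counter

# Fields the traditional PII approach removes before release.
DIRECT_IDENTIFIERS = {"name", "pen", "school"}
# Fields left behind that an outsider may already know about a student (assumed).
QUASI_IDENTIFIERS = ("birth_year", "gender", "postal_prefix", "exam_session")

FIELDS = ("name", "pen", "school", "birth_year", "gender",
          "postal_prefix", "exam_session", "mark")
# Constructed rows, not real student data.
ROWS = [
    ("Student A", "P0001", "School X", 1998, "F", "V1L", "2016-06", 82),
    ("Student B", "P0002", "School X", 1998, "F", "V1L", "2016-06", 74),
    ("Student C", "P0003", "School X", 1998, "M", "V1L", "2016-06", 91),
    ("Student D", "P0004", "School Y", 1998, "M", "V1N", "2016-06", 65),
    ("Student E", "P0005", "School Y", 1997, "M", "V1N", "2016-06", 58),
    ("Student F", "P0006", "School Y", 1998, "F", "V1N", "2016-06", 88),
    ("Student G", "P0007", "School X", 1998, "M", "V1L", "2016-06", 77),
    ("Student H", "P0008", "School Z", 1997, "F", "V1R", "2016-01", 69),
]
RECORDS = [dict(zip(FIELDS, row)) for row in ROWS]


def strip_direct_identifiers(records):
    """Traditional 'anonymization': drop only the obvious identifying fields."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
            for r in records]


def class_sizes(records, quasi_identifiers):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def audit(records, quasi_identifiers, k_min):
    """Report k-anonymity and how many records fall in groups smaller than k_min."""
    sizes = class_sizes(records, quasi_identifiers)
    if not sizes:  # nothing to release
        return {"k": 0, "unique_records": 0,
                "records_below_k_min": 0, "releasable": False}
    k = min(sizes.values())
    return {
        "k": k,  # size of the smallest group
        "unique_records": sum(1 for n in sizes.values() if n == 1),
        "records_below_k_min": sum(n for n in sizes.values() if n < k_min),
        "releasable": k >= k_min,
    }


def generalize(record):
    """Coarsen the remaining fields so that individuals blend into larger groups."""
    out = dict(record)
    out["birth_year"] = "*"                               # suppress entirely
    out["postal_prefix"] = record["postal_prefix"][0]     # region letter only
    out["exam_session"] = record["exam_session"][:4]      # year only
    low = record["mark"] // 10 * 10
    out["mark"] = f"{low}-{low + 9}"                      # ten-point band
    return out


if __name__ == "__main__":
    stripped = strip_direct_identifiers(RECORDS)
    print("identifiers stripped:", audit(stripped, QUASI_IDENTIFIERS, k_min=3))
    coarse = [generalize(r) for r in stripped]
    print("after generalization:", audit(coarse, QUASI_IDENTIFIERS, k_min=3))
```

With names, numbers and schools removed, half of the constructed records are still the only one with their combination of birth year, gender, postal prefix and exam session, which is the gap between "no identifier present" and "not identifiable" that the paragraph describes.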

In a world where the average person's digital footprint doubles in size every two

years, with data mostly managed outside of their direct control, the threat of linkability and

deanonymization becomes greater and greater each passing day (Rigele & Debbie, 2016).

This provides a clear context for why, in public education, the data we release about our

students for learning intentions, or not, has huge privacy implications going forward.

The approaches to defining and legislating the management of PII have traditionally

taken three models. The non-public approach legislates what PII is not. (Schwartz & Solove,

p. 1830, 2011.) For example, to once again use assessment data as an example, it could

define that aggregate grading data and anonymized written submissions are not PII, but

names, grades, and schools are. This is closely related to the specific types approach which

strictly defines categories like name, birth date, blood type, zip code, etc. as the

categories that make information identifiable (Schwartz & Solove, p. 1829, 2011). These

have proven to be far too limiting, especially with the evolution of technology, because as we

have seen with the aforementioned deanonymization examples, what is and is not PII can

change rapidly. As stated by Schwartz and Solove, “[t]he line between PII and non-PII is not

fixed, but depends upon technology. Thus, today's non-PII might be tomorrow's PII.” (p.

1846, 2011). Paul Ohm concurs, stating that defining and constraining PII is a game of

whack-a-mole and it trusts that “lawmakers can evaluate the inherent riskiness of data

categories, assessing with mathematical precision whether or not a particular data field

contributes to the problem enough to be regulated.” (Ohm, p. 1734, 2009). FIPPA finds itself

taking a third approach, tautological, which is open and flexible in its definition and leaves

the specifics very open ended to changing landscapes (Schwartz & Solove, p. 1829, 2011).

The criticism of this approach is that there are no clear guidelines for what is, and is not,

acceptable. This can be problematic, especially in complex systems like public education,

but leaves the privacy protected for new developments. As we will come to see, this

approach is well intentioned but problematic for FIPPA in British Columbia.

Clearly the mere act of legislating privacy is difficult in the modern world. Ohm states

that restricting the flow of information has serious consequences, saying:

“The free flow of information fuels the modern economy, nourishes

our hunger for knowledge, shines a light on the inner workings of

powerful institutions and organizations, and represents an exercise

of liberty. Before enacting any privacy law, lawmakers should weigh

the benefits of unfettered information flow against its costs and must

calibrate new laws to impose burdens only when they outweigh the

harms the laws help avoid.” (Ohm, p. 1736, 2009)

FIPPA legislation could not just forbid the flow of information in the name of privacy. The

power of information, so succinctly described by Ohm, is the definition of a double edged

sword. Our modern systems need the ability to draw upon information to make our current

way of life possible and to cut off the flow of information completely would have serious

consequences. It should not be surprising that FIPPA took a firm, but open, approach to

privacy with public bodies and tries to balance the needs of personal privacy without

forbidding public bodies to use new services under specific rules.

The implementation of FIPPA is a reflection of the changing scope, and definitions of,

privacy. This is deeply connected to the proliferation of cloud and web based services, and

the interconnected nature of data points in the modern world. Our schools suffer this shifting

reality with student data.


FIPPA has done an adequate job of mitigating the theoretical and practical concerns

raised by modern computing. One of the foundational pieces of FIPPA is based around its

obligation for public bodies to create informed consent for data being shared. The

requirement for public bodies to tell citizens exactly how their data will be used, shared,

stored and disclosed in detail is a very forward thinking solution and allows users to weigh

the positives and negatives of their decisions. In a world where something as innocuous as an

anonymized search query on AOL can lead to your direct identification, consenting to each

type of information that is being disclosed is an important protection. Section 30 of FIPPA

contains many important and relevant regulations for public education and this includes the

requirement of detailed, informed consent for any and all information disclosed by a public

body (Freedom of Information and Protection of Privacy Act [FIPPA BC], 2016). A primer on

FIPPA prepared by the Office of the Privacy Commissioner details how FIPPA requires any

information that could be considered identifiable to be consented to, even to the point of

requiring something like a student journal that details information about several individuals to

gain the consent of every person involved (Cloud Computing Guidelines for Public Bodies, p.

4, 2012). While cumbersome, this certainly delivers on FIPPA’s goal of protecting user data

from unknown disclosure. It might read to some as ‘overkill’ but based on the power of

computers it does not take much to imagine the plethora of personal information stored in a

single student’s ‘What I did this summer’ assignment.

FIPPA also tackles storage and the risk of storing data outside of Canada (FIPPA

BC, 2016). Section 30 also strictly forbids unconsented storage of any personal information,

identifiable or potentially identifiable, outside the borders of Canada (FIPPA BC, 2016). Julia

Hengstler, an instructor at Vancouver Island University, and others wrote a comprehensive

overview of what FIPPA requires of teachers to share student work or data online

(Hengstler, K-12 Primer, 2013). Any disclosure of data must answer what she has called

the “Key Questions” to be FIPPA compliant. These are:

1) Who does the content belong to?

2) What, exactly, is being shared? Specific things - Work, birthdays, names, etc.
3) What content will be posted and how will it be identified?
4) Where will the content be posted & who will see it?
5) How and when is it accessed?
6) Where is the data stored? What does that mean for my stuff?
7) Who is in charge of this at my school or at the school board office? What are they
doing to protect my information?
8) What if something changes? Or there is a data leak?
9) Is this written in a way that my parents and I can understand? (Hengstler, 2013).

This series of obligations that any consent form must meet greatly enhances the knowledge

and consent of students in public education and their ability to make a

reasoned decision on their personal information.

Perhaps one of the most positive benefits of current BC privacy legislation is that it

may be contributing to a more thoughtful and positive conversation around privacy in our

schools. Digital citizenship as a curricular goal has never been more prominent, and with the

curriculum change currently being undertaken in British Columbia, this trend will continue.

FIPPA allows us as instructors, teachers, and leaders in student learning to engage in

meaningful and practical conversations with our students every time we approach them, and

their families, about a digital or web tool we wish to use with them in their learning. The

hypocrisy of schools advocating educational programs to produce digitally literate

citizens but not contemplating their own digital actions and tool use should be clear. The linkage between

legitimate care about student privacy through respecting and honoring the goals of FIPPA

legislation and the profession's desire to create digital citizenship, responsibility and

knowledge should be crystal clear.

The law addresses this need and demand in our schools. A study completed by the

Fordham Institute on a sample of several US school districts found that cloud computing

platforms were being used in some capacity in 95% of schools examined, and found

that privacy of student data was “poorly understood, non-transparent, and weakly governed”

(Rigele & Debbie, 2016). The study also found that there were “rampant gaps” in the way privacy

was enforced, the types of agreements between schools, or districts, and service and

content providers, and the information received by students and parents (Rigele & Debbie,

2016). Speaking anecdotally, in the schools and districts I have worked with as a teacher,

this study rings true in British Columbia. Privacy forms, even in the age of new FIPPA

legislation, show widely different interpretations of privacy law from school to school and

district to district.

With all the above in mind, there are some areas in which FIPPA is not meeting

the needs of BC students, teaching professionals and districts. One of the most vocal critics

of British Columbia’s approach to privacy with regards to public education is Dr. Alec Couros.

He performed a review of legislation in 2016 and said outright that the way the legislation

functions in practice is “not compatible or commensurate with the sector specific needs of

education bodies” (Couros & Hildebrandt, p. 5, 2016). He criticizes its strict, unclear nature,

and its restrictive grip on teacher creativity that is depriving BC students of valuable

learning experiences (Couros & Hildebrandt, p. 5, 2016). He also takes issue with the

tautological approach of the legislation and states that the open ended way in which it is

written essentially creates a situation where anything not mentioned as potentially disclosed

can open bodies up to legal action and as a result, freezes innovation, new technology

adoption, and learning (Couros & Hildebrandt, p. 7, 2016).

He fairly criticizes the concept of storage location as creating a false sense of

security for Canadian users and supports this stance by highlighting data sharing legislation

between the US and Canadian governments, and referencing revelations about data spying

by various governments (Couros & Hildebrandt, p. 8, 2016). Finally, he focuses on how wildly

different the legal interpretations have been and how some districts have just said ‘no’ to the

educational opportunities made possible by cloud and web based tools (Couros &

Hildebrandt, p. 10, 2016). To summarize his very detailed and well argued critique, British

Columbia students are being prevented from incredibly valuable learning by poorly written,

unclear privacy legislation that is mostly based on inadequate understandings of data

transmission that, at the end of the day, does very little to actually protect information.

Building on Couros’ argument about varied and different interpretations, one needs

only look at privacy forms from various school districts to see that FIPPA is seeing wildly

different methods of enforcement and adherence. The approaches districts have are widely

varied. Some districts, like SD57 in Prince George, have board office positions dedicated to

meeting privacy commitments, while others such as SD36 still use blanket unspecific waivers

that, in my opinion and the advice given by Julia Hengstler and the Office of the Privacy

Commissioner, do not meet the obligations of FIPPA. I contacted several districts informally

requesting access to their waivers and information about their wireless infrastructure. While

this is very incomplete, it provides the ability to make some basic conclusions about FIPPA

in British Columbia.

| District | Waiver Exemplar | Meets FIPPA Checklist by Hengstler? | WiFi System | Waiver for WiFi Access or FIPPA privacy in Network Access |
|---|---|---|---|---|
| School District 8 | Yes | Yes | Meraki by Cisco | No |
| School District 20 | For image/media release only. | No | Meraki by Cisco | No |
| School District 10 | For media only | No | Meraki by Cisco | No |
| School District 36 | Yes | No | Aruba Wireless (HP) | No |
| School District 57 | Not available to | Yes | Unknown | No |
| School District 61 | Yes | Yes | Meraki by Cisco. Cloud portal turned off, all access points locally managed to protect privacy | N/A |
| School District 37 | Yes | Yes | Ruckus ZoneFlex | Ruckus data is internally stored on district servers. |
| School District 62 | Yes | Yes | No response | n/a |

Table 1: FIPPA processes in a sample of British Columbia School Districts.

I also inquired to districts about their wireless internet infrastructure. This is

connected to my own concerns that build on what Couros discusses. While classroom

teachers are very concerned with the classroom disclosures of information, and their legal

and ethical responsibilities to safeguard their students' information, there are many systems

in place by school districts on the “business” side of education that may need an overhaul

with regards to privacy. Access to WiFi internet systems is quite common in British

Columbia schools, especially at the secondary level. Often, for practical reasons, these

wireless internet systems are built and maintained, and then managed remotely over

geographic distances by district IT staff. They allow staff to monitor connections, uptime,

security threats, and apply policies all through central web dashboards. With that, however,

comes the potential to track a plethora of student information.

Some of the popular systems include the Meraki system by Cisco Systems, and the

Aruba system by HP. These are only two examples known to be deployed in some BC

school districts. The issue with these services is the way in which identifiable data about

students is tracked and stored in the United States in contravention of FIPPA without student

knowledge or consent. Cisco Meraki uses a web based management dashboard, hosted in

the United States, which collects information from connected client devices, for example

student owned devices, such as MAC address, device type, physical geo location, operating

system, device name (Cisco Meraki Privacy Policy, 2013). If this was not concerning

enough, they are also able to track hostnames, different protocols running on the device,

port and IP information (Cisco Meraki Privacy Policy, 2013). To simplify that statement,

Meraki can track a student's device name, their device's unique MAC address, and tie that to

their app and web history, and their physical location at different times of day (Cisco Meraki

Privacy Policy, 2013). Despite not having traditional red flag identifiers like full names, in a

world where users can be identified by anonymized AOL search queries, the volume of

information Meraki and Cisco can collect about students can easily be used to not just

personally identify them, but build a very robust profile of their web and social media habits.

A further reading of the privacy policy reveals that Meraki has the right to disclose their

collected information to other service providers, for business purposes, to any affiliated

company who “may use and disclose personal information” disclosed to them by Cisco at

their discretion (Cisco Meraki Privacy Policy, 2013). Only one school district - SD61 in

Greater Victoria - using Meraki, as noted in Table 1 above, took this privacy worry into

consideration and has turned off the cloud dashboard in their Meraki system.

While my sample is incomplete, and my beginning inquiry is not of empirical nature, I

have deep concern about the implications for both educational technology and our legal and

ethical duties to our profession and our students. Let us propose a scenario in which a

district blocks any improper web and cloud tools in their classrooms and develops a rigorous

FIPPA approval process, but utilizes a system like Cisco Meraki for their wireless internet.

Even if a student is not using a teacher suggested tool, such as Google Apps, and is simply

using their own device to browse and search up basic information online, or browse social

media on their lunch break, the use of infrastructure such as Cisco Meraki opens up an

incredible amount of PII to a corporation which can buy, sell and trade the student

information without their knowledge or consent. This situation is one that needs remedy. In

Table 1, I have included information about several districts who use Meraki or something

similar. A complete, empirical study and further research is needed to determine the extent

of this problem that I have not seen mentioned in any of my research. Is this infrastructure

privacy concern being weighed and considered? How can schools deal with this and still

respect FIPPA? Should schools be forced to shut down wireless internet until further notice?

Must we end the culture of BYOD in our schools until we can properly protect student

information? Can we put this proverbial cat back into the bag?

FIPPA has been written with the very best intentions and has made a valiant and

substantial attempt at protecting British Columbia students from violations of their privacy

that could have long term and lasting impacts on their lives. When discussing why

FIPPA is important with colleagues I often ask them if they would be okay if I were to set up

and run their child’s Facebook profile, or if they would be alright with a field trip permission

form that stated only that I may take their child on a field trip, on an unknown date, to an

unknown location, and that we cannot guarantee we will ever return. Once they finish looking

at me quizzically, the analogy holds true and FIPPA is understood as a necessary piece of

the privacy puzzle. Clearly, though, it is not perfect. As a practicing British Columbia teacher

I often weigh the time and work of developing adequate waivers versus the opportunity

offered by different tools and often opt for options that may not deliver the same impact, but

carry fewer privacy concerns. Many colleagues do not respect the legislation, avoid

technology at all costs, or find themselves on the lower end of what Julia Hengstler refers to

as the “Compliance Continuum” (Hengstler, Compliance Continuum, 2014).

Hengstler, I believe correctly, writes that full compliance with FIPPA in its current

form is “ill defined” if not “unattainable” (Hengstler, Compliance Continuum, [Compliance

Continuum] p. 6, 2014). She also describes other stages of teacher reaction to tough FIPPA

restrictions in terms such as “Avoidance”, “Ignorance” and “Knowledgeable Non

Compliance” (Compliance Continuum, p. 1, 2014). Our goal should always be complete

compliance with legislation, but the practical reality is a situation where it may never happen. If

that is the case, has FIPPA been truly effective? And what about the very serious concerns

raised here over the very infrastructure we use to access the internet in our schools?

I believe the proper approach to FIPPA is to elevate the conversation to the national

and international level. The report on cloud computing that made many of the

recommendations that found their way into current FIPPA legislation was prophetic in the

sense that it also recommended this next step as the only way to truly create a new privacy

framework that truly dealt with the instantaneous transmission of information across

international borders and the powerful, integrated computer networks that can harness and

connect so much information (“Privacy”, p. 134, 2004). That report on privacy recommended

these changes to FIPPA only in light of a pending multinational approach, and knew that was

the key to real change (“Privacy”, p. 134, 2004).

I cannot help but back up this recommendation. I see immense value in the

protection of student privacy. Kids will post things that will be potentially socially

embarrassing and have impacts on things like future employment. Many also struggle with

deeply personal family or mental health issues that could show up in their work and writing.

As one author calls it, “the right to be forgotten” is an important part of youth and privacy

protections (Newman, p. 507, 2015). Newman talks of adolescent exploration, trial and error

nature of development, and other factors as things that should not follow people around as

they mature (Newman, p. 508, 2015). Only by uniting with the international community on

issues of data sharing, deanonymization, reselling of data, encryption, and handling can we

hope to tackle modern privacy issues. The current patchwork of province to province, state

to state, country to country frameworks can create something similar to a taxation ‘race to

the bottom’. Firms which wish to be nefarious with user data can always find a new, more

lenient jurisdiction from which to operate and only by creating a universal set of principles

can we really provide adequate privacy protections. Furthermore, the question of

infrastructure, and how it interacts with student data, leaves the door open for much more

important research. I applaud the British Columbia government's leadership position on this

very important issue, but there is more work to be done on behalf of students, teachers, and

employees of British Columbia public education.



Canada, Office of the Information and Privacy Commissioner for British Columbia. (2012). Cloud
Computing Guidelines for Public Bodies (pp. 1-7). Victoria, BC: OIPC.

Cisco Meraki Privacy Policy. (2013, December 17). Retrieved July 10, 2016, from

Couros, A., Dr., & Hildebrandt, K. (2016, January 25). STATUTORY REVIEW OF THE FREEDOM
PRIVACY ACT. Retrieved June 10, 2016, from

Freedom of Information and Protection of Privacy Act. (2016, June 22). Retrieved July 05, 2016,
from

Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. F.31. (2016, April 19).
Retrieved July 05, 2016, from

Hengstler, J. (2013). A K-12 Primer for British Columbia Teachers Posting Students' Work Online.
Vancouver Island University. Retrieved June 10, 2016, from

Hengstler, J. (2014, April 24). The Compliance Continuum: FIPPA & BC Public Educators.
Retrieved June 18, 2016, from

Kelly, A. E., & Seppälä, M. (2016, August). Changing Policies Concerning Student Privacy and
Ethics in Online Education. IJIET International Journal of Information and Education
Technology, 6(8), 652-655. doi:10.7763/ijiet.2016.v6.768

Newman, A. L. (2015, January 29). What the "right to be forgotten" means for privacy in a digital
age. Science, 347(6221), 507-508. doi:10.1126/science.aaa4603


SURPRISING FAILURE OF ANONYMIZATION. UCLA Law Review, 57, 1701-1777. Retrieved
June 10, 2016, from

Rigele, A., & Debbie, A. (2016, March). I Agree, but Do I Know? Privacy and Student Data.
Knowledge Quest, 44(4), 10-21. Retrieved from

Russom, M. B., Sloan, R. H., & Warner, R. (2011, December 6). Legal concepts meet technology.
Proceedings of the 2011 Workshop on Governance of Technology, Information, and Policies -
GTIP '11, 29-37. doi:10.1145/2076496.2076500

Schwartz, P. M., & Solove, D. J. (2011). The PII problem: Privacy and a new concept of personally
identifiable information. NYUL Rev., 86, 1814.