Could Universities’ Use of Surveillance Software Be Threatening Students?
Many universities have sought to address this by turning to remote monitoring tools to track students’ online activities. These tools track students’ attendance at lectures and seminars as well as library visits and other ‘points of engagement.’ The idea is that this then shows universities how engaged each individual student is with their studies.
The question is as follows: How are these new ways of learning affecting students? Are they putting student data at risk?
The facts and figures
At least 27 UK universities have been using this type of tracking software, including 23 out of the 24 Russell Group universities, Nottingham Trent University, the University of Hull and York St John University. It is likely that the use is even more widespread or will become so in future.
Exactly what is being monitored depends on the university and the particular software being used. One popular tool tracks data including how often students:
- Attend lectures, seminars and workshops
- Log onto their virtual learning environment (VLE)
- Log onto university computers
- Submit work
- Access online content
- Check books out of the library
- Print, scan or photocopy documents
In theory, monitoring students’ engagement with their studies could be a good thing. Where a student is deemed to have low engagement, it could trigger the university to investigate why and offer any extra support the student needs.
However, there are concerns about exactly how this data will be used, including whether students may be penalized for repeated low engagement. What’s more, it’s also a concern that this data could end up in the hands of third parties and be used to potentially harm students.
Why should students be concerned about university remote monitoring software?
Most people don’t like the idea of being constantly monitored, and universities’ use of remote tracking software could cause students significant anxiety as to whether they are ‘doing enough.’ Given that university is often highly stressful for students and that many already struggle with their mental health, there is a real danger that this active monitoring could make things worse.
However, there are also significant potential risks that could rise from the actual data that universities are collecting about their students.
Concern 1: student mental health
One concern is how universities will use the data themselves. For example, if students are considered to be not sufficiently engaged, what action will the university take?
If, for example, this triggers a conversation with a personal tutor of the offer of extra support, this could be positive. However, if there is the potential for students to be kicked off their course if they fail to meet the required level of engagement, this could add an increased level of stress.
Concern 2: whether the data will be truly reflective
Students could also become ‘victims of the algorithm’ if, for example, they miss an online seminar for a legitimate reason, but this is still recorded as an absence. While a tutor might be understanding, there is no guarantee this will be reflected in the held data about a student. This could affect decisions about their level of engagement.
Concern 3: breaking GDPR principles
There is also the possibility that universities might pass on data about students to third parties, such as potential future employers. For example, if a former student has been offered a job, checking their level of engagement with their studies could become a part of the background check process. This could mean that any perceived issues with a student’s engagement could affect their future employment.
Concern 4: data breach risks
Another risk that cannot be overlooked is what would happen if the university suffered a data breach. Richard Forest, Senior Associate at the UK’s leading data breach claims solicitors, Hayes Connor, commented on this area of the issue. He said:
Should a university’s systems be hacked or data about students be accidentally leaked, all sorts of sensitive information about students could potentially be accessed by cybercriminals.
A data breach could put students at serious risk of fraud, blackmail and other crimes. Ultimately, the more information a university has about students, the more valuable that can be to cybercriminals.
What students can do to protect their data rights
If you are a student or parent of a student whose university is using remote monitoring software, there are several things you can do to make sure you understand and minimize any risks.
1. Read the university’s privacy notice
Firstly, your university should have issued a privacy notice covering important points such as:
- What data is being collected,
- How it will be used,
- How long it will be stored for, and
- Whether it can be passed to third parties.
While nobody much likes reading privacy notices, it is really important to do so in this case so you know exactly what you are agreeing to.
Ideally, this data should only be held for the duration of your studies and should be kept within the institution i.e. not shared with or sold to third parties such as employers and insurers. If you are unclear on either of these points, you should contact your university for answers.
2. Be vigilant for data breaches
Secondly, you need to be alert to the possibility of a data breach occurring at your university. If their systems are hacked or an accidental data leak occurs, sensitive information about you could become available to cybercriminals, putting you at risk of fraud.
Your university will be legally obliged to inform you if they discover a data breach, but you can also use sites such as haveibeenpwned.com to check whether your university email address has been compromised in a data breach. This can provide a good early warning that there might be a problem.
3. Concerned about the university using your data?
Finally, if you are concerned about the way your university is collecting or handling data about you, you have a number of options. You can raise the issue with your university who should be able to inform you who is responsible for dealing with data collection and processing so that you can contact them directly. You can also contact your student union, who may be able to escalate the matter.
If your concerns are not addressed, you may need to make a complaint to the Information Commissioner’s Office (ICO), which is the UK independent regulator for data privacy. ICO can order organizations to make changes to the way they handle data. It also has the power to issue fines where the Data Protection Act has been breached.
Ultimately, it is likely that this type of remote monitoring of students is here to stay. Therefore, it is essential to be aware of the risks and make sure you take the right steps to protect yourself during your studies and in the future.
About the Author: Christine Sabino is a Senior Associate at the UK’s leading data breach claims solicitors, Hayes Connor. She has represented clients in some of the most complex and high-value data breach cases, and also manages the Hayes Connor team on a day-to-day basis. Their main focuses include identity theft, phishing, hacking, fraud, copyright infringements, cyber extortion, and online harassment. If you feel you’ve been affected by a data breach, head to hayesconnor.co.uk for more information.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.