By Colin Anson
The digital era has given rise to a culture where taking photos and sharing them are the norm. What does this mean for photos taken at and for educational institutions? How can educators ensure the privacy of students in their care?
When Teach Queensland ran an image on its Facebook page to promote teaching as a profession, it did not anticipate the backlash it received for using a student photo without permission. The image depicted a teacher surrounded by young boys of Indigenous appearance marked with white body paint and wearing red bandannas. The caption read, “I always had a soft spot for the trouble makers, the misunderstood, the kid that everyone thought wouldn’t make it.”
Academic Dr Chelsea Bond condemned the image for its derogatory implication – that Indigenous boys are trouble makers and less likely to ‘make it’ – and doubled down on the organisation’s use of the image because one of the boys was her son and she had not given permission for Teach Queensland to use it.
There are a number of risks associated with image sharing, and many parents and educators know about well-publicised negative outcomes, from cyberbullying and identity theft, to stalking and child photo harvesting by paedophiles. But the seemingly innocent uses, such as Teach Queensland’s, are less well known and can actually have lifetime implications for some children.
Consider a child, already embarrassed by his or her learning difficulties, who becomes the brochure image for the remedial learning department, or a shot of an awkward teen competing at the dreaded swimming carnival used in the school newsletter. Using photos inappropriately or without consent can cause a lifetime of pain, especially in children susceptible to anxiety or depression. In this Instagram-driven world where, since the introduction of social media ten years ago, there has been a 68 percent increase in girls 17 years old and under self-harming due to the rise in body dissatisfaction, insecurity and low self-esteem about their appearance, I think it is time we should all start to worry.
In this digital age, image control and privacy management are essential, especially at educational institutions where there is a duty of care.
Image Control and Duty of Care
An institution has a responsibility to ensure that any personal information shared by students and their caregivers is always kept secure, well-protected and private. Images and recordings are part of this remit. The issue is that images form part of many school activities – from identifying students to marketing and communications – so how should an organisation approach security and privacy while still maintaining functionality?
To be effective, the consent process must not be coercive. For example, schools cannot say if consent is not provided, a student cannot enrol – that is a condition of entry. Moreover, different types of consent should not be bundled; bad consent forms will often lump everything on one form with an ‘all or nothing’ sign-off in the hope that it will make administration easier, when it actually makes the process more complicated.
There will also be special cases where parents or a court order have requested no photos of their children are ever to be taken, shown or shared, and schools struggle with adhering to these wishes because they have not kept an adequate record of these students and restrictions.
If images are necessary for the school to function, such as to identify students at the daily roll call or for medical purposes, for example, to identify those who are at risk of anaphylactic allergic reactions, these conditions should be clearly and visibly stated in a school’s Collection Statement or Privacy Notice for a student to read and understand before they supply personal information.
Dealing with Technical Issues
Protecting student images must be a core component of any responsible effort to use data and technology to improve school and student outcomes. The issue is that many institutions are not set up for complex image management because there are few technical solutions that are fit for this purpose.
Heard about the school that pinned up images of students who did not consent to having their photo taken, so the teachers would remember the special cases? What about the one where teachers spent hours matching kids in photos with parents? Or the case where using the photo management tool involved a 32-step process to upload and access an image?
For starters, many schools do not have a central repository to store and retrieve images. Images might be scattered across multiple servers, hard drives and devices across the entire school community, which means it is easy to lose track of what has been captured, who has it and where it has been stored – not just an issue of storage and accessibility, but also risking security breach.
Photo management is a time-consuming and laborious task for teachers and school administration staff. The files need to be properly tagged with the student’s name, organised by consent and permissions, and then stored (preferably together) somewhere safe and secure where they can only be accessed by those authorised to use them.
It is common for this role to fall to one person, and oftentimes it is not their primary role, merely added on to their main job of teaching, administration, or marketing. Even if the school does have a full-time photo manager, once that person leaves or retires, who takes on this responsibility? It is a major resourcing issue and strain for schools today as their image collection continues to grow at a rapid pace, and demand from parents to gain access to everyday school content of their children increases.
Educational institutions need a solution that not only meets all the criteria to provide duty of care but has been built with security and privacy as a priority. Schools without a way to collect and apply explicit and specific consent via an automated, central system that stores, identifies, classifies and matches consent wishes at the asset level are at risk. Negative outcomes do not just put children in harm’s way; image mismanagement means the school is unable to comply with privacy law and practise duty of care, which exposes the institution to legal ramifications and damage to school reputation.
Preventing Data Breaches
In Australia’s privacy laws, schools have obligations in relation to ensuring that personal information is kept secure. These obligations include taking reasonable steps to prevent unauthorised access, use or misuse, disclosure, destruction or loss of personal information, dependent on the type of personal information they hold, the format it is kept in, and the degree of sensitivity it has to the individual. Additionally, there are obligations regarding the transfer of personal information overseas.
Schools are increasingly using cloud-based services for image management. Schools remain responsible for ensuring the privacy and security of personal information collected from students, even if they pass along the management of that personal information to someone else.
The Deloitte Australian Privacy Index ranks the education sector as one of the weakest sectors on privacy. Using digital technologies or cloud services to deal with student images? Then:
- read and understand their terms and conditions
- check they are subject to the requirements of the Privacy Act 1988
- agree to all the uses and disclosures of the school’s and its students’ information set out in those documents
- check they have adequate controls in place to secure personal information
- check they do not store data in a jurisdiction that is less secure than Australia
- check that clients have control over the service should the service do the wrong thing: Will they stop? Will they be able to get the information back? Can clients seek remedy for any harm suffered as a result of their action?
Schools that give their business to privacy compliant local providers arguably reduce their risk, so consider using Australian companies or an Australian subsidiary of a global outfit, and make sure they manage and store data and any backups securely in Australia.
Technology has certainly made it easier for a school to store and use the information it collects about students, but the digital age also brings new challenges with regard to image control and privacy management. An educational organisation with a clear policy and robust consent processes is already streets ahead of the industry when it comes to protecting its students, meeting its legal obligations and maintaining its reputation. Finding the right tool to implement these elements is the next step.
Colin Anson is a digital entrepreneur and the CEO and co-founder of the child image protection and photo storage solution pixevety (https://pixevety.com/). In 2012, Colin saw an opportunity to create a unique business within his area of passion – photography. He witnessed first-hand the potential risks and harm the mismanagement of photos can have on children. He became an advocate for protecting every parent’s right to determine how their child’s photo is used and protecting every child’s right to safety and digital privacy. After learning of the minefield of privacy laws and the daily stress for schools in managing and sharing the photos of every single student, Colin decided to do something about it. And pixevety was born.
Latest posts by Education Technology Solutions (see all)
- Why Bridging the Cybersecurity Knowledge Gap in Education is a Collective Responsibility - April 29, 2021
- Keystroke biometrics – a happy medium for schools - April 20, 2021
- Safely Manage Remote Learning - April 1, 2021