Could universities’ use of surveillance software be putting students at risk?
Christine Sabino, Senior Associate at Hayes Connor, explores concerns over the ways universities are using student data.
Life for university students has changed massively during the coronavirus pandemic, as it has for the rest of us. While some in person lectures and seminars are still taking place, there has been a big shift to remote learning. This has, perhaps understandably, led to concerns about how well students are engaging with this way of studying.
Many universities have sought to address this by turning to remote monitoring tools to track students’ online activities. These tools track students’ attendance at lectures and seminars, as well as library visits and other ‘points of engagement’. The idea is that this then shows universities how engaged each individual student is with their studies.
The question is, how are these new ways of learning effecting students, and are they putting student data at risk?
The facts and figures
At least 27 UK universities have been using this type of tracking software, including 23 out of the 24 Russel Group universities, as well as Nottingham Trent University, the University of Hull and York St John University. It is likely that the use is even more widespread or will become so in future.
Exactly what is being monitored depends on the university and the particular software being used. One popular tool, Solutionpath Stream, tracks data including how often students:
- Attend lectures, seminars and workshops
- Log onto their virtual learning environment (VLE)
- Log onto university computers
- Submit work
- Access online content
- Check books out of the library
- Print, scan or photocopy documents
In theory, monitoring students’ engagement with their studies could be a good thing. Where a student is deemed to have low engagement, if could trigger the university to investigate why and offer any extra support the student needs.
However, there are concerns about exactly how this data will be used, including whether students may be penalised for repeated low engagement. What’s more, whether this data could end up in the hands of third parties where it could be used for purposes that may be harmful to the students in question is also a worry.
Why should students be concerned about university remote monitoring software?
Most people don’t like the idea of being constantly monitored, and universities’ use of remote tracking software could cause students significant anxiety as to whether they are ‘doing enough’. Given that university is often highly stressful for students, and many already struggle with their mental health, there is a real danger that this active monitoring could make things worse.
However, there are also significant potential risks that could rise from the actual data universities are collecting about students. These include:
Concern 1: student mental health
One concern is how universities will use the data themselves. For example, if students are considered to be not sufficiently engaged, what action will the university take?
If, for example, this triggers a conversation with a personal tutor of the offer of extra support, this could be positive. However, if there is the potential for students to be kicked off their course if they fail to meet the required level of engagement, this could add an increasingly level of stress.
Concern 2: whether the data will be truly reflective
Students could also become ‘victims of the algorithm’ if, for example, they miss an online seminar for a legitimate reason, but this is still recorded as an absence. While a tutor might be understanding, there is no guarantee this will be reflected in the held data about a student. This could affect decisions about their level of engagement.
Concern 3: breaking GDPR principles
There is also the possibility that universities might pass on data about students to third parties, such as potential future employers. For example, if a former student has been offered a job, checking their level of engagement with their studies could become a part of the background check process. This could mean that any perceived issues with a student’s engagement could affect their future employment.
Concern 4: data breach risks
Another risk than cannot be overlooked is what would happen if the university suffered a data breach. Christine Sabino, Senior Associate at the UK’s leading data breach claims solicitors, Hayes Connor, commented on this area of the issue. She said:
“Should a university’s systems be hacked or data about students be accidentally leaked, all sorts of sensitive information about students could potentially be accessed by cybercriminals.
‘A data breach could put students at serious risk of fraud, blackmail and other crimes. Ultimately, the more information a university has about students, the more valuable that can be to cybercriminals.”
What students can do to protect their data rights
If you are a student or parent of a student whose university is using remote monitoring software, there are several things you can do to make sure you understand and minimise any risks.
1. Read the university’s privacy notice
Firstly, your university should have issued a privacy notice covering important points such as:
- What data is being collected;
- How it will be used;
- How long it will be stored for;
- and whether it can be passed to third parties.
While nobody much likes reading privacy notices, it is really important to do so in this case, so you know exactly what you are agreeing to.
Ideally, this data should only be held for the duration of your studies and should be kept within the institution i.e. not shared with or sold to third parties such as employers and insurers. If you are unclear on either of these points, you should contact your university for answers.
2. Be vigilant for data breaches
Secondly, you need to be alert to the possibility of a data breach occurring at your university. If their systems are hacked or an accidental data leak occurs, sensitive information about you could become available to cybercriminals, putting you at risk of fraud.
Your university will be legally obliged to inform you if they discover a data breach, but you can also use sites such as haveibeenpwned.com to check whether your university email address has been compromised in a data breach. This can provide a good early warning that there might be a problem.
3. Concerned about the uni using your data?
Finally, if you are concerned about the way your university is collecting or handling data about you, you have a number of options. You can raise the issue with your university who should be able to inform you who is responsible for dealing with data collection and processing, so you can contact them directly. You can also contact your student union, who may be able to escalate the matter.
If your concerns are not addressed, you may need to make a complaint to the Information Commissioner’s Office (ICO), which is the UK independent regulator for data privacy. ICO can order organisations to make changes to the way they handle data, as well as having the power to issue fines where the Data Protection Act has been breached.
What’s next for the use of student data?
Ultimately, it is likely that this type of remote monitoring of students is here to stay. Therefore, it is essential to be aware of the risks and make sure you take the right steps to protect yourself during your studies and in the future.
If you have concerns over the way your university is using your data, and think you have been a victim of a breach, head to https://www.hayesconnor.co.uk/data-breach-claims/ for more information.