Three of Canada's privacy regulators (the Office of the Privacy Commissioner of Canada (OPC), the Information and Privacy Commissioner of Ontario (IPC), and the Office of the Information & Privacy Commissioner for British Columbia (the OIPC)), along with 21 other data protection regulators from around the world, participated in the Global Privacy Enforcement Network (GPEN)'s 2017 annual privacy sweep.
GPEN's 2017 privacy sweep was led by the UK Information Commissioner's Office (ICO), and the overarching theme for this year's sweep was "user controls over personal information".
This year's sweep included twenty-four data protection regulators examining the privacy notices, communications and practices of 455 websites and applications, and considering whether, from a user's perspective, it was clear on those websites and applications what personal information was collected, for what purpose(s), and what use(s) would be made of the personal information.
The OPC, which enforces Canada's federal private sector privacy law (the Personal Information Protection and Electronic Documents Act), teamed up with the IPC, which enforces the provincial Municipal Freedom of Information and Protection of Privacy Act, the Freedom of Information and Protection of Privacy Act, and the Personal Health Information Protection Act, 2004, to examine how educational applications targeted towards children and youth (between kindergarten and grade 12) are addressing privacy issues.
The OPC and IPC jointly examined 27 online educational services that had been selected because educators had identified the services as being used in English and French classrooms and the services were available free-of-charge (at least on a trial basis). The OPC and IPC examined the services from the perspective of an 8-year-old and a 15-year-old. The sweep by the OPC and IPC demonstrated that most of the services made information available to users about how the services used personal information; however, the quality of the information varied and, in some instances, the information was difficult to locate.
The manner in which a significant number of the services obtained age-appropriate consent from students or parents/guardians also raised concerns. More than one-third of the services examined did not seek consent from either students or parents/guardians. Instead, the services relied on consent from teachers.
Some of the services were not engaging in practices that minimized the personal information of students that was collected and disclosed, nor were they enabling teachers and parents/guardians to establish age-appropriate limits and monitoring on the collection and disclosure of students' personal information. Several of the services examined committed to not sharing children's personal information with third parties for marketing purposes, which pleased the OPC.
The inability to remove/delete personal information from the services was a major concern for the OPC and IPC. Many of the services did not make it straightforward, or even possible, to remove/delete personal information from the services, and fewer than half of the services examined provided readily available information to users about the services' retention practices for inactive/dormant accounts.
As a result of the OPC, IPC and OIPC's participation in the 2017 GPEN privacy sweep, additional public education will be provided to Canadians.