Three of Canada's privacy regulators (the Office of the Privacy Commissioner of Canada (OPC), the Information and Privacy Commissioner of Ontario (IPC), and the Office of the Information & Privacy Commissioner for British Columbia (the OIPC)), along with 21 other data protection regulators from around the world, participated in the Global Privacy Enforcement Network (GPEN)'s 2017 annual privacy sweep.

GPEN's 2017 privacy sweep was led by the UK Information Commissioner's Office (ICO), and the overarching theme for this year's sweep was "user controls over personal information".

This year's sweep included twenty-four data protection regulators examining the privacy notices, communications and practices of 455 websites and applications, and considering whether, from a user's perspective, it was clear on those websites and applications what personal information was collected, for what purpose(s), and what use(s) would be made of the personal information.

The OPC, which enforces Canada's federal private sector privacy law (the Personal Information Protection and Electronic Documents Act), teamed up with the IPC, which enforces the provincial Municipal Freedom of Information and Protection of Privacy Act, the Freedom of Information and Protection of Privacy Act, and the Personal Health Information Protection Act, 2004, to examine how educational applications targeted towards children and youth (between kindergarten and grade 12) are addressing privacy issues.

The OPC and IPC jointly examined 27 online educational services that had been selected because educators had identified the services as being used in English and French classrooms and the services were available free-of-charge (at least on a trial basis). The OPC and IPC examined the services from the perspective of an 8-year-old and a 15-year-old. The sweep by the OPC and IPC demonstrated that most of the services made information available to users about how the services used personal information; however, the quality of the information varied and, in some instances, the information was difficult to locate.

The manner in which a significant number of the services obtained age-appropriate consent from students or parents/guardians also raised concerns. More than one-third of the services examined did not seek consent from either students or parents/guardians. Instead, the services relied on consent from teachers.

Some of the services were not engaging in practices that minimized the personal information of students that was collected and disclosed, nor were they enabling teachers and parents/guardians to establish age-appropriate limits and monitoring on the collection and disclosure of students' personal information. Several of the services examined committed to not sharing children's personal information with third parties for marketing purposes, which pleased the OPC.

The inability to remove/delete personal information from the services was a major concern for the OPC and IPC. Many of the services did not make it straightforward, or possible, to remove/delete personal information from the services, and fewer than half of the services examined provided readily available information to users about the services' retention practices for inactive/dormant accounts.

In its post-sweep report, the IPC noted that school boards are accountable for the information practices of their educators, and that the school boards must ensure that the information practices comply with the law. The IPC has recommended that educators read the privacy policies and terms of use/service that are associated with any online educational service, and that educators consult with their school board, school principal and/or administrators prior to using any service. Furthermore, the IPC has recommended that educators provide timely and ongoing guidance to students about appropriate uses of online educational services, and that educators seek, where appropriate, the involvement and express consent of parents/guardians before providing a student's personal information to a service. Lastly, the IPC has recommended that educators minimize the identifiability of students and the collection of their personal information.

The OIPC contributed to the GPEN privacy sweep by examining the privacy materials of five local polling firms. Although each of the five firms had a privacy policy, none of them cited the applicable privacy law. As a result, the OIPC has indicated "PIPA [the Personal Information Protection Act] applies to over 380,000 organizations in BC [British Columbia]. The law sets out specific responsibilities for organizations to follow, and includes important privacy and access rights for British Columbians. I will be reaching out to umbrella associations and non-profits to inform organizations about BC's privacy laws." This year's sweep has enabled the OIPC to glean that there is some local confusion about the applicability of Canada's federal private sector privacy law in the province of British Columbia.

As a result of the OPC, IPC and OIPC's participation in the 2017 GPEN privacy sweep, additional public education will be provided to Canadians.