A vast array of student information is collected under protective measures in secondary schools and colleges, yet the pupils are not always aware of what is being collected and how it is being stored and processed.
Children can be exposed to a variety of online harms, from cyber bullying to doxing and grooming, which they may not know how to deal with. Schools have a duty of care to ensure their pupils are protected from harm, but they often struggle to access the resources required for adequate protection.
A new industry has emerged to help schools better protect their pupils: adapting law enforcement technologies and deploying them in the education sector. Internet monitoring (including IP address tracking), CCTV and biometric scanners (fingerprints, voice and facial recognition, etc) are being offered to schools and colleges.
“The monitoring of devices has been sparked by the need to control security and what’s coming into the school network environment,” says Colin Tankard, managing director of Digital Pathways. “School IT departments are stretched, and they don’t have the resources. Sometimes they put something in place that’s really controlling, or they go the opposite way and do nothing.”
Hidden surveillance
Some schools now monitor what pupils do and where they go, as well as the websites they visit, what they type and the messages they receive, which may include financial and medical information.
“This technology effectively sits in a no man’s land – it’s not edtech, in the sense that it’s not used for teaching and learning, and it’s not used by the children themselves,” says Jen Persson, director of Defend Digital Me. “It’s usually invisible on machines and behind what they use. It’s not something that children tend to be aware of.”
Surveillance information is generally processed and stored by third-party companies, rather than by schools. Information may be reviewed by the surveillance company for indications of dangerous behaviour. If any evidence of potential risk or harm is found, a warning is sent to the school.
Ethical implementation of monitoring tools, grounded in transparency and care, is essential for protecting students while preserving their right to privacy Katherine Howard, Smoothwall
“To protect data, all information should also be encrypted in transit and at rest, and schools must ensure storage complies with local sovereignty laws across the UK, Australia, New Zealand and the US, with data automatically erasing after 15 months to minimise exposure,” says Katherine Howard, head of education and well-being at Smoothwall. “In this new era, ethical implementation of monitoring tools, grounded in transparency and care, is essential for protecting students while preserving their right to privacy.”
There is a danger in assuming that if there is no data processing by the school, then data protection does not apply. However, according to the Data Protection Act 2018, as schools directly collect the data, the school is regarded as the “data controller” and is responsible for the appropriate processing and storage of data by all third-party companies.
“It horrifies me to think that we’ve set up these tools that create very serious and substantive risks, but because they’re under the umbrella of safeguarding children, nobody wants to be the little boy and point at the emperor’s clothes to say, ‘We have a serious problem here’,” says Persson.
Teenagers are generally IT literate and may be technically more astute than their teachers and parents. For example, one school enacted a rapacious internet surveillance policy across the student network to protect its pupils, but many of the pupils immediately switched to using mobile data on their phones, thereby bypassing all of the protective measures the school had put in place.
Normalising the panopticon
Despite attempts by children to circumvent such monitoring, the degree of surveillance technologies focused on schools is still normalising the ideology that surveillance by authorities is acceptable in the name of security.
It could be argued that widespread acceptance of surveillance is what some companies are encouraging. There have been repeated attempts to deploy surveillance technologies across corporate networks, but such attempts are typically unsuccessful due to the negative impact it has on morale in the organisation.
“This is what employers of the future want from employees, explained one leading UK school safety tech company at an edtech marketing event,” says Persson. “In a talk on safeguarding, they said very explicitly, employers want children to be ‘on point, engaged, and to expect to be monitored in the future’.
“The selling point for their safety tech was that by getting children used to it at school, the staff would be teaching them how to accept surveillance that employers will demand in the future workplace. The idea that we are normalising this in our children is very explicit in some companies.”
Children should be protected from online harms, but the execution of many of these policies focuses on preventing them from accessing inappropriate materials or preventing cyber bullying on the school network, rather than tackling the root cause of the problem. Leadership teams might think they have resolved the challenge of online harm if it is no longer associated with the school network, but the problem can persist.
“Schools have got to do something to protect the children in their care, and that might mean security has to be more robust,” says Tankard. “I don’t think it should get down to monitoring what’s being said in messages, as that’s an invasion of privacy.”
Limited regulation
There has also been limited regulatory oversight for these technologies. Surveillance technologies that would be otherwise strictly controlled and regulated when deployed in public spaces are being deployed in schools and colleges.
The UK General Data Protection Regulation (GDPR) contains provisions intended to enhance the protection of the personal data belonging to anyone under the age of 18. Transparency and accountability are part of this: what, how and where the data is being stored needs to be clearly communicated to the pupils and their parents/guardians. In all circumstances, there is a need to carefully consider the level of protection given to that data.
Biometric data, such as fingerprints, is regularly used to enable payment for school meals. This confirms identity without relying on cash, which might be lost or stolen.
Biometric information has an additional layer of regulatory protection under the Protection of Freedoms Act 2012, whereby opt-out options must be made clearly available, with alternative viable methods provided.
The amount of data being collected and the potential harm it could have on children needs to be studied by the government and regulated. Research has shown that surveillance can have a chilling effect on free speech and education.
Education is lacking a government-level policy [for a] uniform level of connection [to provide] clear guidance in a recognised standard Colin Tankard, Digital Pathways
Machine learning and artificial intelligence (AI) tools are being used to automate the data review process, but because they essentially operate as a “black box”, there is little understanding of their decision-making processes. Furthermore, AI reasoning can be flawed due to bias in historical data and may generate false positives.
Cultural issue
Cyber bullying and online harms are not just a technological problem, but a cultural issue affecting everyone. Children and parents should be properly educated and informed about the dangers presented online and how they can safely navigate the internet. However, this takes time and resources, which many schools may not have.
There are a variety of online resources available for raising awareness of online dangers. Many schools mention these in their communications to families, but it is difficult to know whether such resources are being used.
Children should be protected, but this protection needs a balanced approach to data monitoring, rather than rapacious internet monitoring in schools that normalises the idea of continuous surveillance.
“What education is lacking is a government-level policy [for a] uniform level of connection,” says Tankard. “That would take away some of these issues, because it would be clear guidance in a recognised standard, and all vendors would have to ensure that they’re part of it. Education doesn’t have anything like that.”
The Department for Education was approached for comment, but did not respond.
