E-portfolio Privacy Guidelines

A report and draft guidelines have been released on privacy of e-portfolios. These were produced for the vocational training sector in Australia, but are likely to be useful for higher education as well. Funding guidelines for the 2010 E-portfolio Implementation Trials are to be released 24 March.

1. VET E-portfolio Privacy Draft
   Guidelines:
   Considerations for managers of learner information and
   e-portfolio service providers, by Christine Cowper and Malcolm Crompton (Information Integrity Solutions Pty Ltd), for Australian Flexible Learning Framework (Allison Miller), March 2010 (36 pages, PDF, 214 Kbytes).
   
2. VET E-portfolio Privacy Impact
   Assessment research report:
   Determining the privacy requirements for
   e-portfolio use in the Australian VET sector, by Christine Cowper and Malcolm Crompton (Information Integrity Solutions Pty Ltd), for Australian Flexible Learning Framework (Allison Miller), March 2010 (45 pages, PDF, 300 Kbytes).

1. Introduction and overview
These draft guidelines have been developed for e-portfolio service providers (service providers)1 and managers of learner information (MLI)2 in the vocational education and training (VET) sector.

They are intended to offer practical guidance and some tools to assist service providers to:
• comply with obligations under applicable privacy law and avoid compliance problems which could lead to the need for costly changes or for e-portfolio systems to be under-utilised and
• assure learners that they are in control of the personal information held in an e-portfolio system and that this information will remain secure and confidential, thereby building trust and confidence, and therefore take-up,
amongst learners.

These guidelines focus on privacy compliance and good practice for service providers. They are intended to complement, not replace, service providers’ existing
privacy policies and procedures.

The advice in these draft guidelines is not legal advice and should not be relied upon as such. Rather, it is general advice about good privacy practice. If there were any conflict between these draft guidelines and relevant law or existing service provider guidelines the latter would take precedence.

These draft guidelines contain:
• a checklist of matters of privacy to consider when establishing an e-portfolio system, with some explanatory notes and tools
• an overview of privacy principles and some tips for compliance
• sample e-portfolio use cases, identifying key privacy compliance issues
• issues to consider in developing terms and conditions for e-portfolio system use.

These draft guidelines are a result of a Privacy Impact Assessment (PIA) of the use of e-portfolios in VET in 2009. The PIA was undertaken by Information Integrity
Solutions (IIS) on behalf of the Australian Flexible Learning Framework’s (Framework3) E-portfolios business activity4, as outlined in the VET E-portfolio
Roadmap (Roadmap5). The VET E-portfolio Privacy Impact Assessment Report6 details the outcomes of this PIA.

1.1 About privacy

Broadly speaking, the concept of privacy includes information, bodily, territorial and communications privacy7. Put another way, privacy is “...the right to control access to one's person and information about one's self. The right to privacy means that individuals get to decide what and how much information to give up, to whom it is given, and for what uses8”.

Australia’s sets of privacy laws focus on protecting personal information (called data protection in some international jurisdictions). They operate by setting information handling rules called privacy principles. The rules follow the information life cycle (the flow of information through an organisation), and aim to balance and take account of the interests of individuals, organisations and wider society.

Generally, privacy principles set limits and expectations about the handling of personal information. For example:
• Personal information should only be collected if necessary, and only for a specified purpose.
• Individuals should be told about matters effecting their personal information, such as to who the information might be passed on to and, in some laws, asked for consent to the collection of sensitive information. Where possible and appropriate, the anonymity of the information should be maintained.
• Personal information should be used or disclosed only in ways consistent with the stated purpose of collection, unless exceptions apply including where consent is given or law enforcement or health or safety needs apply.
• Appropriate steps must be implemented to ensure personal information is held and managed safely, as well as be accurate, up-to-date and complete.
• Individuals’ rights of access to the information held about them, and the need for corrections to be made to any inaccurate information must be explained.

1.2 E-portfolios and privacy risks

E-portfolios are becoming increasingly popular in the VET sector. They are exciting and potentially powerful tools for learners:
• undertaking course work
• collating evidence of skills and achievements
• to assist in the recognition of prior learning (RPL), or
• when seeking employment.

However, e-portfolios can hold a variety of information, including personal information about learners, some of which may be quite sensitive.

While service providers often will be providing access to an e-portfolio for learning or assessment activities, learners will largely generate the content to be stored in the e-portfolio. Learners may also be primarily responsible for mediating access to their e-portfolio by service provider staff, employers or the wider world.
This combination of factors means there is considerable potential for learners’ personal information to be inappropriately disclosed or otherwise misused (including by learners themselves). For learners, privacy risks include:

• the potential for the learner to inadvertently disclose inappropriate information, for example about a health issue or a poor assignment results, to an employer or the world at large
• that the use of an e-portfolio exposes them to online security risks such as hacking or identity fraud or theft
• that the contents of an e-portfolio are used or disclosed in ways they did not expect or welcome, either by service providers or other parties and either intentionally or unintentionally.

The consequences for learners could be severe. There is potential for embarrassment, harm to reputation, impact on current or future employment, and possibly an increased risk of identity theft. The risk increases where the e-portfolio is not confined to the ‘walled garden’ of an organisation but rather is used to actively engage in the online environment.

For service providers, failure to set up procedures to govern access, use, or disclosure of personal information in an e-portfolio system, or to support learners to
use e-portfolios safely, may lead to privacy complaints, risk to reputation or under utilisation of the e-portfolio system. ...

1 An e-portfolio service provider is an organisation which hosts an e-portfolio system.
2 People within a RTO who are responsible for the information held about learners – for example, ICT and administrative support personnel, ICT and educational managers.
3 The Framework is the national training system’s e-learning strategy: http://flexiblelearning.net.au
4 The E-portfolios business activity supports the evelopment of national e-portfolio standards to improve the portability of learner-collected evidence of learning: http://flexiblelearning.net.au/e-portfolios5 The VET E-portfolio Roadmap is a national strategic plan designed to support the diverse requirements for e-portfolios in VET, and aims to assist in the evelopment of a standards based framework: http://www.flexiblelearning.net.au/content/e-portfolios-resources
6 VET E-portfolio Privacy Impact Assessment Report :
http://www.flexiblelearning.net.au/content/e-portfolios-resources
7 For a detailed discussion of the concept of privacy see the Australian Law Reform Commission’s Report 108 For Your Information: Australian Privacy Law and Practice: www.alrc.gov.au
8 Privacy Commissioner of Canada Speech at Freedom of Information and Protection of Privacy Conference, 13 June 2002.

From: VET E-portfolio Privacy Draft
Guidelines:
Considerations for managers of learner information and
e-portfolio service providers, by Christine Cowper and Malcolm Crompton (Information Integrity Solutions Pty Ltd), for Australian Flexible Learning Framework (Allison Miller), March 2010 (36 pages, PDF, 214 Kbytes).