Privacy

by Clint Lalonde on EdTech, Privacy, WordPress

Fall projects

I’ve got a busy fall on the go with some new initiatives and projects keeping me busy.

EdTech Demos

This is a new educational technology initiative here at BCcampus, designed to help expose the system to some new ideas and educational technologies. These are free 30-60 minute virtual  demonstrations done about once a month.  So far I’ve done 3 of these demo sessions (Canvas, FieldPress, H5P) and I’ve been very happy at the response and attendance from the post-sec system.

One of the goals I have is to try to make some space for open source educational technologies as these are often interesting projects that don’t have the marketing or promotional budgets of a commercial edtech company. But there will be a mix of commercial and open source, big and small to try to get a nice flavour of what is happening in the edtech space. I have 2 more schedule for this fall, one with D2L Brightspace on Learning Analytics at the end of October, and another with Hypothes.is in late November.

I’ve put together an email notification system that people can sign up for to get notified when these demos happen. I am shooting for about one per month.  I’m also looking for suggestions of edtech that you would like to see a demo of.

Guide on the Side Sandbox

I’m also coordinating a sandbox project with a group of academic librarians from aroun d the BC post-sec system for an open source application called Guide on the Side. Guide on the Side is an open source app developed by the University of Arizona to create guided tours of websites and web applications. We are just in the process of installing the software and forming our community. This sandbox project will run for the next 6 months as we test out the software. I am trying to put together some edtech evaluation frameworks (SAML, RAIT, etc) to use as a guide for evaluating the software. I imagine I’ll end up cobbling a few of these together to come up with a framework that works for what we want our sandbox projects to do.  We’ll be releasing our findings in the spring.

EDUCAUSE

I’ll be heading to EDUCAUSE in Anaheim at the end of the month. The last time I was at EDUCAUSE was in 2007 where I first met Bryan Alexander and learned about this new thing called Twitter. I don’t know if this one will be as memorable (Twitter became kind of a big deal in my life), but I am looking forward to attending.

I am in a bit of session overload right now as I plan to attend and put together my schedule. I forgot just how massive this thing is. Holy session overload! One time slot I am looking at has 53 concurrent sessions. Even when I filter from 7 to 3 streams, I still have 25 options. This one looks most relevant for how I feel at this moment.

capture

As I have written about before, I am intrigued by a few new technologies and ways of thinking about edtech that have been coming out of EDUCAUSE, specifically the idea of Next Generation Digital Learning Environment (NGDLE) and applications like CASA. These are the sessions I’ll be attending, along with some more on personalized and adaptive learning which I feel I have a good conceptual understanding of, but have yet to get a good grasp on some of the more practical applications of these technologies.

Privacy Impact Assessment & WordPress Projects

One of the other projects I have on my plate for this fall is some Privacy Impact Assessment work for the BC OpenEdTech Collaborative. We had a very productive meeting of our WordPress group where one of the barriers identified by the group was the lack of clarity about data sovereignty and privacy with the technical solutions we are looking at (EduCloud, Docker, and WordPress itself).

While we do have a FIPPA compliant hosting service in EduCloud, that is just one (albeit significant) piece of the FIPPA puzzle. But there may be other privacy considerations when it comes to using WordPress. For example, a plugin may potential disclose personal information to a server outside of Canada.

Since privacy and FIPPA (within the context of educational technology) is part of my wheelhouse, I’ve taken on coordinating a Privacy Impact Assessment for an EduCloud based WordPress project.  Since a privacy impact assessment is something that is done on an initiative and not just the technology used as part of the initiative, I’ll be taking a fairly in-depth look at one of our applications of WordPress and using it to construct a Privacy Impact Assessment report that can then (hopefully) be used as a template for other initiatives using similar, but slightly different technologies. I have an idea of how to do this in my head, but haven’t yet fully formed how to execute it yet.

Other stuff

There are a number of other projects I have on the go right now (including a big one with BCNET and UBC developing an onboarding process for institutions who wish to join the provincial Kaltura shared service), and participating on the SCETUG steering committee. But these are likely the ones I’ll be blogging about over the coming months.

Oh, and something unrelated to my work with BCcampus – I’ll be spending some time prepping to teach in the new year at Royal Roads University in the Learning & Technology program. The course (normally taught by George Veletsianos) is  LRNT505: Community Building Processes for Online Learning Environments, and I am thrilled to be able to get into a (virtual) classroom and work with students. Being that I have been out of an institution for the past 4 years, I am immensely grateful to have the opportunity to jump back into an institution as a faculty member & work directly with students.

 
by Clint Lalonde on Privacy

Privacy & Security Conference

Spent last week at the 17th annual Privacy and Security Conference in Victoria. The event is put on by the BC provincial Office of the CIO & Ministry of Finance. What follows are some notes from the sessions I took in.

Overall, the conference was better than I expected, although I found the huge number of vendor and vendor presentations disconcerting. The vast majority of attendees at this conference are primarily from government ministries and departments. As a bit of an outsider, I was troubled by the amount of prime time given to the likes of Oracle, IBM and Microsoft to pitch directly to those in government who make the decisions around IT, privacy and security. There were many problems raised that – surprise – there were solutions to. I’m not naive to believe that there isn’t a cozy relationship between government and big tech business, but seeing so much of the conference as a sales pitch to government raised the ick factor for me moreso than the usual conference vendor presence. I hope that, at the very least, BC taxpayers made a chunk of sponsorship cash from the conference.

That said, there were some good sessions. My interest was more on the privacy side over the security, so I passed on a lot of the security bits and stuck with mostly privacy sessions.

The first day was dedicated to pre-conference half-day workshops, and the two I attended (Privacy & Ethics, and Privacy Governance) were perfect primers for me coming into a new role that will have privacy and FIPPA as an integral component of the work I’ll be doing.

Privacy is a fairly new societal concept. It wasn’t until the 1890’s that this idea of personal privacy as a right began to appear in legal journals, driven by new information technologies of the day (the party line telephone and postcards). Interesting to see how technology remains the primary driver behind privacy discussions today.

Privacy is contextual was a reoccurring message throughout many of the governance and legal sessions I attended. Meaning that, while there is both constitutional and common law around privacy, there is still room for interpretation.

The legislation in BC is driven by some key principles of privacy governance – that the right information is gathered and used by the right person at the right time for the right purpose and in the right way. Practically speaking this means taking measures to ensure that you (as someone collecting personal information) only collect what you need for the purpose you need to collect it for, and only use that data for the purpose you collected it for.

Keynote: Richard Thieme

Richard Thieme did a good keynote on day one, although the title of his talk The Porous Borders of the Modern Imagination: Privacy, Trauma and Mass Media led me to believe there would be some critical analysis of the role of the mass media in shaping the narrative of security, privacy and state surveillance. It never materialized. But the keynote was enjoyable as Thieme provided some historical context around privacy that helped frame the themes of the rest of the conference for me. He also reminded me of how powerfully right McLuhan was when he said (to paraphrase), “we look to the future through a rearview lens”, and how that lens is both comforting and problematic.

ISO 27018

Chantal Bernier (former Privacy Commissioner of Canada) introduced me to the international code of practice for personally identifiable information in public clouds, also known as ISO 27018 standard. It’s a fairly new standard from ISO, but I can imagine we’ll begin to see this certification being stamped on all manners of services from IT companies offering cloud services. I wonder if this standard may be under consideration by the BC government as they review the current FIPPA legislation?

The TPP and BC’s FIPPA

BC Privacy Commissioner Elizabeth Denham did touch on the current FIPPA review (which a number of educators and educational technology groups have contributed briefs to). The big point in Denham’s talk that jumped out at me was that she believes that the BC privacy laws around local storage of data will hold a trade challenge should the TPP and its clause on allowing the free flow of data across borders be ratified in Canada.

Sketchnoting my way thru the conference

I tried something different this conference. Rather than firing up my laptop and taking part in the backchannel (which, whenever I checked, was crickets considering there were something like 700 people at the conference), I decided to work on sketching some notes during the talks I attended. I have to say, I loved doing this. I found I paid closer attention to the speakers, and my brain had to work hard to try to organize concepts and thoughts on the fly. I can see the appeal and will definitely be using this again in the future.

2016-02-09 16.52.15

2016-02-09 16.53.01

 
by Clint Lalonde on EdTech, Privacy

Amazon Web Services coming to Canada

In a blog post on the AWS site, Amazon Web Services Chief Evangelist  Jeff Barr announced that Amazon Web Services will be bringing their cloud computing service to Canada sometime this year.

This is potentially big news for edtech in Canada where our privacy laws have hindered the use of cloud based services where personal data may be stored outside of the country.

These days, it’s hard to find scalable edtech infastructure and services that are not built on AWS (or other) cloud services, and having data stored outside of Canada using cloud services has traditionally been a barrier to adoption for Canadian institutions. Not a deal breaker as there are ways to mitigate and still be compliant with privacy laws through informed consent, etc. But for many, the P.I.A (Privacy Impact Assessment) is a P.I.A. and enough of a barrier that it hindered the use of cloud based services.

For an edtech example, Canvas has had very little uptake in Canada because it is built on AWS.

Of the 25 public post-secondary institutions in BC, there is only a single institution using Canvas, and they are self hosting to work around the data storage issue. With a regional offering of AWS in Canada, I would expect to see a company like Instructure bring Canvas north of the border soon, and it being a serious contender for institutions undertaking LMS reviews.

While not explicitly stated in the release that it will be compatible with all the different provincial and federal privacy laws, it’s hard to imagine Amazon rolling out services in Canada that are not as compliant as possible. Indeed, privacy compliance with federal and provincial laws would be one of the biggest selling points for the service in Canada, as PCWorld notes;

Having a dedicated Canadian region will be important for organizations that need to comply with the patchwork of regional data protection laws Canada has, which requires the storage of some types of data inside Canada, depending on where the storer is located.

Although the question of “does legislation actually make a difference where data is stored in an interconnected world?” hangs in the air, with many seeing these regulations as doing nothing by providing the illusion of data protection for citizens.

And who knows, the TPP may get ratified in Canada and then it is a different data protection game altogether as the TPP clause on free flowing data between member countries would put it at direct odds with provincial & federal privacy laws. And while edtech might win with the TPP in that we get better access to more cloud services,  I have real concerns at what the cost to the rest of our society might be.

Addendum

Shortly after I posted this, Scott Leslie tweeted in response to this post that even if the servers are located in Canada, there is still a question of where the parent company is located.

Photo:Sensitive Data sign, Freegeek, Portland, Oregon, USA by Cory Doctorow CC-BY-SA