Online teaching and learning has boomed globally as a result of the Covid-19 pandemic.
On March 20, the Higher Education Ministry gave approval to all institutions of higher education in Malaysia to proceed with e-learning.
As part of delivering education services, the higher education sector is a repository of the personal data of both students and staff. According to the Personal Data Protection Act 2010 (PDPA 2010), any person who is the subject of, or has links with, specific data is known as a data subject, while businesses and institutions that collect and process data are known as data users.
Before the pandemic, the risk arising from e-learning under the PDPA 2010 was low due to the face-to-face classes and limitations of sharing non-electronic data.
With e-learning via Learning Management Systems (LMS) applications and social media platforms, the risk of exposing student data is higher. Academic institutions in Malaysia therefore need to observe some level of precaution in the management and processing of their students’ personal data.
Under Section 4 of the Act, processing data includes collecting, recording, holding, storing or carrying. It also includes organisation, adaptation, retrieval, transmission and making data available to others.
Obtaining the consent of the data subject is mandatory in order to store and process his/her personal data for educational purposes.
The General Data Protection Regulation 2016 (EU-GDPR) also applies to data subjects who are European Union citizens. The regulation provides additional rights for data subjects, including the right to erasure or right to be forgotten. This is particularly important for Malaysian universities with international students from EU countries.
Students and staff are the main data subjects on LMS, hence LMS developers are continuously taking steps to comply with data protection rules in the learning environment. However, the use of social media tools for teaching and learning raises major protection concerns.
Although there is implied consent given to academic institutions to process their students’ data, this obviously does not extend to sharing them on social media. A survey of 126 students in higher learning institutions in Malaysia reveals that 49.2% agreed that their personal data stored in the university system are secure and safe as opposed to 15% who felt otherwise.
A quick search of selected university websites reveals that several universities have detailed data protection policies and notices. Although there is a presumption that university students and staff are aware of these notices and policies, awareness is actually still low in the education sector.
Online learning and working from home are likely to continue into the future. Therefore, universities are expected to sensitise staff and students to any activity which could make the institution liable to offences under the PDPA 2010, such as sharing screenshots of online classes, facial features of attendees/students, and disclosure of matriculation numbers and other personal information.
Similarly, official documents and information that are normally kept in offices should remain confidential. Any unauthorised disclosure of personal data to a third party could trigger offences under the PDPA 2010.
In order to gain the trust of students and staff, higher education institutions are expected to do some housekeeping, which may include the provision of a Data Protection Policy notice, conducting awareness campaigns among students and staff, appointment of a data protection officer and setting up of internal reporting procedures through an ombudsman in the university.
DR SODIQ OMOOLA
Ahmad Ibrahim Kulliyyah of Laws
International Islamic University Malaysia