Privacy Legislation and Standards




Privacy Legislation

Jurisdictions in countries throughout North America and Europe have realized the need to protect consumer privacy and have enacted privacy legislation for this purpose. In these countries, where there is privacy legislation, individual control is required for the use of personal information, including the collection, use, disclosure, retention, and disposal of personal data by organizations that may handle that information. Privacy principles have been developed to expose the implications of privacy laws or privacy policy adopted by online organizations. In Canada, 10 Privacy Principles (CSA 1) (see Table 2), incorporated in the Personal Information Protection and Electronic Documents Act of Canada (Department of Justice), spell out the requirements for use of personal information. These principles may be implemented in computer systems to varying degrees, depending on the nature of each principle or the underlying application. For example, Principle 1 is largely manual, but portions of it can still be implemented to facilitate compliance. As a set of privacy requirements, the Privacy Principles serve as a reference to determine how well an ADL system meets these requirements.

Table 2: The 10 privacy principles used in Canada

1. Accountability: An organization is responsible for personal information under its control and shall designate an individual or individuals accountable for the organization's compliance with the privacy principles.

2. Identifying purposes: The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

3. Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except when inappropriate.

4. Limiting collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

5. Limiting use, disclosure, and retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by the law. In addition, personal information shall be retained only as long as necessary for fulfillment of those purposes.

6. Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

7. Safeguards: Security safeguards appropriate to the sensitivity of the information shall be used to protect personal information.

8. Openness: An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

9. Individual access: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

10. Challenging compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

From Privacy Legislation to Design Guidelines

The privacy legislation mentioned in subsection “Privacy Legislation” acknowledges that an e-learner should practice full control over the collection, use, disclosure, retention, and disposal of his or her personal information. The legislation also lists the principles that any online system that handles personal information, including distance-learning systems, should observe in order to comply with the legislation. These principles form, in fact, guidelines for deriving system designs. In the following sections, we will revisit each of the Privacy Principles and derive the privacy design guidelines for the LTSA-based ADL architecture presented in subsection “LTSA Based Architectural Model for ADL.”

Data Collection

One of the most important principles of the Privacy Principles is the principle Identifying Purposes, also referred to as the principle of Notice (Langheinrich, 2001) or Feedback (Bellotti & Sellen, 1993). Complying with this principle requires that parts of the system that collect personal information announce to the learner their collection practices. This includes the data the learner or the learner’s agent is asked to provide, as well as the data that can be collected without the knowledge of the learner. In the LTSA ADL architecture, both the evaluation agent and coach agent may collect personal information to derive the learning requirements and progress of the learner. Therefore, both agents are required to inform the learner agent about their data collection practices. Depending on the degree of privacy of the requested data, the learner agent may directly release the data if it was not classified as private by the learner, or the agent might warn the learner about the data collection, and solicit the learner’s feedback before releasing any information (Consent principle).

Closely related to Identifying Purposes is the principle of Openness, which requires the system to make readily available information about its policies and practices relating to the management of personal information. A distance-learning system can publish its privacy policies at a widely known URL that is easily accessible to agents and learners.

Data Storage and Transmission

The Safeguards principle requires security safeguards be placed on any system component that handles a learner’s private information. Fulfilling this principle requires the deployment of safeguards in every part of the system where private information might be exposed; in the LTSA ADL architecture, this includes the data storage facility for the learner record and the networking infrastructure over which these records are transmitted. With safeguards in place, the Individual Access principle requires the distance-learning system to implement mechanisms to allow learners (or their agents) access to their records.

While the privacy principles refer directly to data that are collected, transmitted, or stored, there might still be other forms of privacy threats that are not directly related to the data collected. The physical location of the learner is an example of information that could be classified as private, and exposed if the learning content was delivered directly between the delivery agent and learner agent. Such location information may be as valuable as the content of the learning material itself, and some learners may require some form of privacy for their location information.

Privacy and Security in Data Storage

A distance-learning system may gather any type of information from learners for a number of purposes, ranging from regulating access to the learning content (authentication, authorization), to billing (accounting), to content customization or service adaptation. Systems that collect and store private information should implement appropriate security measures to protect the privacy and security of this information. Data storage facilities are usually like honeypots for hackers, and most systems make protection of these facilities a top priority. Typical security measures include authentication and authorization mechanisms that guard access to the stored data. These security measures are usually proportional to the sensitivity and value of the information they protect: a system that stores medical records usually has stronger security mechanisms in place than a system that stores records of favorite movies.

Privacy and Security During Data Transmission

With the open structure of the Internet and the readily available, easy-to-use tools for monitoring network activity, it is possible for a relative novice to extract vital information simply by analyzing the traffic patterns between the communicating entities. Some may consider that technologies such as secure sockets layers or virtual private networks provide all of the safeguards one may require for network privacy. While these technologies may protect the data transferred between parties from network snoopers relatively well, a number of passive attack techniques can reveal sensitive information about the participating communicators (Raymond, 2000). Timing and communication pattern attacks, for example, extract information about the timing of communications, the locations of the communicating parties, and the amount of information being shared. By examining the pattern, timing, origin, and destination of communications, a snooper can deduce relationships between parties. For some activities in an organization, it is vital to safeguard this information. For instance, a company may have secretly chosen a new strategic initiative wherein specialized training is required for several key members of a development team. As per a recent trend, the company may have chosen to purchase a course from an online training company. In order to maintain confidentiality concerning the new strategic direction, the company would want to ensure that it would be very difficult for anyone to determine that it has a relationship with the online training company. Indeed, the distance-learning company may wish to distinguish its offerings from the competition by providing customers with the option of allowing students and employers to keep their network interactions confidential.

Limiting Data Collection, Processing, and Retention

A privacy legislation compliant distance-learning system must limit data collection to the minimum necessary information required to complete the purposes identified by the system. Coach and evaluation agents must collect this information from the learner by fair and lawful means. In addition, this information can only be processed or disclosed for the purpose for which it was collected, unless the learner has otherwise consented, or when it is required or permitted by law. Additionally, the system may retain a learner’s information only for the period of time required to fulfill the purpose for which it was collected.

Accountability and Challenging Compliance

Because the distance-learning system deals with private information about learners, the provider of the system should be held responsible for the management and protection of this information. In fulfilling this requirement, the provider is required to designate an individual who is accountable for the system’s compliance with the Privacy Principles. In addition, the provider should clearly outline the procedures that a learner would follow in case of questions or enquiries with respect to the provider’s privacy practices. The provider should also outline the dispute resolution mechanism in case of complaints.

Location Privacy

While some distance-learning systems give learners the freedom to select the time and learning content according to their preferences and convenience, service mobility in distance learning offers learners additional freedom: a learner agent can access the distance-learning service anywhere using any available device. Wireless communication and device mobility complement service mobility, as through this technology, learning content can be delivered to a learner agent running on mobile computing devices, such as Personal Digital Assistants (PDA) and Internet-enabled cellular phones. Using these mobile devices, learners can receive learning content anywhere, at any time, while traveling, commuting, or waiting in line.

Location privacy is of particular importance for mobile distance-learning systems and can be considered as an extension to network privacy. With the convenience of delivering learning content to mobile devices, there is the potential of jeopardizing the location privacy of the learner. Some learners might be reluctant to reveal the location from which they are accessing learning content and consider this information private. Compiling this location information may provide useful information about the mobility pattern of the learner, which could be useful for a third party interested in the mobility aspect of learners.

Privacy and Trust Requirements from Distributed-Learning Standards

Standardization and compatibility are important factors for consideration by distance-learning vendors and users looking to sell or purchase portable content and interchangeable components on the market. Emerging standards for distance learning and education are having major influences on the development of distance-learning systems. The relevant standards bodies and specifications include the IEEE Learning Technology Standards Committee, the IMS Global Learning Consortium, the Aviation Industry CBT Committee, the Alliance of Remote Instructional Authoring and Distribution Networks for Europe, and the Advanced Distributed Learning-Sharable Content Object Reference Model. Privacy and security requirements are also addressed in many of these standards. We consider here the IEEE P1484 and IMS LIP in more detail.

IEEE P1484

The IEEE P1484 is a standard for learning technology proposed by the Learning Technology Standards Committee (LTSC) of the IEEE Computer Society. The specification of Public and Private Information (PAPI) for Learners (P1484.2, 2000) outlines privacy and security requirements that are more specific than privacy legislation. It defines the elements for recording descriptive information related to the learning process, learner relationships, learner preferences, learner performance, and portfolios. It categorizes the security and privacy concerns from the points of view of different stakeholders, such as developer, institution, regulator, and user.

With respect to privacy, P1484.2 requires that security techniques, including physical security and confidentiality, be used to provide privacy protection. Further, institutional administrators and users may all act as privacy policy makers, mandating privacy-related policies that are implemented via a variety of security techniques, technologies, processes, and procedures.

Table 3 lists the featured elements of IEEE P1484 relating to security and privacy.

Table 3: Featured elements of IEEE P1484 on security and privacy

Model                                  Specification
Session-View Security Model            D
Nonrepudiation Model                   I
Security Parameter Negotiation Model   D
Repudiation Model                      I
Security Extension Model               D
Privacy Model                          N
Access Control Model                   D
Confidentiality Model                  N
Identification Model                   I
Encryption Model                       N
Authentication Model                   O
Data Integrity Model                   N
De-identification Model                O
Validation of Certificates             N
Authorization Model                    I
Digital Signature Model                N
Delegation Model                       I

D = Defined: The model or requirements are defined or provided.
I = Implementation-dependent: The detailed methods are dependent on implementations.
O = Outside the scope: The methods are outside the standard.
N = Nonspecified: The standard does not specify the model and requirements.

IMS LIP

The IMS Global Learning Consortium (IMS GLC) is an organization working on developing open specifications for distributed learning. It addresses key problems and challenges in distributed-learning environments with a series of reference specifications, including Meta-data Specifications, Enterprise Specification, Content & Packaging Specification, Question & Test Specification, Simple Sequencing Specification, and Learner Information Package Specification. Among these, the IMS Learner Information Package (IMS LIP) Specification addresses the interoperability of learner information systems with other systems that support the Internet learning environment. In this standard, “learner information” is defined as the collection of information about a learner or learning provider. The typical sorts of learner information include education record, training log, professional development record, lifelong learning record, and community service record (e.g., work and training experience). The ways of organizing learner information are specified in this standard so that learning systems can be more responsive to the specific needs of each user.

In order to maintain the privacy and security of the learner information, the IMS LIP specification designates a learner information server that is responsible for exchanging a learner's data with other information servers or other systems (e.g., a delivery system). The server is required to support an information owner, who defines which parts of the information are shared with other systems.

The IMS LIP treats data privacy and integrity as essential requirements. Although the standard does not define any details of implementation mechanisms or architectures that could be employed to support learner privacy protection, its final specification V1.0 (IMS GLC, 2001) provides the following structures to support the implementation of “any suitable architecture” for learner privacy protection:

  • Privacy and data protection metastructure: Within a learner information tree structure, each tree node and leaf has an associated privacy description, which defines the privacy level, access rights, and data integrity concerns for that item. The granularity of information is the smallest set of data that cannot be further broken down into items with independent privacy descriptions.

  • “SecurityKey” data structure: The security keys for the learner include password, public key, and digital signatures. In this structure, the password and security codes are used for communication. The structure can allow for public key encryption, data authenticity, and password-based access control on learner information.
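As an added illustration (not code from the book or from the IMS LIP specification), the following Python models a learner-information tree whose nodes carry the per-node privacy descriptions just described, together with a learner agent that applies the Identifying Purposes, Consent, and Limiting Use guidelines from the earlier sections when a coach or evaluation agent requests an item. The node names, agent names, purposes, and decision strings are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

# Privacy description for one node of the learner-information tree (hypothetical
# form, modelled loosely on the IMS LIP privacy and data protection metastructure).
@dataclass(frozen=True)
class PrivacyDescription:
    level: str                 # "public" or "private", as classified by the learner
    purposes: FrozenSet[str]   # purposes identified when the data were collected
    readers: FrozenSet[str]    # agents holding access rights to this subtree

@dataclass
class Node:
    name: str
    privacy: Optional[PrivacyDescription] = None  # None: inherit from nearest ancestor
    children: Dict[str, "Node"] = field(default_factory=dict)

class LearnerAgent:
    """Mediates coach/evaluation agent requests for items of the learner record."""

    def __init__(self, root: Node, consents: set):
        self.root = root
        self.consents = consents  # (path, requester, purpose) triples the learner approved

    def effective_privacy(self, path: str) -> PrivacyDescription:
        # The nearest ancestor carrying a description governs its whole subtree.
        node, desc = self.root, self.root.privacy
        for part in path.split("/"):
            node = node.children[part]
            desc = node.privacy or desc
        return desc

    def decide(self, requester: str, purpose: Optional[str], path: str) -> str:
        if not purpose:                                      # Identifying Purposes
            return "deny:purpose-not-identified"
        desc = self.effective_privacy(path)
        if requester not in desc.readers:                    # access rights
            return "deny:no-access-right"
        consented = (path, requester, purpose) in self.consents
        if purpose not in desc.purposes and not consented:   # Limiting Use
            return "ask-consent:new-purpose"
        if desc.level == "private" and not consented:        # Consent principle
            return "ask-consent:private-item"
        return "release"

def build_sample_record() -> LearnerAgent:
    # Constructed learner record; node names, agents and purposes are illustrative only.
    public = PrivacyDescription("public", frozenset({"assessment"}), frozenset({"coach", "evaluator"}))
    private = PrivacyDescription("private", frozenset({"assessment"}), frozenset({"evaluator"}))
    root = Node("learner", public, {
        "preferences": Node("preferences", children={"language": Node("language")}),
        "performance": Node("performance", private,
                            {"quiz-scores": Node("quiz-scores"), "attendance": Node("attendance")}),
    })
    return LearnerAgent(root, {("performance/quiz-scores", "evaluator", "assessment")})
```

The "ask-consent" results are where the learner agent would warn the learner and solicit feedback before releasing anything, as described under Data Collection.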






Designing Distributed Learning Environments with Intelligent Software Agents
ISBN: 1591405009
Year: 2003
Pages: 121