Data Privacy and Security for Online Teachers: Who Cares?

By Andrew Theophilou

The shift to remote online working since the outbreak of Covid-19 has once again stirred debate about data privacy and security. For freelance English language teachers in particular the implications are manifold and the dangers real. It’s not just a question of protecting your own data to avoid hacking, fraud, trolling, cyberbullying or surveillance. Teaching online can involve exchanging personal data with students in ways which were not necessary in the physical classroom environment. Depending on the type of teaching you do, this not only carries with it certain obligations under data protection regulation but also places you in a position of liability in case of a breach. 

Although there is more widespread awareness of online data protection issues these days, even privacy-conscious teachers face challenges which may prevent common sense from prevailing. In my experience, being outspoken on the subject, or even just conscientious, is usually met with a certain degree of ridicule or suspicion; you are either a bit paranoid or have something to hide. This makes it difficult to resist the less desirable practices of some language training providers, who may well put profit before the data privacy of their teachers. It is imperative, therefore, that freelance teachers keep themselves informed, because the likelihood is that they will be the ones who pay the price when things go wrong.

The issues at stake vary depending on the type of teaching you do. Many people new to online teaching have probably turned to it now in response to lockdown. In other words, they are likely to be teachers who previously worked with private language schools or academies in a physical classroom and have had to adapt to the virtual environment as a result of the pandemic. Others will be freelancers working exclusively for themselves. In both cases the situation is very different to teaching in the established virtual learning sector, which has been around for well over a decade and is dominated by global online platforms. There is, however an overlap in terms of data protection issues, particularly when it comes to communicating directly with students outside the virtual classroom.

My experience of online training has been mainly with global platforms. I first started in 2014 and the date is relevant because it precedes the watershed moment in Europe when the General Data Protection Regulation (GDPR) came into force. Although a minority of online platforms in Europe might have enjoyed a lax approach prior to the GDPR, the new regulation left no room for complacency. Crucially, however, the well-publicised introduction of the GDPR gave online platforms the time, breathing space and information needed to help them define and articulate their new data protection policies before disseminating them among teachers. This may not have been the case with private language schools and academies caught off guard by the pandemic. Unless a move towards diversification into virtual teaching was already under way, the focus of their attention would inevitably have been to adapt as a matter of urgency in order to survive the temporary closure of physical classrooms. Under these circumstances, it would hardly be surprising if the digital rights and responsibilities of some freelance teachers have been slightly overlooked.

Online language learning platforms based in Europe now ask freelance teachers to sign detailed and lengthy data protection agreements which make clear their obligations to comply with the GDPR. This squarely places much of the liability for data breaches onto the freelance teacher who is in effect operating as a self-employed sole trader and handling student data in the legal capacity of a ‘data processor’. But data protection regulation is a bit of a minefield and even if teachers manage to muddle through the legalese they might not always fully understand what compliance actually means in practice. Any data protection agreement with a language platform is likely to place far more emphasis on offloading liability and responsibility onto the teacher and less on specifying the actual steps they need to take in order to comply. It is often left to the teacher to work out, for example, whether or not their security software or communication apps meet the required standards, and with this comes an extra burden of responsibility. Additionally, there are costs to consider when it comes to the technical set-up of a virtual teaching environment and internet security is a part of that. For those working with platforms that pay an abysmal hourly rate, the temptation to cut corners can be strong.

The approach to data privacy and security inevitably differs from one platform to another. Some are sophisticated enough to allow most data flow between student and teacher, including video and voice, to take place securely through their own proprietary Learning Management System (LMS). In these cases the data protection concerns of the freelance EFL teacher will centre primarily around issues of internet security. As well as having an effective antivirus package and avoiding exposure to vulnerabilities through the use of public wi-fi networks or certain browsers, it’s important to use an encrypted device in case of loss or theft.

If a teacher is working for more than one platform, extra care needs to be taken in order to ensure the student data from each one is kept separate. Some platforms require teachers to install software on their hard-drive which may contain malware. One of the platforms I applied to work for in China asked me to install an application with an .exe file extension – the type often used to install malware and spyware. The installation instructions/ terms and conditions were all in a Chinese language, except for the button asking me to agree. Although the software may have been legitimate, my request for an English language version was refused. As a teacher already working on the same device for another GDPR-compliant platform, this was not a risk I could afford to take.

Teachers may also need to use additional apps for communication with students outside the platform’s LMS. Apps with a reputation for being privacy-invasive usually have access to the contacts stored on your device and may even share them or make them visible to others. This opens up a can of worms in terms of consent for sharing data with third parties, especially if you have the details of students from different companies stored on the same device. Thankfully, there is an increasing number of free, open-source, encrypted tools available these days which have been built with privacy and security in mind, including messaging apps, web-conferencing software and email. However, teachers may not actually be given a choice which communication technology they use outside the LMS. Either way, it is necessary for them to undertake their own thorough audit of the software, apps, operating systems and devices they plan to use before they start teaching, and to keep on top of any changes to their respective privacy policies.

When it comes to protecting their own data, online EFL teachers sometimes have to make concessions on privacy in order to secure work. One Russian platform I was interviewed for informed me that all lessons would be recorded and kept not just for the monitoring of performance but also for their own marketing, training and other (unspecified) purposes. This was not a condition I was inclined to accept, especially as my data would be held and used beyond the jurisdiction of the GDPR.

In some cases, platforms allow you to opt out of certain features, though this can reduce your chances of being assigned classes. One such platform which I worked for had a photo carousel of teacher profiles, allowing students to scroll through and pick the teacher of their choice for certain classes. At the same time, teachers were also encouraged to make their personal contact details visible to their students so they could get in touch more freely. Although this may appear over-cautious to many, I felt the system exposed teachers to certain vulnerabilities and opted out.

My fears were in fact confirmed after an incident with another teacher, which I think is worth describing as an illustration of the possible implications. In this case, a student of mine surprised me at the start of a lesson by sending me a screenshot of one of my female colleagues, which was taken from the profile carousel. I didn’t have access to the carousel myself and I had never previously met or seen the teacher in question. My student had just been making fun of my colleague with his own co-workers and wanted to continue the banter with me. He explained in rather offensive terms that my colleague was too attractive to be intelligent and took issue with the way she dressed, extrapolating theories about her personal life from her attire and demeanour. Needless to say, the conversation I had with my student took a very different turn to the one he had anticipated, as I confronted the issue of his underlying misogyny as well as his blatant lack of professionalism.

It’s easy for some people to take a cavalier attitude and laugh this type of behaviour off as inconsequential. But a lot of damage can be done with the data which people who may never end up being your students are able to access. With name, photo, location and contact details it’s fairly easy to track someone down on social media for a start. In this case, my student was not only making abusive sexist comments about a teacher that he had never had contact with, but also trying to widen the circle of antagonism towards her – first by including his co-workers and then by brazenly trying to draw me in too. This is surely how trolling and cyberbullying begins. In this case, things were nipped in the bud and I am confident that there was no further escalation. Sadly, however, it is often the platforms which encourage teachers to be generous with their personal data that are least likely to step in and help when things go wrong.

Freelance EFL teachers already have enough challenges to contend with before the added stress of adapting to the virtual classroom environment. Let’s face it – irregular working patterns, high social security costs and low pay mean that life’s not always a walk in the park. It’s easy, then, to overlook issues of online data privacy and security, which don’t inspire the same sense of urgency you get from trying to survive from one lesson to the next. It may also be easy to blag it for a while with no apparent consequences, enjoying the false sense of security that grows with time. All the same, it’s worth taking a moment to ask yourself just one simple question before deciding which approach to take. Can you afford to be a victim?

Andrew Theophilou

Andrew Theophilou comes from London and has worked as an online business English trainer in Portugal. Before that he taught EFL at universities, adult education centres, language schools and refugee organisations in the UK, Germany and Spain.

TEFL Blog Index