To reduce the spread of coronavirus (COVID-19) and safeguard students’ health, the Education Bureau of Hong Kong (“EDB”) first extended the Chinese New Year holidays for all schools to 16 February 2020. As the virus continued to spread and developed into a pandemic, the resumption of schools was indefinitely deferred; classes are suspended until further notice. However, the EDB has advocated for “suspending classes without suspending learning” since early February 2020. Most schools have adopted the approach, moving to online learning platforms in addition to video-conferencing between teachers and students. These advanced technological solutions enable children to continue with their education, but concerns have been raised regarding data privacy and protection of students; increased usage of online teaching tools can collect vast amounts of students’ data, rendering them vulnerable to misuse or leakage of personal data if unfortunately placed in the hands of a hacker.
Guidance from the Privacy Commissioner
The Privacy Commissioner for Personal Data (“PCPD”) released a media statement recommending that schools should perform due diligence to ensure that technologies selected (i.e., video conferencing software and online learning platforms that have videotaping functions) protect children’s privacy. This may be achieved by, for example, ascertaining whether the selected platform will collect students’ personal data and share it with third parties such as software developers and platform service providers. The PCPD reminds users to be vigilant at all times in the online world to protect personal data privacy, particularly as published data can be duplicated or permanently stored The PCPD also recommends disabling online tracking and recording functions of software and platforms, and to save such settings as default.
Further guidance was given to answer the concerns that schools and parents may have:
- Can teachers record my child’s voice or take pictures of them to observe their performance in online classes?
It is recommended that schools collecting students’ personal data (including names, images, or voice data) should be on a minimal basis and done in a lawful manner. It should only be done where directly related to the activity, and data collected should be necessary but not excessive. The PCPD also recommends for schools to explicitly inform parents and students in advance (e.g. by way of written notice) if there are such practical needs.
- Do teachers need to obtain parental consent before taking pictures or recording students’ voices?
Yes, according to the requirements of Data Protection Principle (“DPP”) 3 of the PDPO, where the data subject is a minor, “prescribed consent” should be given on behalf of the data subject (under certain circumstances) by a “relevant person.” Students must also be informed of such practices, regardless of whether the data collection is obligatory or voluntary.
- What steps can I take as a parent to ensure my child is protected during online learning?
- Install parental controls to manage a child’s internet usage and filter inappropriate content or language;
- discuss with children the risks of clicking suspicious links or downloading suspicious documents;
- disable tracking functions whenever possible; and
- disable automatic camera and microphone access, adjusting settings so permission must be gained before cameras or microphones can be accessed.
Parents can also access the Children Privacy website created by the PCPD with your children to help them better understand the importance of personal data privacy, and ways which children can protect themselves.
- What steps can we, as schools, take to ensure the students are protected during online learning?
On the other hand, schools should take all practicable steps to protect personal data from unauthorised or accidental access, processing, erasure, loss or use. The PCPD suggests that schools should:
- Ensure that all devices are installed with latest security patches and anti-virus software, and are protected by firewalls;
- ensure that network connections are safe and secure (i.e. teachers should not use public Wi-Fi and use strong encryption for Wi-Fi network);
- set a password for the online learning session which (as well as its link) should only be given to teachers and students participating in the session;
- not record relatively sensitive biometric data, such as voice data, which could reflect children’s emotions or socio-economic background from their accents;
- store all tracking data and records with encryption, and the personal data collected should be destroyed as soon as possible after the data has fulfilled the original purpose of collection;
- beware of whether personal data could be accidentally captured on screen when the screen or video sharing function is activated; and
- formulate policies and guidelines for handling data breaches. Such policies and guidelines should aim to protect students’ privacy rights, and ensure that teaching staff get a clear understanding of the correct and secure way to use such tools, and the approach to dealing with incidents of lost devices or hacked/stolen accounts.
Schools can refer to the publication regarding “Collection and Use of Personal Data through the Internet – Points to Note for Data Users Targeting at Children” published by the PCPD for further information.
TikTok: a fun data privacy risk?
With children and teens across the globe staying at home to reduce the spread of coronavirus, many have turned to social media and mobile apps to entertain themselves and keep in contact with friends. One of the many popular apps is TikTok. While the app is extremely entertaining to children and adults alike, there are ever-increasing concerns regarding the child safety and data privacy, and even national security concerns in the United States.
What is TikTok?
TikTok – owned by ByteDance, a Beijing-based company – allows users to create short 3-15 second lip-syncing videos or 3-60 second looping videos. It has become one of the most popular apps, especially after its merge with musical.ly in August 2018; according to an article published by CNET, TikTok ranked 4th in the 10 most-downloaded apps of 2019, and an article by Forbes stated that TikTok amassed approximately 24 million active daily users, and a New York Times article states that it has been downloaded more than 1.5 billion times.
What are the data privacy concerns with TikTok?
In an article published by TechCrunch, the CEO and co-founder of Reddit – Steve Huffman – has criticised TikTok for being “fundamentally parasitic” in its use of fingerprinting technology. Digital fingerprinting used by TikTok combines audio and browser tracking to determine which users are watching and sharing a video on both the app and on the web.
Cybersecurity firm Check Point published research in early January 2020 exposing a series of vulnerabilities “core to TikTok’s systems.” The research described the vulnerabilities to allow attackers to:
- Get a hold of TikTok accounts and manipulate their content
- Delete users’ videos
- Upload unauthorised videos
- Make private “hidden” videos public
- Reveal personal information saved on the account – such as private email addresses
- SMS link spoofing – sending SMS message to any phone number on behalf of TikTok, as users sign up to the platform by entering their mobile number on the company’s website and receiving a text message with a link to download
- Inject malicious scripts into benign and trusted websites, including TikTok’s subdomain
While TikTok supposedly learned of Check Point’s research on November 20, 2019 and fixed all vulnerabilities by December 15, 2019, there are still data privacy concerns that exist, particularly regarding the parent company, ByteDance, which is based in Beijing. The app faces criticism from U.S. lawmakers that it is sharing data with the Chinese government. According to an article by the New York Post, a 2017 Chinese law requires companies operating in the country (i.e. ByteDance) to cooperate with the government on national intelligence. The company has refuted such claims and stated that U.S. user data is stored in the U.S., and that China does not have jurisdiction over content that is outside of the country. However, the U.S. Government has taken precautions by banning the app from government issued mobile devices (December 2019) including the U.S. military (Navy and Army), and several U.S. politicians have expressed their concern over the data privacy of the app.
Additionally, in February 2019, the U.S. Federal Trade Commission filed a complaint against the app, stating that it illegally collected personal information from minors. TikTok (then Musical.ly) allegedly violated the Children’s Online Privacy Protection Act, which required that “websites and online services directed to children obtain parental consent before collecting personal information from children under the age of 13.” TikTok agreed to pay $5.7 million USD to settle the complaint – the largest civil penalty ever obtained by the Commission in a children’s privacy case – and said it would abide by the Act. According to the New York Times, the British Information Commissioner’s Office was also investigating whether the app violated European privacy laws designed to protect minors and their data. TikTok stated in its blog that a “Transparency Centre” would be opened in the company’s Los Angeles office to offer more details on data privacy and security.
What is TikTok’s Privacy Policy?
TikTok’s Privacy Policy (last updated January 2020) states that it collects the following information for users in Hong Kong:
- Profile information – username, date of birth, email address and/or telephone number, and any information disclosed in the profile (e.g.: photograph).
- How each user engages with the app – e.g., which ads are viewed, what kind of content is preferred and saved to “My Favourites”, problems encountered, etc.
- Information from Third Parties – where a user shares certain data from third parties (such as logging in using social network accounts like Facebook, Twitter, Google, etc.), the username and public profile will be accessible by TikTok.
- Technical information – including IP address, browsing history (on the platform), mobile carrier, time zone settings, model of your divice, screen resolution, etc. – is automatically collected by TikTok.
- Location – through “Region” selected by the user in Settings.
- Cookies are collected – additionally, TikTok’s “business partners, advertising networks, and other advertising vendors and service providers (including analytics vendors and service providers) [are allowed] to collect information about your online activities through Cookies”.
- Users should note that the Privacy Policy states that TikTok is “not responsible for the privacy practices of theser third parties, and information practices of these third parties are not covered by [TikTok’s] Privacy Policy”
The Privacy Policy also states how the personal data is used, shared, stored, and retention period. TikTok has also provided a Privacy Policy for Younger Users (applicable to the U.S.), and states that “TikTok is not directed at children under the age of 13.”
How can I maximise TikTok’s safety features to protect my child?
There are several measures parents can take to ensure your child’s account on TikTok is private. Under the Privacy and Safety settings (under the three dots at the top right of your child’s user profile), you can:
- toggle the two “discoverability” options – this includes setting your child’s account as private, and disabling the account from being suggested to others
- change the safety settings to limit others’ access to your child’s posts, including:
-
- “Allow your videos to be downloaded” – Off.
- “Who can send you direct messages / Duet with your videos / React to your videos / view your liked videos / comment on your videos” – to Friends or No one.
- “Comment filters” – turning this On, and adding filtered keywords.
It is recommended that parents alter the privacy and safety settings on their children’s TikTok accounts, as they are public by default. Posts made by the user can also be set to “private”, so they are only visible to the posting user. Parents can also regularly check the “Security Alerts” feature on TikTok (under Privacy and settings – Manage my account – Security).
The risks associated with TikTok’s privacy policy and the vulnerabilities in the apps data protections may be more [significant] than the entertainment value it imparts to children. You may consider permanently deleting your child’s account (via Settings – Manage My Account – Delete Account) as a last measure to protect your child’s personal data privacy. This will disable the account’s login to TikTok and you will lose access to the posted videos. However, TikTok states in its support page that “shared information, such as chat messages, may still be visible to others”. TikTok’s data retention policy states that data is kept for 5 years; however, even if you have permanently deleted your account, the company will “store your information in an aggregated and anonymised format [and] non-personally identifiable information may be retained indefinitely for analytics.”
Key Takeaways
While the health and safety of our children are of utmost importance during the coronavirus pandemic, we should be cautious that the personal data privacy risks are increasing with the ever-developing technological advances. Schools and parents should take all practicable steps to ensure that the devices, software, and apps used by children are protecting your child’s personal data privacy to the highest possible degree. Children should also be given guidance on the best data privacy protection practices to reduce the vulnerability of their information being misused or leaked to hackers.
For more information on data privacy, please contact us.
This article is for information purposes only. Its contents do not constitute legal advice and readers should not regard this article as a substitute for detailed advice in individual instances.
The article has been republished on LexisNexis Hong Kong Coronavirus Resources Kit website.
