E-learning has revolutionized training and education, but it doesn’t come without issues. Perhaps the most relevant concern, in this method of teaching, is data privacy.

In this age, your personal information is linked to countless accounts in e-mail, social media, and other platforms. Almost all of these avenues are, in one way or another, also connected to e-learning.

As e-learning users who knowingly share information with third parties, how well protected are we as far as information privacy is concerned?

Over the years, there have been several attempts to ensure the integrity and security of users’ personal information. Here we will focus on a very recent one and how it affects e-learning in corporate and commercial settings.

General Data Protection Regulation

Fresh from its implementation on May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) aims to improve the accountability and transparency of organizations handling personal information.

Part of this new regulation’s goal is to advance a ‘privacy culture’ on the World Wide Web, ultimately to protect the privacy of millions of regular users, or ‘natural users’ as the regulation puts it.

The GDPR enables EU citizens to take control of their own rights, including the right to:

  • Be informed on who has their data
  • Be forgotten or deleted
  • Be excluded from marketing
  • File a complaint
  • Stop or limit data processing
  • Access their data
  • Acquire data in a structured template (such as CSV format)
  • Rectify data

Why is it important?

Along with North America, Europe is the leader in e-learning.

Our lives seem to have blended with our online counterparts and every day, we share bits of data. In this regard, the EU has taken it upon itself to protect the data privacy of its citizens.

The GDPR requires any company that offers its services to EU citizens to comply with the regulation, even if the company is not EU-based.

For any company looking into the European market as their clientele, this is a crucial factor to consider.

Why, though?

Because a non-compliant company may be fined up to $20 million or up to 4% of the annual turnover, whichever is higher. And no company wishes to be subjected to such steep fines.

Examples of personal data

This is the heart of the GDPR, but what constitutes ‘personal data’?

It is any data relating to a person who can be directly or indirectly identified by reference to a specific identifier, such as a name, number, or address, or to any physiological, mental, social, cultural, or economic factor specific to that person.

The regulation does not provide an exhaustive list. The exact provision can be quite confusing to read and is open to broad interpretation.

The following may fall under ‘personal data’:

  • Personal appearance and characteristics: skin color, eye color, hair color, weight, height, identifying marks, body build, traits
  • Socio-biographical information: place and date of birth, social security number, home address, e-mail address, phone number
  • Educational and workplace information: student number, salary, work address, tax identification number
  • Private data and personal opinions: geo-tracking data, religious beliefs, political stand
  • Medical history: pre-existing illnesses, dental records, genetic information, laboratory results, sick leave information, health insurance policies
  • Online identifiers: cookies, IP address, device fingerprints, pixel tags

Implications in LMS usage

A learning management system (LMS) is a software application used in the delivery of e-learning courses and programs. It is the very backbone of e-learning. Without it, there is no way that training can occur.

With the new GDPR in effect, are you required to use an EU-hosted learning management system?

Not really. The regulation does not intend to hinder cloud services utilized by EU citizens, but rather to increase privacy, strengthen security, and promote accountability.

Hence, EU-based companies may use LMS software hosted in other countries as long as the platform holds an EU approval of data protection.

As for personal data transferred outside the European Economic Area (EEA), the Commission does not require further authorization for other countries, territories, or organizations that offer adequate data protection.

The Privacy Shield framework was specifically built to comply with the criteria set forth by the GDPR. This allows participating companies that offer an adequate level of protection to create programs and facilitate information transfer. For instance, an EU company working with a US company creates a privacy shield to satisfy the GDPR requirement.

Best practices for the company

The company, in this case, is the ‘data controller’. It collects, keeps, or manages the users’ data.

As the controller, you are responsible for how data is processed and controlled, as well as for the people involved, including the instructors, administrators, and learners.

If your organization uses an LMS for e-learning, it is best practice to ensure GDPR compliance. It is not just a necessary action but a responsibility shared between the company as the ‘data controller’ and the LMS vendor as the ‘data processor’. In practice, the controller should:

  • Handle personal data in a fair, transparent, confidential, accurate, and lawful manner
  • Preserve data privacy by mapping data sources, system storage, data flows, and access rights
  • Create proper policies on data protection and retention
  • Store data in an accurate manner for possible correction and update
  • Keep personal information strictly confidential and away from people who are not authorized to access it

Before using an LMS for your e-learning course, you must read and understand its GDPR compliance program, Terms of Use, and Privacy Policy. Along with the LMS provider, you are also required to sign a DPA (Data Processing Addendum) that signifies compliance with GDPR legal responsibilities.

Best practices for the LMS provider

As the ‘data processor’, the LMS provider should assist you, the company or the ‘data controller’, in ensuring the subjects’ privacy rights.

It should be standard practice for the LMS provider to uphold these rights by taking steps such as the following:

  • Strengthen security infrastructure
  • Employ a data privacy officer that customers and users can easily contact for issues, questions, and complaints
  • Provide complete information about their services in the Terms of Use, Privacy Policy, and DPA
  • Ensure that all processing operations and information transfers are legally justified
  • Integrate role-based access
  • Let the controller choose what information is shown or hidden in the LMS
  • Conform to GDPR certifications
  • Implement confidentiality policies for LMS personnel accessing users’ personal data
  • Cooperate with the data controllers at all times
  • Enforce a contingency plan in the case of a data breach
  • Offer the export or transfer of LMS data in a standard format, when authorized
  • Revisit and update procedures, controls, and policies