A new report warns the country's protections to stop big tech companies spying on schoolchildren appear far too weak.
Overseas, the multi-billion-dollar spread of online learning has triggered lawsuits, investigations and, in the US, a promised clampdown.
A report by The Privacy Foundation released today said it had found little sign of authorities looking seriously at the risks of "edtech", even though its rapid spread had been encouraged by the government during the pandemic in response to children not being in class.
Schools are using at least 15 types of software, or they can use centralised contracts the Education Ministry has with Microsoft and Google, OIA responses to the foundation show.
Read the document here: The Ministry of Education Official Information Act response to Dr Marcin Betkier
"They are very embedded in the school systems now," Auckland sociologist Dr Caroline Keen said.
She had tried without success for two years to get authorities to do a stocktake of the tech in schools, and to regulate.
But the ministry had done no privacy impact assessment or analysis into it, the OIAs showed.
The Privacy Foundation's report said this risked creating "a surveillance environment that records children's activities and keeps their data for future and unknown use" and an "educational environment in which children are forced to use privacy-invasive software".
Read the report: Privacy Foundation: Privacy in online learning and teaching
Report author Dr Marcin Betkier, of Victoria University, said any child's personal data at school should not be used out of the educational context.
Yet their initial analysis showed there was no guarantee in company terms and conditions, or contracts, that it would not be used commercially.
They had asked the ministry, Privacy Commissioner, Netsafe and School Trustees Association about this, and obtained limited information about the contracts.
"No one really is checking that the software which is used by the New Zealand schools is creating that safe educational environment," Betkier said.
An investigation overseas in May found near-constant data extraction and tracking of students from primary age to university - and often few controls over the data.
The NGO Human Rights Watch (HRW) identified 145 edtech products were making children's personal data available to 196 third parties, mostly advertising technology companies, in 49 countries (not New Zealand).
"These products monitored or had the capacity to monitor children, in most cases secretly and without the consent of children or their parents, in many cases harvesting data."
Australia was covered by HRW, and media group ABC ran its own checks on the methodology.
"The data that's mined, it's analysed by for-profit interests," Keen said.
"Then that's used to steer a child towards certain courses or careers or generate a consumer profile that can then be sold on to data brokers, and ... we don't really know how long that's used for and how."
In New Zealand, calls for equity have propelled distribution of devices, especially to poorer schools, rapidly increasing online access but also eroding the ability to choose not to learn online.
Many companies in the wider market feed personal data to sophisticated algorithms to predict people's behaviour.
Keen said her research showed New Zealanders were blasé about it.
By contrast, the US state of New Mexico sued Google - and lost - in 2020, its lawsuit stating: "Children are being monitored by one of the largest data mining companies in the world, at school."
The US Federal Trade Commission recently said it would crack down on any companies if they illegally surveilled children.
The World Economic Forum said edtech was changing education dramatically, for the good of students, in a global market expected to top $500 billion by 2025.
Unicef is seeking more buy-in from data companies by, for instance, committing not to exploit children economically.
Read the full report: Unicef: Good governance of children's data (PDF)
An early Bill Gates-backed attempt at amassing US student data, InBloom, was shut down in 2014 over fears of over-reach.
Keen's research in 2020 showed parents and students were "largely unaware of data being captured or generated about them" at school.
"Further, they often believe that there are regulations to prevent the collection and misuse of personal data."
The Privacy Foundation, drawing on a series of OIA responses, said children and parents appeared to have little choice to opt out, so their consent to edtech lacked meaning.
"Data practices should not be justified by the questionable consent of individuals, or even institutions that cannot change the way the software works and can only adhere to the proposed terms and conditions."
Schools and kura lacked "power and expertise" to choose privacy-protecting routes, it said.
"It is often unclear and not transparent which laws apply to the contracts between the schools and kura and overseas online platforms, and how their potential commitments on those markets apply in New Zealand."
The Privacy Act applied but had no specifics around online learning, the critics said.
The Privacy Commissioner told RNZ it was "considering issues ... raised by the increasing prevalence of online learning".
The commissioner provided no links to any reports it has and did not say if it knew of any privacy impact assessments done by anyone on this.
RNZ approached Google and Microsoft for comment but they both declined as they had not seen the foundation's report.
What the Ministry of Education said about data security for children
The Ministry of Education said it was working on improving privacy protections for online learning.
In late 2021 it joined Australia's Safer Technologies for Schools programme that assesses products' security and privacy controls.
In a statement it said it was working with them to develop the framework and assessment process to meet New Zealand requirements, and an initial trans-Tasman version should be available later in 2022.
The ministry told RNZ it provided Google and Microsoft products to schools for free, paying the software licence fees itself.
"We have analysed Google and Microsoft against our internal privacy and procurement policies," chief digital officer Stuart Wakefield said in a statement.
He declined an interview.
The firms both hold ISO certifications for privacy and had signed the US Student Privacy Pledge, "a voluntary but legally binding industry pledge to safeguard student privacy regarding the collection, maintenance, and use of student personal information".
"We place reliance upon these independently audited certifications," Wakefield said.
The ministry did not conduct privacy and impact assessments - schools could, he said.
"We do monitor these tools and track potential issues.
"We are aware that products schools choose to use may have no or insufficient privacy policies listed on their websites or may use out-of-date software, eg Flash, or include third-party advertising.
"MOE privacy, data and digital teams continue to monitor, report and create policy where needed."
Vendors also were expected to comply with the Privacy Act 2020, Health Information Privacy Code 2020, and other codes.