Some digital content providers ask learners to sign user agreements stipulating that the provider may share their personally identifiable information. And it begs the question of our role and responsibility in ensuring data privacy.
by David Vance
December 4, 2019
Data privacy is an important policy element for any organization, and one that has been receiving more, but perhaps not enough, attention. Honestly, I did not expect this to be a controversial issue, but it has become one in the United States and probably elsewhere. Organizations that operate outside the boundaries of countries with very strict data privacy standards (such as those in Europe) are going to have to decide whether to share learners’ personal data.
Here is the issue: Some digital content providers ask users to create a personal profile and agree to a user agreement and privacy policy. The user agreement stipulates that the provider may share the learner’s personally identifiable information, including content in their profile, with whomever they want. In other words, they can sell it.
Who would be interested in buying such information? For one, an organization looking to recruit a person with certain skills or interests, which may be gleaned from the number and type of modules in the learner’s profile. This allows the provider to generate a revenue stream by selling information of value to recruiters. The information may also be of interest to sellers of learning content for the insight it could provide on the types of learning taking place in an organization.
This is not necessarily a problem if the user is engaging the content provider on their own time outside of work. We make decisions all the time to freely provide information to sellers and others about ourselves which they can use to tailor their marketing to us or sell to others. The issue for your organization arises when you contract with providers to make their content available to your employees and when the provider insists your employees sign their user agreement which allows them to sell your employee’s personal information. If the providers you are using follow this same policy, I submit that you have a data privacy issue.
Now, some providers do allow an employee to set their profile to “private mode,” but it is a manual process. In other words, they have to opt out rather than opt in. So, back to your data privacy policy. Do you engage with providers who require your employees to sign a user agreement allowing them to sell your learners’ personal data? If so, is such a policy for learning consistent with your organization’s broader data privacy policies? Does your organization currently sell employee data to other organizations? If this is not permitted, why should there be an exception for the learning department? Do your senior leaders even know their employees’ personal data are being sold? Is it sufficient from a data privacy point of view that a learner can opt out or should the provider be asked to change their policy so it is an opt-in process?
Like I said earlier, I had not expected this to be an important issue for us, but I think it is. And it may well be that most employees don’t mind that their personal data are being sold, but does that make it alright? Last, let’s come back to the likely buyer of this information: an organization that is recruiting talent. Do you want to make it easy for them to recruit your employees? Of course, your employees may update their profiles on their own time for the express purpose of finding a new job and there is nothing you can or should do about that. So, the issue is just how easy you want to make it for recruiters to find your employees.
There are no easy answers to these questions, but I believe we need to address them. Some organizations (like libraries) that were using these providers stopped using them when the providers mandated that users sign the user agreement allowing their data to be shared and sold. Unquestionably, these providers make content available that benefits both the organization and employee, but what responsibility does the organization have to ensure data privacy? This is the bottom-line issue.
To comment, email: editor@chieflearningofficer.com.
