Privacy Guidance on the Use of Hypothesis Annotation Software

 

The guidance, consent notice, and collection notice below assume that the Teaching and Learning Commons will be managing a purchasing agreement through Procurement Services by contacting procurement@kpu.ca. Creating a service agreement with support from Procurement Services will ensure that a Privacy Protection Schedule can be negotiated into the terms of the agreement, which will inform the service provider how to comply with British Columbia’s Freedom of Information and Protection of Privacy Act (“FIPPA”). Additionally, any software interacting with existing KPU IT resources must be assessed by the Information Security Office.

 

Overview of Service Request:

The Teaching and Learning Commons is proposing to facilitate providing KPU licenses for Hypothesis annotation tool to the university community to provide a convenient and easy optional tool for collaborative annotation.  All forms of performance assessment about students completed by instructors will remain on Moodle and will not be disclosed to and stored within Hypothesis. 

 

Compliance Requirements:

  • When the University requires, recommends, or encourages collaborative annotation, the processing of the personal information involved is governed by the B.C. Freedom of Information and Protection of Privacy Act (“FIPPA”).  
  • The vendor has introduced upcoming options that would customize the delivery of Hypothesis to KPU allowing Hypothesis to be compliant without managing individual informed consent. The recommendations below will reflect the current reality that personal information will be transmitted outside of Canada.  The recommendations will also reflect future possibilities of managing this service in Canada by utilizing AWS Canada and KPU’s Microsoft OneDrive repositories located in Canada.
  • Under FIPPA, KPU cannot manage personal information outside of Canada except through limited exceptions. The most common exception to this rule is where the students provide their free and informed prior consent.   
    1. KPU cannot compel students to consent to their personal information being stored, accessed or disclosed outside Canada.

 

  1. When the use of technology that stores, accesses or discloses personal information outside Canada is considered required, recommended, or encouraged (rather than purely optional) by instructors or KPU, an alternative must be made available for any students who objects to the storage, access or disclosure of their personal information outside Canada. 
  2. KPU cannot put students in a position where completing mandatory course work will be reasonably compromised by not consenting to use this service.
  • KPU remains accountable for ensuring resulting student or faculty member records are available for access requests, to support processes governed by institutional policies and procedures, and to ensure the institution can draw on any disclosed information for compliance auditing.  
    1. If pursuing a pilot before a purchase agreement have been signed and executed, ensure that a copy of all information that goes into Hypothesis is replicated in a resource accessible to KPU instructors and administrators. 
    2. Contact procurement@kpu.ca for support managing contractual and service commitments. 
    3. At minimum, KPU must be able to reliably receive records from Hypothesis as needed to meet any legal requirements to produce records containing personal information for access requests and court orders.  This process needs to be confirmed with Hypothesis before students and faculty are able to access their Hypothesis account. 
  • Ensuring adequate data security measures are in place is an important part of ensuring that KPU can protect personal information from inappropriate intentional or unintentional disclosure.  This advice is provisional based on the assumption that KPU has completed a review of the data security measurements of the initiative by contacting InfoSec@kpu.ca 

 

Recommended Actions:

The recommendations below address that while upcoming features would enhance compliance with FIPPA, currently some student information will be transmitted outside of Canada.  

  • Until Hypothesis can be resourced and managed entirely within Canadian datacenters, use the consent notice below to collect informed consent from students before they use Hypothesis for course-based learning activities.  Faculty, teaching assistants, and research assistants, using Hypothesis for strictly developing course materials and conducting research activities, are not required to complete consent forms.  Business contact information, course development materials, and research activities are out of the scope of 

 

FIPPA. Even during these out of scope activities, individuals need to avoid inputting identifiable third-party personal information into Hypothesis.

  1. Though Hypothesis uses LTI, current processes within this service extract the name of the student, all annotation data including marked reference points in all texts, and all comments regarding the excerpts referenced, and transmits these types of personal information outside of Canada.  
  2. The instructor needs to ensure each student using Hypothesis understands and agrees to the conditions of the consent notice before starting to use Hypothesis.
  3. Consent can be managed directly in the course shell by building a quiz in Moodle containing the consent notice. Create two possible answers to respond to the text of the consent notice allowing the students to state either “I understand and consent to the terms of this notice” or “I understand and do not consent to the terms of this notice”. This process will create a date and time stamp when consent has been received which needs to be exported from the shell and captured in PDF to retain after the course shell is cleared.   
  4. Records exported from Moodle demonstrating that students have consented to the use of Hypothesis in the course need to be forwarded to the course’s corresponding Dean to be kept for two years after the last day of the semester the course was taken.
  5. Once Hypothesis is managed exclusively in Canada, the informed consent process can be replaced by posting a collection notice in the landing page of any Moodle shell using Hypothesis.
  • If the student objects to the storage, access, or disclosure of their Personal Information outside Canada, the student may create an alias to replace their name in Moodle, which they must provide to the instructor, or the instructor must provide the student with a viable alternate means of being able to complete graded assignments that would require the use of Hypothesis in the course. 
  • As Hypothesis begins to provide options to manage personal information inside Canada, ensure the service agreement or an amendment specifies these Canadian based resources will be available to KPU for ongoing use. 

 


 

 

 

Consent Notice: before Hypothesis manages information exclusively in Canada

Copy and paste the following notice into a quiz module within the Moodle course shell.
 Fill in all [text] below before posting the consent notice.

 

Question text:

The [department] at KPU is collecting my personal information including my full name as it appears in Moodle, and all of my annotation data including marked reference points in all texts that I am annotating, and all comments that I provide in those marked excerpts through Hypothesis as per section 26(c) of British Columbia’s Freedom of Information and Protection of Privacy Act.  My personal information is collected for the purpose of providing a space to conduct collaborative annotation with classmates to build an engaging learning experience.  

My personal information will be stored and accessed by Hypothesis and their service providers located internationally with a head office in San Francisco, California.  International storage and access to my personal information by Hypothesis is required to facilitate the use of my Hypothesis account and provide storage for my annotation work. 

My personal information will be used to process and respond to my questions or requests to KPU regarding my Hypothesis account; to provide and improve services administration; to personalize my experience; to facilitate registration for, and the use of Hypothesis; and to provide technical support.

My personal information may be disclosed throughout KPU as needed to adhere to KPU’s policies and procedures.  A copy of your agreement to this consent form will be kept in the Dean’s Office for a period of two years to support addressing any concerns about the management of my personal information in Hypothesis during this course at KPU. 

My personal information will be disposed of in my KPU license for Hypothesis after one year from the last day of classes for this semester or one year from the time I no longer have access to my KPU Hypothesis account, whichever happens later.

If I have any questions about how my personal information is managed by my instructor or the [department name] at KPU, or I do not understand the contents of this consent notice, I can reach [contact person in department at KPU], by [method of contact email/telephone or both]

 

 

By responding back to my instructor with signed and dated or otherwise written approval, I consent to the above notice.   If I cannot consent to the above notice, I will work with my instructor to try to find a reasonable alternative way to manage my personal information in the course.

Answers available: I understand and consent to the terms of this notice

                               I understand and do not consent to the terms of this notice 

 

Collection Notice: after KPU begins using options provided by Hypothesis to exclusively manage personal information in Canada 

Place the following notice on the landing page of each course shell using Hypothesis. Replace the [text] before posting this notice.

The [department] at KPU is collecting my personal information including my full name as it appears in Moodle, and all of my annotation data including marked reference points in all texts that I am annotating, and all comments that I provide in those marked excerpts through Hypothesis as per section 26(c) of British Columbia’s Freedom of Information and Protection of Privacy Act for the purpose of providing a space to conduct collaborative annotation with classmates to build an engaging learning experience.  

If I have any questions about how my personal information is managed by my instructor or the [department name] at KPU, I can reach [contact person in department at KPU], by [method of contact email/telephone or both]