Spend some time reviewing the Facebook and Instagram pages of enough education agents and you’ll soon spot a common marketing technique. It’s the ‘congratulations’ post, congratulating a student on obtaining a student visa and on enrolling in a course of study overseas.

Typically the posts will include some or all of the following information, along with the name and/or logo of the education agency:

  • student photo
  • student name
  • educational institution (i.e name and/or logo of the institution where the student is enrolled to study)
  • course of study

Sometimes the posts will contain a screenshot of the visa awarded to the student, with the key information blurred or redacted.

It is completely understandable why education agents do it; the posts aim to attract new business by showing that the agent is achieving successful outcomes for students. The issue is that the posts contain personal information- i.e. a student’s name and/or photo.

Privacy risks

The right to privacy is recognised as a fundamental human right under Article 17 of Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights (ICCPR) and other international instruments and treaties.

Under any of the key legislative schemes in operation in the main student destination markets – (i.e. Data Protection Act (GDPR) – UK, Privacy Act – AU, PIPEDA/PIPA – CA, CCPA/CPRA – US) – social media posts by agents of the kind described above would constitute a disclosure of personal information for a secondary purpose. To put it another way, the information was collected by the agent for the primary purpose of assisting the student to secure admission to an overseas educational institution and the required visa but is being used for the secondary purpose of marketing the agent’s business. Under any of the different legal frameworks a student’s name and photo would clearly be personal information. The information related to course and institution may be, depending on the country and regulatory regime concerned.

Now, disclosure of personal information in these circumstances is generally ok if the owner of the personal information has consented to its disclosure in that way. Consent is the key concept here and, importantly, the laws in the UK, US, Canada and Australia state that consent must be ‘informed’ or ‘meaningful’. That means that the owner of the personal information must understand how the information will be used and the implications of consenting to disclosure.

The Office of the Privacy Commissioner of Canada sets out seven guiding principles for meaningful consent:

  1. Emphasize key elements
    • What personal information is being collected?
    • With whom is it being shared?
    • For what purposes is the personal information disclosed? Individuals should be made aware of all purposes for which information is collected, used or disclosed.
    • Risk of harm and other consequences. For consent to be valid, it must be reasonable to expect that individuals understand the consequences of the collection, use or disclosure to which they are consenting. One such consequence, about which individuals should be made clearly aware, is risk of harm. Harm includes financial loss, identity theft, and loss of property.
  2. Allow individuals to control the level of detail they get and when.
    • Information must be provided to individuals in manageable and easily accessible ways, and individuals should be able to control how much more detail they wish to obtain, and when.
    • Beyond the elements above, the level of detail required to make a consent decision will vary by individual, and by situation.
  3. Provide individuals with clear options to say ‘yes’ or ‘no’
  4. Be innovative and creative
    • Organizations should design and/or adopt innovative consent processes that can be implemented just-in-time, are specific to the context, and are appropriate to the type of interface used.
  5. Consider the consumer’s perspective
    • Consent processes must take into account the consumer’s perspective to ensure that they are user-friendly and that the information provided is generally understandable from the point of view of the organization’s target audience.
    • Consent is only valid where the individual can understand what they are consenting to.
  6. Make consent a dynamic and ongoing process
  7. Be accountable: Stand ready to demonstrate compliance
    • Organizations should be in a position to demonstrate compliance, and in particular that the consent process they have implemented is sufficiently understandable from the general perspective of their target audience as to allow for valid and meaningful consent.

The guidance from regulators in the other main English speaking destination markets is less comprehensive, but the broad themes around consent are similar. Given that the primary concern of all international education practitioners on both the institution and agency side should be student welfare, the Canadian principles seem to provide a solid framework for best practice in terms of the considerations and processes around informed consent by an international student to the public disclosure of their personal information.

Implications for institutions

In a case where an institution’s name and/or logo is being used by an agent in conjunction with the disclosure of a student’s personal information, a number of risks, issues and questions arise:

  1. Is the disclosure by the agent attributable to the institution as the principal in the agency relationship? If so, what are the implications with respect to the institution’s obligations under relevant privacy legislation?
    • The risk of legal action against an institution is probably low, but the point of compliance with any regulation is not to avoid sanction but rather to support the policy objective that the regulation aims to achieve.
  2. Is the disclosure consistent with the institution’s own privacy policy?
  3. Is the disclosure, and the use of the institution’s name/logo, consistent with the terms of the agency agreement/contract with the agent?
  4. Is the disclosure supported by meaningful or informed consent by the student?
    • No doubt the agent in each case will claim that consent was provided by the student, but institutions should hold agents to account on what processes and controls are in place to support informed consent by the student. What information does the agent provide to students to inform their decision? How does the agent record consent in each case?
    • A key risk in this context is the serious and widespread issue of scams targeting international students, which takes many different forms. Many educational institutions are now putting considerable effort into educating international students about potential scams. Yet the personal data published by some agents – student photo, name, institution and course – has the potential to be misused by scammers. Are the personal information laden ‘congratulations posts’ by education agents consistent with efforts to address the scam risk? At the very least, are agents explaining those risks to students in order to inform their consent?

Institutions do it too…

Balanced analysis on the issue of disclosure of the personal information of international students for marketing purposes requires an acknowledgement that educational institutions also use the same technique themselves. Plenty of institutions also feature “international student stories” on their websites as a way to engage and attract prospective international students. There are several service providers who are focused on supporting educational institutions to do just that. Often the international student testimonials or stories posted on institution websites also contain the student’s full name and degree.

With that in mind, one could argue that if it’s ok for institutions to do it then what is the problem with agents doing it? The key point of distinction is that when an institution makes a decision to post an international student story which contains personal information about the student (name and course etc) it can do so in a way that considers and addresses the privacy issues and risks set out above. Conversely, when an agent posts personal information about a student on its website or social media channel, and uses an institution’s name and logo, the institution may have no or limited visibility of the disclosure, which removes or reduces its ability to consider and address the issues, questions and risks discussed above.

Working with education education agents?

AgentBee’s education agent due diligence solution supports educational institutions to implement best practice education agent due diligence processes.

Educational institutions can use it to:

  • protect students – conduct initial and ongoing due diligence checks on education agents.
  • protect your brand – detect cases of unauthorised agents using your institution’s name, logo or other IP without permission.

Our clients include…

Get new posts…

Follow AgentBee on Linkedin to get our latest posts on education agents as they drop – (click the icon below)