News / National Pupil Database surveillance

What should Educators do about Facebook?

If you use Facebook for educational or school admin purposes, do you need to change anything in light of recent news?
Mark Zuckerberg’s Facebook ad message says, “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you.” School staff should consider their own obligations to protect student and school data very carefully.
We set out below, three groups of questions for starters, and SIX steps for school staff in What Should My Next Steps Be?
Below that you will find instructional steps, How to get an overview of what Facebook has stored from your history of use, How to delete your Facebook search history, How to Review your Facebook App Permissions, more information on How Facebook works with data providers and How to delete your account. We created this simple 3-page summary to download or print [Facebook tools.pdf 188kB ].
We would strongly advise not requiring young people to use personal, individual accounts on Facebook for school work.
However, if you do, and in the UK at least, you must know on what legal basis you require processing their personal data through the social media platform.
And if a school chooses to promote itself through a Facebook page or group, make sure that the school governors and senior leadership team understand how the tool works. Balance benefits and risks, in a data protection risk assessment. Whoever is responsible and accountable for appropriate use of personal data that the school chooses to share, includes how you use social media.
Facebook’s business model is built on the exploitation of personal data for selling marketing space and users’ attention. It targets users on a micro level based on tracking the user’s Internet use on and off Facebook. The company has very publicly failed to safeguard personal data. Facebook researchers on its own site in December 2017, acknowledged that social media use can be bad for users’ mental health, and concerns about the platform’s effect on society.
Guides like this Facebook for Educators promoted by the Education Foundation may appear to explain the available user privacy settings. But often, even if well-intentioned, how-to-use guides, fail to tell you how a tool works behind the scenes. It doesn’t tell you how Facebook makes its money using you, from their company perspective. You may not have understood the personal data harvesting that goes on, or what deals it makes with third-party apps and companies behind the scenes. These business models using your data should be much more transparent.
You may have understood what content you post and how it is viewed, but not see how information about your activity on and off the platform has been collected, traded, and passed on to others. Are pupils aware of how much personal data is collected? Even e-safety advisors commonly fail to advise on privacy other than from a consumer point-of-view. The front end only.
Using Facebook as a group tool is popular. Whether or not your school uses it and how, are choices under your control. If you use it, make sure you do not infringe on children’s rights, put them at risk, or cause harm.
If you require under 18s or students to create Facebook accounts, or to use their own pre-existing personal Facebook accounts to use in any educational context, such as groups or pages, you should take action. You may want to reconsider the implications of your own use, and that of the pupils for their own privacy, and protection of personal and family life

What can you do?

You should be able to answer these groups of questions:

  1. For under 18s. Did you require younger students to create Facebook accounts? If they went on to use the account in a personal context as well, can they now separate the two? Do you require students to use their own pre-existing personal Facebook accounts to use in any educational context, such as groups or pages? If so, on what legal basis? Do you balance risks and offer an alternative?
  2. For over 18s did you give them a real consent choice not to use this tool — this means having an alternative method of communication or sharing information. Consent is rarely a valid processing basis which can apply to public authorities due to the imbalance of power between the user and provider even for adults; but certainly for children.
  3. Can you assure pupils and parents who has their and their friends and contacts’ personal data collected on Facebook, how it is used by whom, and that it is secure? If not, you should consider ending use of the platform, at very least until you can.

What should my next steps be?

Get your Senior Leadership team, and Data Protection Officer together and agree a plan of action. Decide together what your future approach will be.
We suggest you should:

  1. Offer the right-to-object and no longer use Facebook using a personal account for school work if you have not already done so.
  2. Suggest students get an overview of what Facebook has stored from their history of use, in a personal and private place and time to download and view the content archive.
  3. Recommend students delete their Facebook stored-search-history.
  4. Recommend students remove any app permissions which they no longer use or want to share their personal data with through Facebook.
  5. If you do find using Facebook meets the tests of ‘necessity’ or couldn’t bear working without it, then consider only user accounts assigned by the school separated from personal accounts,  pages disassociated from personal content, and ensure strict enforcement for school-only. Maintain good, regular, data hygiene processes, such as the steps in the download.
  6. If you cannot assure pupils, parents and staff who has their personal data collected on Facebook for school activities, and how it is used by whom, you should consider stopping use of the platform, at very least until a time when you can deliver those assurances.

Before you make any changes, make sure you think through some of the ethical and practical implications.

  • Did the user already have a Facebook profile which you have encouraged them to use with school apps or systems? Or did you tell them — or require them — to create a personal Facebook user name and account for their school work?
  • If you require them to use the platform, do you know how else they may have used the site since, or understand the implications of any social log ins now in use?
  • Will their profile data now contain both personal content from their private life, and school life? Will young people be surprised what Facebook has collected? How will you deal with those questions? See the surprise from a well known author below, to see that apps recorded who she had called, when, and for how long from her phone, not Facebook.
  • If your pupils download their Facebook archive to review some of the data captured by the company, will they be upset to find comments, call details or chats from friends or family — some may be from the past, and may no longer be around, or be in contact.
  • Where and when will you support children and young people to do this? If it is on your school system, will the content include personal content and be appropriate to do in a school environment, and store on your servers?
  • What will you do next, if they want shared content removed from Facebook or from apps?

Educators must understand how the platform, pupils’ data, and behaviours interact on and off Facebook as a result of third-party apps. Do you trust that you are giving children and young people’s data to a company who deserves their trust?
Or are you as an educator in fact serving them up to the supplier to become the product traded between the companies behind the scenes?


Facebook’s public message is that they allow users to stay in control of their own privacy. “You have control over who sees what you share on Facebook.” But it only talks about, ‘what you share’. That is, user generated content. It is presented as a user responsibility to have an awareness of how you look onscreen to the audiences you actively choose to share content with.
Common understanding is that your privacy settings control where your information is visible and who can access it, every time you add a post, photo or link or shared an interaction with another user.
Younger users in particular are encouraged by the function “view as” to “choose how you would like to preview what your profile looks like to other people – from friends to colleagues or pupils and members of the public.”
What it does not show you, is how you look to other computers and companies.
More personal information than you see is collected from Facebook users, about the user’s activity  rather than their  content.
Huge amounts of personal data about children and young people may have been collected by Facebook and by their Facebook partners, and shared with other third parties, or added to and linked up with other personal data about the individual from data brokers (see the section “Data Providers” below) over which you have little visibility or control.
These companies go on to infer your preferences, and predict behaviours, so they can better target their adverts at micro-levels to capture users attention for longer, or even clicks, both worth money. This happens while the user is logged into Facebook, but also through pixel tracking and cookies, off Facebook, and across the Internet on other web pages. Facebook ‘follows you about’.
Other people may have tagged you in photos without you wanting them to. By their use of an app they may have unknowingly shared your contact details with their apps. Facebook in effect tries to downgrade these privacy failures, as something you can “fix” retrospectively, but have no right to prevent to start with. “You can always untag yourself” is trying to put the toothpaste back in the tube. The site and their partners’ computer systems now know you from the interaction.
These less obvious interferences with your privacy, are less transparent than the “view as” privacy setting demonstrations may have led users to believe.

What was Missing?

Contact importers have become the Facebook norm.
Facebook enables apps, which are third-parties software, to interact with your personal data and store and track actions and behaviours. Not all of these will be anything you do in Facebook itself, but you might be using Facebook as a log-in tool, or across other websites, even when you do not see it. That information about how you use the site and interactions with ads, your preferences indicated by likes, and who you interact with, are all valuable marketing data to the app companies.
It’s also valuable to Facebook. Facebook receives information about you and your activities on and off Facebook from third-party partners, such as information from a partner when they jointly offer services or from an advertiser about the user experiences or interactions with them. This can help target what ads you see on and off Facebook, what content you are allowed or not allowed to see in your timeline, changing and personalising their offerings according to your computer generated profile; on products, pricing, party political ads and more. Some people may want this. Everyone should be able to understand how it works easily.
Facebook keeps a record of everything you search for on Facebook. This is not obvious unless you look for it.
How Facebook collects your personal data from every interaction is complex to find and not clearly explained unless you know what you are looking for.
How Facebook and apps interact, harvest and transfer data between the platform and app, or your friend’s use of the app. can be complex and not transparent to users.
‘Like’ buttons and cookies may talk to one another.
Cookies and other storage technologies can be opaque. You may have clicked ‘agree’ but do you know what you agreed to?
Permissions may not mean what you think it means unless you study the small print of the multiple trade offs.
Which is why this week, your social media timeline may be full of surprise.
People have been unaware not only of how broadly invasive Facebook’s permanent record and storage is, but the level of content and meta-data (the who, when, timestamps, call length) that apps have had access to about you and your contacts.
And while Facebook may claim your data, and that of your friends interact with apps, with permission, let’s be honest. This excessive harvesting, indefinite retention, lack of transparency and security are not consent based, given how hard it is to understand.

The Facebook Companies

We may share information about you within our family of companies to facilitate, support and integrate their activities and improve our services, says Facebook.
Do you know who these Facebook partner companies are, and how they use your staff, children’s, parents’ or school data?

To take just one, Onavo’s policy says, “When you use the Apps, you choose to route all of your mobile data traffic through, or to, Onavo’s servers. As a result, we receive information regarding you, your online activities, and your device or browser when you use the Services.”
The use of cookies or similar technologies that track information about people accessing a website or other electronic service needs to be transparent. See the Cookies and similar technologies section of this ICO guide for more information.

What is Facebook doing in response to recent news?

Facebook’s recent newspaper ad says it “is investigating every single app that has harvested personal data” the way that recent news has revealed, showing how apps have collected telephone contact details, call length, and more. They promise that in future,  Facebook will remind you which apps have permissions and that it will be clearer to a user how to shut off the apps you don’t want any more.
But look what it does not say.
It does not say how to unshare. It does not say how to get that personal data back from the app companies, or the data brokers or ad networks they passed or sold it on to. Or how to delete that data down the chain of re-use and re-selling. It does not say, we will stop processing your behaviours and interactions or our trade in these information about how you use the site and so on.
This is how Facebook works and is not a surprise to the company. They control your data once collected, and the company — not users — control the knowledge they glean about user behaviours.
You or your pupils may be concerned that you have lost control of their personal data, and that of other people, and how it is used. What do you do if you use Facebook in the classroom?

What is my Legal basis?

It is highly unlikely that processing data via Facebook could pass the test of necessary required to meet processing as part of a public task.
With a view to the future, GDPR Article 6(1)(e) gives you a lawful basis for processing as part of a public task where the processing is necessary. If you could reasonably perform your tasks or exercise your powers in a less intrusive way, this lawful basis does not apply.
And as a public authority, you will find using consent difficult as a legal basis. For children it’s not a possible processing basis, given the power imbalance between the child and the staff / school.
Individuals have a right to object. And we believe there can be no reasonable legal basis to force a child to set up a Facebook account in their own name, for school purposes.
Consent even if it were valid in these circumstances, under current and future data protection law requires a clear, affirmative action. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent from use of their data. The requirement for clear and and plain language when explaining consent is now strongly emphasised, and a requirement for children. And you’ve got to make sure the consent you’ve already got, if processing on that basis, meets the standards of the GDPR.
How Facebook will continue its own policy and be GDPR compliant beyond May 25, 2018? We’re not sure. For example, today’s policy says a user cannot object to or revoke consent for all personal data processing about themself where others have submitted it. Their policy at the time of writing states,
“You can delete your account any time. When you delete your account, we delete things that you have posted, such as your photos and status updates. If you do not want to delete your account, but want to temporarily stop using Facebook, you may deactivate your account instead. To learn more about deactivating or deleting your account, click hereBear in mind that information that others have shared about you is not part of your account and will not be deleted when you delete your account.
If you do decide to delete any accounts, remember to first go through any steps to save or remove content and permissions. Deleting the account without doing so, can leave your personal data with third parties in ways you might not expect. It’s quite tricky to find the Facebook account deletion page. Click here, and type in your login information if required.

Below we set out how you can carry out some of these checks and make settings changes as described above.

How to get an overview of what Facebook has stored from your history of use

This includes content you posted to your Timeline, posts you have shared, messages, photos, videos and conversations, as well as data you did not create yourself such as the ads you have clicked on, logged IP addresses — where the interaction happened, and timestamps of use. It may also include content fromyour friends and contacts, and when you ineteracted with them.
Remember: The archive contains private and personal information, so it should be kept private and secure and not stored on a shared drive or where others can access it. Once downloaded it is not password protected. Take precautions when viewing, storing or sharing it.
How to download a .zip containing the content and overview of what Facebook has stored from your history of use.
Step 1: Logged into the account, and access Account Settings: click at the top right of any Facebook page and select Settings.
Step 2: Click General at the very top of the left-hand column.
Step 3: Click Download a copy of your Facebook data at the very bottom of the General Account Settings page, in text.
Step 4: A new screen will pop up to confirm that you really want to download your Facebook stored content.

Click the green button to continue.
Step 5: A message will appear, “It may take a little while for us to gather your photos, wall posts, messages and other information”.
Step 6: You will need to provide your Facebook password.
Step 7: A confirmation message pops up, to say the system will gather your information and will send a message to the email address on file as soon as the archive is ready to download. Click OK to dismiss the message.
Step 8: A message from Facebook confirming that you requested a copy of your account data should arrive by email in the same as your Facebook account. Another message arrives containing a download link once it’s ready. This can take some time.
Step 9: When you receive another message containing a download link, click it to retrieve an archive of your Facebook data or the download archive page link it redirects you to.
Step 10: The content will be in a .zip format, in your downloads folder, and needs clicked to unzip and deliver a regular folder with the naming convention facebook- [user name] -zip.
Your Facebook archive will contains copies of your Timeline information, messages exchanged in chats, posts, photos and videos you have shared, anything from the Info section of your profile and more.
It also includes other information available to you in your Facebook account and activity log, including data you did not create yourself such as the ads you have clicked on, logged IP addresses and more.

How to delete your Facebook search history

You can clean up the list of activities, search, or limit what information Facebook stores about you.
Step 1: Log in to Facebook and click on the Settings drop down arrow in the top-right corner.
Step 2: Choose Activity Log from the menu.
Step 3: All of your recent Facebook activity appears in a list. Go to the left hand menu bar, and under Photos, Likes, and Comments, click More.
Step 4: From the expanded menu items, low down, choose Search

Step 5: All of your search history, provided you haven’t deleted it before, will appear. Individual searches can be removed by clicking the block icon and then Remove. If you want to clear all of it, click on the Clear Searches link at the top.

How to Review your Facebook App Permissions

To check which apps and which permissions connect with your Facebook account, log into Facebook. Click on the drop-down next to your name and select “Privacy Settings.” Scroll down to “Apps and Websites” and click “Edit Settings.
Checking app permission on Facebook is easy once you know how:

  1. Log in to Facebook. Click on the drop-down next to your name and then on “Privacy Settings.”
  2. Scroll down to “Apps and Websites” and click “Edit Settings.”
  3. In “Apps You Use,” you need to click “Edit Settings” to get to your application settings.
  4. Click “edit” to more closely examine that app’s permissions to your Facebook account, what the app can do, what data it collects, and more. Then decide if you want to keep the app associated with your account. Click the X next to each application that you no longer use or want.

Once you’ve finished removing or updating the apps associated with your account, you can go back and double-check “How People Bring Your Info to Apps They Use” section. This shows how the apps your friends sign up for and use don’t have access to more information about you than you’d like.
We recommend unchecking everything in that section.
People on Facebook who can see your info can take it with them and hand it over to third parties when they use apps. Facebook says, “This makes their experience better and more social.” We say, this is a hugely invasive and hidden misuse of your personal information.

Facebook works with third-party data providers “to help businesses connect with people who might be interested in their products or services.” Facebook brings more data to a user profile than you put in. It works with third-party companies to identify and match profiles “with information that helps Facebook connect those customers with the offers.” You may not have known it, but Facebook’s data providers also have privacy notices and explain opt-out from their services on their web sites, some of which are listed below. (as listed on Facebook on March 27, 2018)

We created this simple 3-page summary to download or print [Facebook tools.pdf 188kB ].

Have you seen our #LabelsLastaLifetime campaign? Please pledge support if you can.