There is a lot of talk about ChatGPT, its implication for education and the workforce, and whether it is safe to use in terms of data privacy. Recently, Italy banned the chatbot due to privacy concerns, and some consumer groups have also voiced their concerns.
The rubric was developed by 1EdTech members representing different stakeholder groups, including higher education, K-12, and edtech suppliers. By working together, members struck a balance between the realities edtech suppliers face and the information educators need to make informed decisions regarding security.
We do not judge whether a tool is safe or unsafe to use; instead, 1EdTech members designed the rubric to ensure transparency in privacy policies and help educators navigate the complicated and time-consuming process of vetting applications. The rubric provides suppliers a clear understanding of how data will be collected and used. Still, it is up to individual governments, institutions, and districts whether individual policies meet their specific privacy needs.
The rubric analyzes privacy policies in the following categories: what data is collected, security measures for the collected data, third-party sharing policies, and advertising. In most areas, ChatGPT meets requirements in spelling out exactly what information it collects and how that data is handled, with a few notable exceptions.
When it comes to protecting the information, ChatGPT makes a broad statement that it takes steps to protect personal information, but it does not give specifics. In other areas of the policy, however, it states that data is encrypted, it enforces strong password creation, and information is protected through single-sign-on capabilities on Microsoft and Google accounts.
ChatGPT also states it will share information with third parties only for app functionality and legal or business necessities. There does not seem to be an option to opt out of 3rd party data-sharing agreements; however, laws in the EEA and UK require that users be allowed to delete personal information. It is unclear whether users outside those regions may do the same.
What needs some clarification is what other information ChatGPT collects and stores. In one section, the policy states ChatGPT may collect and use all content provided. However, the policy also says the user owns any “input” content.
Regarding the area of advertising, ChatGPT will not display any ads.
1EdTech’s complete vetting of ChatGPT, and more than 9,000 other products, may be found in our TrustEd Apps Directory.
We're hosting several roundtable discussions on the security of ChatGPT and the implications of Generative AI at this year's Learning Impact Conference in Anaheim, California, June 5-8. To see a complete list of sessions and register, click here.
About the Authors
Tim Clark, Ed.D.
As 1EdTech's Vice President of K-12 Programs, Dr. Tim Clark assists schools and districts in adopting 1EdTech standards and practices to enable interoperable and secure digital learning ecosystems. He also provides strategic leadership for K-12 in 1EdTech in collaboration with K-12 institutional and state departments of education members of the consortium.
Kevin Lewis directs and governs 1EdTech's app vetting processes and procedures. As 1EdTech’s data privacy officer, he strategizes the building of app vetting processes using the 1EdTech rubric that comprehensively and consistently mitigates privacy risk and confidentiality breaches of protected information, and he dictates the effectiveness of privacy-related risk mitigation measures. Kevin also coordinates with suppliers to ensure privacy policies are communicated adequately.