Thursday, 01 January 2026, 15:39
Saudi Arabia: Prohibition of Commercial Use of Learners' Data in E-Learning

The National Center for E-Learning has unveiled a draft national policy for the privacy and protection of learners' data in the e-learning environment, a step aimed at strengthening digital governance and protecting personal data against any irregular processing or unauthorized use amid the rapid expansion of digital learning platforms.

Explicit ban on any commercial exploitation
The deputy director-general for Excellence at the center, Mohammed Al-Shuwaier, stated that the draft sets clear regulatory controls that explicitly prohibit the use of learners' data for commercial or marketing purposes beyond the approved educational or official objective. These controls include obliging educational entities and service providers to define the purposes of data processing in advance, limiting use to the declared purpose only, and incorporating these obligations in contracts and agreements. The policy also prescribes regulatory sanctions that may extend to suspension or cancellation of licenses upon any violation, alongside accountability and governance principles that enable monitoring and oversight by the competent entities.

"Minimum" data collection
Al-Shuwaier explained that the draft is based on the principle of "minimum data collection" as a fundamental rule, such that only the data necessary to achieve the educational goal or legal compliance are collected. The center's role focuses on creating a reference framework based on the national frameworks for data protection and on enabling educational entities to align their internal policies with this principle, with emphasis on the concepts of "privacy by design" and "privacy by default", to limit the collection of excessive or irrelevant data.

Response to digital expansion
He pointed out that the policy responds to the accelerated growth in e-learning and the accompanying increase in the volume and types of data, including sensitive data. The draft aims to align digital education practices with the relevant national data protection systems, enhance trust in educational platforms, and address the risks of misuse or unlawful tracking through a unified framework that supports compliance and governance.

Preventative and regulatory nature
Al-Shuwaier affirmed that the policy is primarily preventative, aimed at establishing a proactive framework to minimize risks before they occur and to enhance regulatory compliance within the e-learning system. Any observations or reports, if any arise, are addressed through official channels and coordinated with the competent authorities, without generalization or reference to specific cases.

Controls on storage, transfer, and safe disposal
The draft includes clear controls for managing the data lifecycle. It does not impose uniform retention periods but obliges educational entities to determine suitable durations for each type of data according to its purpose and within the limits set by related regulations. It also emphasizes securely deleting or anonymizing data once its purpose has ended and applying strict security requirements during data transfer, such as encryption and access control, ensuring safe disposal to prevent misuse or recovery.

Comprehensive regulatory framework
Al-Shuwaier concluded by affirming that the draft outlines a comprehensive regulatory framework that encompasses collecting, using, storing, transferring, sharing, and deleting learners' data, ensuring that processing practices are fair, transparent, and proportionate to educational purposes, and preventing any unauthorized commercial or marketing use, thereby enhancing privacy protection and building trust in the national e-learning system.
