Introducing VR training comes with many benefits over traditional training and e-learning - reducing costs through eliminating travel and business disruption, enabling participants to safely learn-through-doing and rapidly reducing training times to fill skill gaps.

While VR is an exciting medium delivered through rapidly evolving technology, it is essential to build on a proven pedagogical foundation that focuses on the quality of learning.

In this series, we will examine the components of the Gleechi pedagogical framework. We use the framework to both build VR training experiences and develop the Gleechi VR training platform. Through adopting a pedagogical approach, the quality of the training comes first while the technology is an enabler.

A fundamental and underlying component of VR training is ensuring privacy - using best practices and processes to manage data and keep it safe. While VR training promises safe virtual environments in which to learn, participants should also be confident in the knowledge that their data is also safe. 

We have adopted and support the XRSI Privacy Framework - an important industry initiative to encourage and support data privacy through providing a rulebook on which to implement own processes and procedures.

Introducing XRSI Framework

Xtended Reality (XR) technologies is a broad term that encompasses the different types of technology that extend or complement our reality - from augmented reality that overlays information to mixed reality that blends real-life with interactive virtual objects and virtual reality that immerses participants in virtual environments.

XR is fundamentally changing how we work and adoption is set to accelerate rapidly as we move to remote working and depend increasingly more on technology to keep us connected.

XR hardware and most notably the popularity of the Oculus 2 VR headset, provide increasingly powerful computing platforms and come with a range of sensors that capture our movements and interaction with the world around us. The nature of the technology requires that we allow our biometric data to be captured and used to provide the immersive experiences we expect. 

VR headsets have followed a remarkable evolution curve, borrowing innovations from mobile to transform from being tethered to a powerful PC to become standalone, always connected and readily affordable in just a few years. 

The rapid adoption and innovation of VR headsets is especially relevant to organisations who need to balance confidentiality and privacy concerns with the need to innovate and take advantage of the VR technology as a valuable business tool and skills-enabler.

Both for companies and individuals, there is a clear need to define a set of standards or guidelines that govern how biometric and supplemental data is collected and used when we mix our realities. 

In order to address this need, the XR Safety Initiative, a worldwide not-for-profit organization that promotes privacy, security, and ethics in XR, has a developed the first revision of XRSI Privacy Framework.

The XRSI Privacy Framework defines a baseline set of standards, guidelines, and best practices. While not a law in itself, the XRSI Privacy Framework incorporates various privacy laws such as GDPR, FERPA, COPPA, and other evolving laws, to form a comprehensive and clearly defined set of expectations that can be used by app developers, platform developers and other relevant interest groups to promote safe and responsible XR development.

There are no steadfast requirements on how the framework should be applied, rather it can be used to develop best practices and build awareness of privacy considerations - such as developing release checklists, applied as part of the development process or integrated into an automated build process to verify data handling.

The XRSI Privacy Framework is essentially composed of four focus areas - assess, inform, manage and prevent.


Assessment refers to carefully considering what data needs to be collected and avoiding collecting data that is not strictly necessary to the functionality of the application. 

For example, when building VR training experience, data may need to be collected to understand how users are experiencing the training - are there common areas of confusion or where improvements can be made to guide users? 

This data should be first requested and then anonymised before it leaves the VR headset to be potentially stored and used to evaluate the training. This ensures that a users privacy chain is maintained and follows GDPR in protecting data by default.

A risk analysis is part of the assessment process and asks important questions on how the required data is handled, stored and distributed. This could include what third-party applications could use the data, what standards of encryption are applied or which region is data stored in a cloud infrastructure. This aims to eliminate blind-spots and build a good understanding of the complete data journey.


Informing users about what and how their data is being used is vital both to satisfy laws such as the GDPR but also to alleviate concerns and establish trust. The XRSI Privacy Framework proposes a minimum, desired and ideal set of graded approaches.

Adhering to laws and regulations and clearly expressing what and how data is being used through a privacy policy is a minimum expectation. 

The desired expectation helps the user by using contextual visual cues and other tools to control their data. This could be through in-app prompts that inform that user what is being requested and provide the opportunity to gain insights into the data.

The ideal expectation extends this further through additional notifications which could include bystanders or observes. For example, to notify that audio is being recorded and shared in their presence.

Essential parts of informing users are consent, context, choice and control. Consent and context are established through informing users in a clear and concise manner what data will be collected and asking in the context to the data to be collected. Wherever possible, the choice should allow the user to decline or be given other options - perhaps choosing to disable features or decline sharing data.

Control provides and builds trust through ensuring collected data is well-managed and that what is collected reflects the users desired outcome in sharing data. 

For example, when sharing audio during a multi-user live VR experience, rather than burden the user with lengthy terms of service upon launching the app, the user can be asked when enabling a microphone and decide if they are comfortable with that data being transmitted to other participants (desired). A well-designed user experience can present the request in a clearly understood and consistent manner. Finally, the collected audio is only used in the way the user would expect - shared only with other participants and not stored.


Safely managing user data through having well-established procedures and processes aims to foster a privacy by default mindset - keeping privacy top-of-mind.

Implementing a privacy awareness education programme, perhaps as part of an employee onboarding process, is a good practical way to create a unified understanding of privacy. This can be supported by a review process, a repeatable and evolving process that can examine how data is being managed, what third-parties may be involved and the standards being applied.

In the event of a data breach, the XRSI framework proposes a responsible disclosure process - at a minimum meeting relevant legal obligations and ideally proactively informing users of potential breaches and the remediation steps being taken. In essence, planning ahead rather than reactively developing a disclosure process when a breach occurs.

The assessment step plays an important hand-in-hand role - by ensuring data is anonymised at the earliest opportunity and only using data that is essential, the impact of breaches can be mitigated.


Developing a company-specific set of security and privacy policies sets a clear and shared understanding of expectations and helps foster a safe-data mindset. When introducing new vendors or using third-party components, having a policy that can be shared can help safely speed the process and remove the ambiguity of expectations around data.

Policies can be implemented at a granular level through identity management which provides access on a  "as needed" basis - making data accessible depending on the rights of the viewer, as opposed to allowing open access within a company. This plays an important role in both enforcement of privacy policies and reduces the risk of exposing data through compromised login credentials or other security issues.

Prevention can encompass the entire journey of data from the VR headset itself. MDM (Mobile Device Management) solutions that are typically used on laptops and mobile phones can also be used to secure and remotely manage VR headsets, allowing data to be erased and ensuring a trusted environment is maintained.

What next?

Design and user experience plays an important role in privacy and poses some unique challenges in an immersive virtual environment. Providing intuitive and clearly understandable privacy choices that align with the XRSI Privacy Framework is part of developing and maintaining trust.

In our next post in this series, we will explore the user experience and the pedagogical and privacy-driven design considerations in developing VR training.

Learn more about the XRSI Privacy Framework

Thomas Bailey
August 12, 2021