Considering Student Privacy

  Reading time 8 minutes

Your password will expire in 10 days. Your connection is not secure. Would you like to enable two-factor authentication? Do you want to trust this site?

We are frequently reminded that security breaches are not impossible and no captcha is foolproof. Each day our actions impact our digital footprint and as educators, we are doubly tasked with accounting for what we require of students. While all modalities of teaching can take advantage of incredible opportunities provided by exciting and creative digital tools, in the words of the late Stan Lee: “with great power, there must also come great responsibility.”

Back when I did professional development for K-12 teachers, I would devote part of the talk on Copyright and Fair Use on being good custodians of student data and work. It may be exciting to have students experiment with a new tool, fostering them as digital creators, but we must be actively aware of our impact and potential long-term consequences (both positive and negative).

There is no listicle that can ensure you are managing your and your students’ privacy perfectly in today’s complex landscape, so doing your homework is critical. Here are a few considerations to get you started:

Consider ownership:

If you use a password manager (which is strongly recommended), you may have a general idea of how many accounts you have created over the years. Too many, no? It seems that every demo, every trial requires a new login.  Thankfully, your institutional login grants you access to all university supported tech (either through in-house support or license agreements) in one credential. Institutionally supported tools will also have the backing of your organization’s IT or information security groups.

Each account you ask students to create beyond their institutional credentials increases the chance of data loss, even if it is not FERPA-protected information. Additionally, you should consult with your instructional designer before embarking on a new project to see if there are institutionally-supported tools that already fulfill the physical and/or pedagogical requirements of your idea. 

If you decide that a new tool is merited, do a bit of homework on the tech itself. Does a search bring up headlines of chronic security breaches? Does the creating/owning company work with hundreds of other universities? By looking at the landscape surrounding the tool and carefully considering why you want to use it, you are better positioned to make a sound decision and prevent a loss or leak of data.

Now, extend your analysis of control to the content generated. Are there redundancies and backups in place? Can you easily export data? Did you agree to the sale of created content via the Terms of Service you actually didn’t read?

Not every service or app is the villain, but if you or your institution are not the owner of the platform, set a quarterly or annual tech-audit for yourself to check for changes in policies, updates to platforms, and possible maintenances that may need to be implemented before the next course offering (you can tie this to your personal data audit).

Consider permissions management:

While we often focus on making sure there is a strong barrier between the “outside world” and our student data, we must also manage that security within class spaces.  A faculty member may want students to record themselves conducting counseling sessions for a project, but then those sessions should not be accessible to other students. Choosing a tool that enables varying levels of permissions and managing access will help avoid data involuntary sharing. While some might think a generic, shared login for the class may be easier, it is certainly not the right solution and ripe for abuse.

Another example is a faculty member wanting students to blog for a course. Who will have access to the blog? Is it public facing or only open to those in the course? Even though this level of management might add a bit more work up front for you as the instructor, it pays dividends later on through more secure spaces and better organization.

Additionally, some might think controlling permissions is as easy as setting a Google Doc to “invite only,” but will students need to share their personal emails to access it? Or will it be mandated that they also sign up for a Google account? Each of these scenarios need to be thought through carefully before asking or requiring things from students.

 

Consider the noise:

Today’s students increasingly view technology as an extension of themselves with respect to how they communicate, manage friendships, and consume information[1], but they are also skeptical about whether technology improves learning.[2] Ask them to join another service and you may get a heavy eye-roll, with good reason.

Each time you add a step or click between your student and their task completion (software and hardware), you add noise. Noise distracts, taxes patience, and impacts overall quality of experience. Noise also increases chances of data leakage.

Does the service have a confusing user interface? Does it only work on certain platforms? Will students have to install an app on their personal devices? Not only are these important considerations for cognitive load, they also impact to what extent students become aware of privacy and security settings (and may be signs that there are higher risks for data loss).

Furthermore, to what extent will you require students to use a tool? Can the assignment be created using other institutionally supported-tech? Is this just an experiment and optional pathway for students to explore? Not only will self-assessment help monitor equity in accessibility, but it can help you prepare for where student data will live. Consider how “opt-in” your classroom is and to what extent students have to juggle their personal and academic profiles/data.

No matter what tool you incorporate, be sure to post a link to the tool’s privacy statements on the course site. This best practice of instructional design helps increase transparency and can help assess the security of tools (including whether they are GDPR (General Data Protection Regulation) compliant)

Consider Logouts:

Remember that people unfortunately forget to log out. Does the tool you have in mind include auto-logouts or timed inactivity sessions? Are you asking students to use a public device accessed by others? Minimize the chances that when the next user hops on the device or a student forgets to sign out of their session, you are not helping leave an open door.

[1] “The New Generation of Students: How Colleges Can Recruit, Teach, and Serve Gen Z,” The Chronicle of Higher Education. September 2018, 4.

[2] Ibid., 30.

About John Gieger

John Gieger leads the Center for Educational Technology in DePaul’s College of Education. After several years in digital archiving, John came to DePaul in 2013 to work in Teaching with Primary Sources, a program sponsored by the Library of Congress. Since 2016, he has been working to effectively integrate tech into classrooms and curricula. His professional interests include Interdisciplinary education, pedagogica/andragogical strategies, and drinking gratuitous amounts of coffee.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.