In November 2021, the first higher education cohort of the Future of Privacy Forum Train-the-Trainer Program concluded. The Train-the-Trainer program for higher education seeks to multiply people on the ground who can provide basic student privacy support. The author prepared this guest blog as part of her final course project.
Guest blogs and comments represent the diversity of opinion within higher education about data privacy issues. The views and opinions expressed in this blog are the author’s and do not necessarily reflect those of the Future of Privacy Forum.
Merriam-Webster defines privacy as “the quality or state of being apart from company or observation, freedom from unauthorized intrusion.” Some people believe privacy equals secrecy, which is a person’s desire to keep information related (and sometimes unrelated) to them unavailable to others. No matter how we define privacy, we all want the right to control the use of information related to us.
This control includes determining when and how information is shared and when the benefits of sharing outweigh privacy interests. For example, none of us would wear a smart watch or other wearable devices if we were told that we might have to pay a higher insurance fee because of our personal data being shared with our insurance company.
Control over data should apply to students’ information as well. While the Family Educational Rights and Privacy Act (FERPA) was enacted to protect the privacy of students’ education records, students often share and higher education institutions collect more information than necessary; therefore, institutions should consider whether all the data it collects should be treated as education records.
Often, however, students do not realize how much data their institutions collect, and they seldom ask questions about how the data is processed or used.
Usually, students are concerned about their education and health records and believe the institution safeguards that information. Often, however, students do not realize how much data their institutions collect, and they seldom ask questions about how the data is processed or used. For example, most institutions encourage students to use a single identification card that can be used anywhere on campus. In some instances, students can add funds to the card to use as a form of payment both on and off campus.
While students like the convenience of using only one card to access anything, they might not realize the amount of information they provide to the institution each time they use the card. Every time a student swipes their card to enter a facility or room, pay for a snack, use the bus, check out a book or movie, or take a course or test online, the student unknowingly shares personal information, including their personal habits and purchases, with the institution.
In fact, students share this information not only with the institution but also with third-party providers involved in the educational process, such as the learning management systems (LMS) the institution uses. For example, instructors may ask students to introduce themselves or share something about themselves on the LMS, as an ice breaker. Student pictures are also often part of the LMS, which means the third-party provider has access to the students’ images and their ice-breaker information.
Working with the data every day, we can easily forget what is at stake.
As the recipients of significant amounts of non-education-related information, we have a responsibility to protect this data. Anyone who receives any information from students must have the proper training to ensure the information is protected and secured. Working with the data every day, we can easily forget what is at stake.
Additionally, we should notify students of any information we collect about them, and we should allow them to correct or request the removal of unnecessary information from the institutional database. While data regarding attendance or class participation is essential for educational purposes, data related to how students get to campus, what they consider a good ice breaker, or what restaurant or coffee shop they prefer is not. An institution might want to collect such data to enhance students’ experience on campus. But that goal could be achieved by using aggregated data, which means that non-education data should be combined for all students, rather than keeping and processing non-education data about each student separately.
Furthermore, the use of tools and software such as online proctoring, in which software collects large amounts of student information (e.g., video and audio recordings through students’ webcams and microphones), and exam environments should be analyzed extensively prior to implementing or requiring their use. Before contracting with a company that offers an invasive proctoring practice, an institution must ensure the protection of students’ privacy and that any secondary use of students’ information is limited.
There is no one-size-fits-all regulation to protect students’ privacy.
There is no one-size-fits-all regulation to protect students’ privacy. While FERPA is still the prominent regulation that institutions rely on, it was last updated in 2011. Therefore, it has not kept up with technology use and third-party companies that provide technology services to institutions. Especially during the past year-and-a-half, when institutions had to enact distance education swiftly, many students were forced to accept third-party providers’ terms, to finish their education. If a student disagreed with these terms, there was no room to push back when using the applications was required.
While distance education was an excellent solution for the problem at the time and may continue, institutions should recognize their heightened responsibilities resulting from that adjustment. Higher education institutions should consider a broad approach to the term “education records.”
FERPA defines “education records” as follows:
(a) The term means those records that are:
(1) Directly related to a student; and
(2) Maintained by an educational agency or institution or by a party acting for the agency or institution.
This definition should also apply to any information collected by third-party providers during the course of a program. Institutions are responsible for ensuring that third-party providers meet Fair Information Privacy Principles, including
- Transparency regarding how the data is used;
- Limiting use of the data to its intended purpose;
- Giving students the opportunity to correct errors;
- Enabling students to opt out of any data mining unrelated to educational purposes;
- Keeping collected information secure.
These are only a few requirements that both institutions and third-party providers should consider.
In 2014, the Director of the Electronic Privacy Information Center’s Student Privacy Project proposed a Student Privacy Bill of Rights, which proposed several rights allowing students to have control over their data. Now, seven years later, there are still no meaningful regulations that give students control of their data. However, institutions continue to collect student data more aggressively to create more targeted advertisements.
While students’ privacy mattered before, the significance of protecting it become more prevalent during the past year-and-a-half since the students had to share more information with institutions than usual. Therefore, now more than ever, institutions should consider reviewing their data collection policies and permitting the students to control the extent to which an institution uses their data.