© 2010 Merri Beth Lavagnino. The text of this article is licensed under the Creative Commons Attribution NonCommercial-ShareAlike License (http://creativecommons.org/licenses/by-nc-sa/3.0/).
EDUCAUSE Review, vol. 45, no. 5 (September/October 2010): 104–105
Today's educators are faced with a multitude of tools (e.g., collaborative workspaces, chat rooms, blogs, wikis, and podcast/video sites) that offer new potential for engaging students in learning. When such tools are institutionally provided, instructors can be confident that relevant policy issues have been addressed. But many instructors also want to use third-party hosted tools that are not yet offered by their institution or that are impractical or impossible for the institution to implement or purchase. Institutions struggle with how to appropriately manage the review of these tools for compliance with policy and applicable law concerning data privacy, security, and protection of intellectual property rights, especially given the exploding use of these tools and the typically limited number of knowledgeable staff to conduct reviews.
So if an institution can't keep up with all of these tools, what can it do? Some higher education institutions provide guidance for their instructors to perform reviews themselves. For example, the Indiana University Teaching Handbook includes a section titled "Use of Social Networks, Blogs, Wikis, and Other Third-Party Hosted Tools in Instruction,"1 which builds on an excellent and more succinct model created by the University of Wisconsin–Madison,2 to assist its faculty. Such detailed guidance is necessary for complicated or inventive uses of technology in instruction. But will the majority of instructors dabbling in the use of such tools spend the time needed to carefully consider all the issues outlined? Or will they glance at the length of these laundry lists and decide against dabbling at all, thus missing an opportunity to increase student engagement?
In fact, some Indiana University faculty have responded to the university's comprehensive self-service guidance by requesting that administrative staff conduct the reviews rather than asking instructors to do so. Certainly this would be ideal, reducing duplicative efforts and better ensuring that all risks are accounted for and addressed. But this may not be feasible, especially when staffing is lean, and the time delay required for a third party to review the instructor's plans may also introduce a barrier to faculty innovation.
Institutions may want to consider another strategy. In most cases, risks associated with the use of these tools can be minimized through the instructor's proactive review of just the most critical risks, ensuring that student engagement can be enhanced without endangering the institution.
Just How Risky Is the Technology Tool?
IT and legal professionals tend to exhaustively identify the policy, security, privacy, and legal issues associated with a new and innovative technology, treating each issue with the same level of importance. It is true that all issues need to be identified, but not all of the issues need to be considered equally. Moreover, issues may pose different levels of risk when the technology is used for different purposes; for example, an increasing number of institutions have outsourced student e-mail but not employee e-mail.
The most common uses of such technologies in instruction today do not pose the same level of risk as would be the case if the tools were used in, for example, e-commerce, donor relations, or patient care. Keeping this in mind, and as a measured response to the faculty request regarding reviews, a team at Indiana University3 evaluated the issues associated with uses of "cloud" technologies,4 consulted instructors about how they used third-party technologies in instruction, and strived to whittle the guidance down to the minimum necessary for the majority of instructional situations. Only three directives to instructors emerged.
#1: Don't put any information classified as highly sensitive into a third-party service without entering into a contract with the vendor.
Institutions should have a data-classification scheme, which identifies the information requiring the very highest level of protection.5 If the pedagogical objectives of the course require the instructor or students to enter this type of information into the third-party system, the instructor should not use the system without working with the appropriate institutional office to contractually require the service to comply with necessary security and privacy policy, law, and regulation. Fortunately, very few instructional activities will require the use of highly sensitive data, so the vast majority of instructors can move on to the second directive.
#2: Don't put any data covered by FERPA into a third-party service without entering into a contract with the vendor.
The Family Educational Rights and Privacy Act (FERPA) does not prohibit instructors from allowing students to use third-party tools as part of course activities. Content created by students when using such tools to fulfill course requirements (e.g., creating blogs on WordPress, posting videos to YouTube) should not be considered "student education records" under FERPA. However, copies of such records that are maintained by instructors in their own files do constitute FERPA-protected "student education records." If an instructor needs to disclose FERPA-protected student education records to the third-party service in order to meet pedagogical objectives, the instructor should not use the system without working with the appropriate institutional office to contractually require the service to comply with FERPA.
In most instructional situations, the third-party tool will be used only by students; for example, students will post to Twitter or Blogger, or create a survey in SurveyMonkey, or work on collaborative projects with their classmates using Google Docs. It may take a few moments of planning, but the instructor can usually figure out a way to maintain his/her FERPA-covered files using institutionally provided tools. This allows most instructors to move on to the third directive.
#3: Don't give away intellectual property owned by others.
This third directive is likely the only one that requires an investment of time by most instructors. First, as in all instructional situations, the instructor should be sure that use of copyrighted materials incorporated into content uploaded to third-party tools complies with copyright law. Additionally, institutions should have an intellectual property policy that outlines who owns the rights to various materials created or used in support of the institutional mission (e.g., traditional works of scholarship; works submitted by students to meet course requirements). The instructor should review the terms of service of the third-party tool; typically, the provider claims a license to copy, adapt, and share the content as needed to enable the user to access and use the service. If the license exceeds this limited scope, the instructor should ensure that the owner of the rights (typically the institution, the instructor, or the student) agrees with these terms.
If the rights are owned by the institution, instructors and students usually may upload that content to third-party tools only if one of the following conditions exists:
- The terms of service for the site do not grant the third-party host or other parties rights to the content, other than a limited license to use it for the purpose of enabling the user's access to and use of the third-party service; or
- the user has otherwise obtained permission from the institution.
A standard institutional copyright notice typically must be included when the content is uploaded.
If the rights are owned by the instructors or students, they should review the terms of service to ensure that they understand and are comfortable with those terms, and they should consider placing copyright notices on their content.6
Summary
In nearly all cases of using technologies to increase student engagement in learning, instructors can focus on three key risks: highly sensitive information, FERPA-protected information, and intellectual property. This leaves a small number of complex and inventive projects that will require additional scrutiny and full administrative review of the additional risks.
The policy, security, privacy, and legal issues related to using tools not hosted by an institution can be great, but providing lists of issues without a consideration of the corresponding risks associated with particular uses will cause policy to become a barrier to—rather than an enabler of—student engagement.
1. "Use of Social Networks, Blogs, Wikis, and Other Third-Party Hosted Tools in Instruction," Indiana University Teaching Handbook, <http://www.teaching.iub.edu/thirdparty_apps.php>.
2. University of Wisconsin-Madison, "Guidelines for Use of Non-UW-Madison Applications and Services for Instruction," <http://www.cio.wisc.edu/policies/Non-UWAppsServicesInstruction.doc>.
3. Many thanks to my colleagues Beth Cate, Associate General Counsel, and Kate Ellis, Instructional Technology Consultant.
4. See, for example, Karla Hignite, Richard N. Katz, and Ronald Yanosky, "Shaping the Higher Education Cloud," an EDUCAUSE and NACUBO White Paper, May 2010, <http://www.educause.edu/Resources/ShapingtheHigherEducationCloud/205427>; Steve McDonald, "Legal and Quasi-Legal Issues in Cloud Computing Contracts," <http://www.educause.edu/section_params/conf/CCW10/issues.pdf>; Office of the Vice President for Information Technology, University Information Policy Office, Indiana University, "Use of Cloud Computing," August 26, 2009, <http://informationpolicy.iu.edu/resources/articles/cloud_computing>; and EDUCAUSE Learning Initiative, "7 Things You Should Know about Privacy in Web 2.0 Learning Environments," September 2010, <http://www.educause.edu/ir/library/pdf/ELI7064.pdf>.
5. The following list addresses most, if not all, sources of serious risks: Social Security numbers, credit card numbers, debit card numbers, bank account/financial account numbers, driver's license numbers, state ID card numbers, student loan information, foundation donor data, protected health information, individually identifiable health information, and passphrases/passwords, PINs, and security/access codes. Often, one of these elements needs to be accompanied by an individual's name in order to result in harm, but not always.
6. The Creative Commons license generator can help instructors and students create simple copyright notices that allow others to copy and distribute their works but that still require certain conditions, such as proper attribution. See "License Your Work," Creative Commons, <http://creativecommons.org/choose/>.