Consenting Adults? Privacy in an Age of Liberated Learning Data

Key Takeaways

  • A number of questions and issues confront educational technology leaders seeking to align system or campus policies, cultures, and practices with increasing faculty and student use of free online learning tools and services.

  • The University of California is raising awareness about privacy concerns in a draft document of principles addressing learning data privacy and recommended practices.

  • Continuing the conversation about data privacy benefits everyone: institutions, faculty, students, and the companies that provide free tools and services.

"Why isn't your generation concerned with data privacy?" asked the professor.

"Because we've never had it," replied the student.

An expanding number of commercial and free instructional tools and services are being marketed by third-party suppliers directly to higher education faculty and students. Until recently, learning data enjoyed at least three levels of protections: First, learning tools and services were developed on campus or introduced through traditional administrative processes, which ensured compliance with policies and provided safeguards. Second, indirect protections existed when tools or services proved too costly or technically demanding to be launched by individuals. Finally, protections existed because the kinds of learning data we are addressing here rarely left campus: learning materials, faculty and student discussions, assessments and evaluations, etc. were constrained by human proximity and the physical classroom.

Today, however, acquiring and using online tools and services is simple. Suppliers make it easy for users to sign up and use a tool, and when the tool is offered for free, users bypass the negotiation and purchasing processes between universities and their suppliers. Unconstrained by campus agreements, these suppliers gain new access to data and intellectual property — access that primarily benefits those who have commercial interests in tapping into and accumulating university, faculty, and student data. It is expected that businesses will seek to maximize the value of content under their control, and companies like Google and Facebook have built empires by deriving revenue from undervalued data and content. A common commercial approach is to entice customers with one high-value service, then build out additional services to create a suite of experiences that keep customers engaged. This type of service expansion can have huge value for all parties involved, but in some cases the added-on services create value exclusively for the business while progressively dismantling protections that university stakeholders expect from third-party instructional service providers.

Thus, the introduction of these new tools and services may directly or indirectly impact campus positions on data privacy, accessibility, intellectual property rights, procurement processes, user-targeted free services, business practices, and more, resulting in an increasingly complicated set of data relationships between institutions, faculty, and students; between policies and practices; and between campus and commercial cultures.

In this article we highlight some of the questions and issues confronting educational technology leaders at the University of California (UC) seeking to align system or campus policies, cultures, and practices with increasing access to and use of free online learning tools and services. It was within this context that the system-wide UC Educational Technology Leadership Committee (ETLC) conceived a set of baseline aspirations to address privacy concerns about the use of learning data, culminating in the draft University of California Learning Data Privacy Principles and Recommended Practices.[1]

The core questions and issues are not new, nor is the UC alone in considering the consequences surrounding learning data. Twenty years ago, David Noble raised concerns about the impact of technology and privacy on higher education; in his 1997 article, “The Automation of Higher Education,” Noble asked:

What third parties (besides students and faculty in the course) will have access to the student’s communications? Who will own student online contributions? What rights, if any, do students have to privacy and proprietary control of their work? Are they given prior notification as to the ultimate status of their online activities, so that they might be in a position to give, or withhold, their informed consent?

More recently, many groups and individuals have begun to think about these issues from multiple perspectives. Thus, the UC Principles draw inspiration from associated undertakings, such as the Asilomar Convention for Student Data Use, which considers the ethical and privacy rights of students in learning environments; the Privacy Technical Assistance Center (PTAC) of the U.S. Department of Education, a resource to learn about student data privacy, confidentiality, and security practices; and, although not directly related, the Leiden Manifesto for Research Ethics [http://www.nature.com/polopoly_fs/1.17351!/menu/main/topColumns/topLeftColumn/pdf/520429a.pdf], which calls for responsible use and evaluation of data when applied to research and researchers.

New Learning Tools

When we speak of a new breed of tools and services, we refer to online platforms designed to enhance teaching and learning, including discussion forums, grading tools, polling apps, and more. Use of the tools varies according to functionality, but may include students interacting with faculty course materials uploaded to the company's site. Many participants welcome the use of tools like these because they offer benefits to faculty and students alike by easing some of the administrative burden of teaching, such as grading. People choose to use tools like these for a variety of reasons, including:

  • New or advanced functionality difficult to replicate using campus resources
  • A focused solution to a specific instructional task
  • Easy-to-use interfaces
  • “Free” use

The new entrants in the educational sector who develop free learning tools and services might not be aware of the myriad data policies, concerns, or cultures, or prepared for the full implications of offering these tools and services to universities. When faculty and students use their wares for free, they may unwittingly bypass conventional campus procurement or review processes and introduce new levels of risk to the university, such as not meeting accessible technology standards. Furthermore, the click-through agreement terms of use — which are often based on typical "boilerplate" language — might have significant and far-reaching implications for faculty and students, such as surrendering their intellectual property rights and subsequently having their data (mis)appropriated for unintended purposes.

Defining Learning Data

In the context of the Principles, we define "learning data" as encompassing the broad scope of data uploaded to and generated by these tools. For example, learning data may be:

  • Learning content, including course materials and other learning artifacts created and uploaded by faculty, such as slides, videos, exams, or discussion prompts.
  • Automated or human assessment and evaluation, including faculty exam questions and answers. This is often objective content, such as the correct responses for multiple-choice questions, but also extends to in-depth commentary.
  • Human added-value content, which may be built around that data. Students and faculty contribute additional value to the course materials by commenting on papers, annotating readings, participating in discussions, and more. This subjective content amounts to "crowdsourced" data supplementing the original objective materials.
  • Platform tracking content, including tracking usage and providing functionality like up-voting a discussion thread. This allows suppliers to know, for example, which specific material users appear to find valuable based on the content they clicked on or responded to most.

Sources of these data can span the entire university and social media landscape, including student information systems, learning management systems, connected cloud services, and even clickers or mobile apps.

Data Collected

Specific data collected from systems like these can include:

  • Enrollment information, consisting not only of the courses students and faculty are connected with but also their degree or program affiliation, such as majors
  • Personally identifiable information (PII) such as name, email, phone number, mailing address, birth date, gender identification, etc.
  • Current location using IP address or GPS identifiers
  • Application activity, which traces what users are doing click-by-click in an application or platform and provides student activity measures in courses
  • Application preferences, including specific tool settings such as how large the font type is in an e-book reader
  • Performance indicators such as grades, frequency and length of discussion posts, and more
  • Financial information such as Pell Grant recipients
  • Health information, which could be obtained when student ID cards are used to door-swipe into the Student Health Center
  • Connected classmates, including networks of fellow students organized by course. In our networked world, if you are a once-removed, connected classmate, you likely do not have a say in whether your information is exploited.

Suppliers harvest all these data and potentially transform them into proprietary assets, often without agreement or obligation to a university, its faculty, or its students. Thus, the variety of data from these sources can be very specific and — depending on your perspective — perhaps intrusive.

Introducing the Draft UC Learning Data Privacy Principles

Considering the growing influence of data in our world, a fundamental belief underpinning the University of California Learning Data Privacy Principles and Recommended Practices is that the University of California should have a say in how third-party suppliers collect, use, and manage our data. The UC believes retaining ownership, intellectual property use rights, and control of these data and activities remains an important principle for the integrity of academic freedom and to ensure compliance and consistency with existing campus policies and practices.

The Principles emerged from existing UC work, such as the Privacy and Information Security Initiative Steering Committee Report to the President endorsed by former University of California President Mark Yudof and by the UC Academic Council in 2013. Our Principles are intended to provide a specific use case around learning data, and align with the earlier Yudof report.

The list of Principles includes six ideas, summarized here:

  1. Ownership: The UC, faculty, and students retain ownership of the data and say over how their content is used. This has implications for Terms of Use.
  2. Ethical use: Learning data is governed by pedagogical and instructional concerns.
  3. Transparency: Data owners have a right to understand the particulars of how their data is collected and used, including transformative outputs (such as visualizations).
  4. Freedom of expression: Faculty and students retain the right to communicate with each other without the concern that their data will be mined for unintended or unknown purposes.
  5. Protection: Stewards will ensure that learning data is protected in alignment with regulations regarding secure disposition.
  6. Access and control: Data owners have the right to access their data in usable, transferable formats.

In addition to developing these principles, the ETLC is also recommending a set of practices, including:

  1. Ownership: Service providers will recognize learning data ownership and access as a right of the faculty and students.
  2. Usage rights: Through a user’s profile settings, the service providers will enable users to control the use of their intellectual property. Thus, it will be the user’s choice to grant royalty-free, perpetual, irrevocable, worldwide license to their content.
  3. Interoperable data: Service providers will provide learning data to the institution in recognized standard interoperability format(s).
  4. Data without fees: Service providers will not charge the faculty, students, or other university learning data stewards for accessing our data.
  5. Transparency: Service providers will inform the UC about the learning data they collect and how these data will be used.
  6. Opt-in: Students will have a choice about the learning data collected.
  7. Service provider security: All service provider platforms on which student learning data are stored will conform with UC- and state-mandated security procedures.
  8. Campus security: UC learning data stewards will ensure that all faculty and student data are stored securely in conformance with university data security policy.

What are the next steps for the Principles? We recognize these principles are aspirational, not policy or guidelines. Our writing team will continue to seek and obtain comments and suggestions to revise the draft. We are socializing the issue across the UC and will continue outreach to partners such as EDUCAUSE, IMS Global, and commercial entities.

Meanwhile, various other approaches to addressing concerns about learning data privacy are taking shape. Consortia are stepping up to negotiate in a coordinated way across multiple institutions. For example, the University of North Carolina developed a Learning Technology Commons [http://unc.learntrials.com/faqs/] portal with LearnTrials to help faculty discover new technologies and share feedback about products. The portal also assists suppliers by streamlining the procurement process and presenting Terms and Conditions that meet both university policies and state and federal laws.

Another example is the UC Irvine Tools and Services Directory [http://sites.uci.edu/cloud/] containing high-level summaries of tools that have either been reviewed or are in process of review. The directory provides guidance on typical uses for the tool or service; how functional a tool is; whether it meets their campus privacy, security, and legal standards; and whether university use is covered by a supplier contract.

To return to the student’s response at the beginning of this article, we hope that by bringing these Principles to the community we can raise awareness of learning data privacy issues. Recent events have illustrated that higher education can come together and influence the marketplace in a meaningful way so that suppliers will do the right thing by their higher education partners. Continuing the conversation benefits everyone: institutions, faculty, students, and the companies that provide these useful tools and services.[2]

Notes

  1. The ETLC writing team includes Mary-Ellen Kreher, UC Office of the President; Jenn Stringer, UC Berkeley; Jim Phillips, UC Santa Cruz; and Jim Williamson, UC Los Angeles. Many thanks also to other ETLC members who provided input on the various versions of this draft. The Principles remain in draft form because they have not yet been formally endorsed by the University of California nor reviewed by university counsel.
  2. See, for example, Phil Hill, "University Responses to Piazza: Some good, some bad, some web site changes," eLiterate, November 21, 2016.

Jim Williamson is director of Educational Technology Systems and Administration, Office of Information Technology, University of California, Los Angeles.

Jim Phillips is director of Learning Technologies, Information Technology Services, University of California, Santa Cruz.

© 2017 James W. Williamson and James McSpadden Phillips. The text of this article is licensed under Creative Commons BY-NC-ND 4.0.