As part of our edtech coverage, Eduventures is seeking out incubators, community forums, and seminars dedicated to emerging technology companies and individual entrepreneurs. We recently attended the Educelerate conference on “Personalization and Student Success” in Chicago, IL, along with education technology professionals from both well-established businesses and startups. Whatever their company’s status, all the attendees were committed to figuring out how to develop tools and services that teachers and students will use.

A common thread of discussion emerged about data access and use—a topic that appears quite often in our research on personalized learning technology for higher education. To achieve personalized learning, we must leverage traditionally untapped sources of data. This challenges traditional policies and procedures governing the appropriate use of student data. Issues around data acquisition, its use, and its impact on the adoption of new technology have been consuming a significant amount of institutions’ instructional development time and participating edtech companies’ research and development budgets. While challenges around the access, security, and privacy of the data used in adaptive learning certainly exist, institutional buyers of this technology need to get on the same page with their vendors in order to clear these policy hurdles.

It’s (Not) My Data, and I’ll Use It if I Want To

Emerging technology is creating or using new data types with inherent privacy and sensitivity implications that must be incorporated into policies, as well as data literacy and training programs for educators. One type that educators are struggling with is data gleaned from students’ social media accounts. I asked the Educelerate panel on “Personalized Persistence” whether the use of social media data to identify at-risk students was creepy or justified, and the executives on the panel offered both progressive and prohibitive responses. One responded, “The notion that there are things going on in our life that Google or Twitter doesn’t know about is false… If a student says something concerning and posts it publicly, you have the right to use it.” Another panelist immediately rebutted with a simple, “That is definitely creepy, and we shouldn’t do it.” These differences of opinion are representative of what Eduventures hears time and again from our clients and the general edtech community. There is a wealth of data available to institutions to personalize learning, retention strategies, and interventions, but it is unclear whether policy, regulation, or legislation would allow its use.

Take, for example, a recent report from the Data Quality Campaign on student data privacy legislation enacted in 2015. Of the 182 bills that 46 states introduced to address student data privacy, only one bill, in Illinois, applies to vendors serving higher education. Of the attention being paid to issues of data security, privacy, vendor terms of use, and data sale and retention policies, the overwhelming majority is on P-12 service providers and those that serve students under the age of 18. This is because the guiding regulation (i.e., FERPA) only applies to service providers under contract with institutions of higher education and only for a discrete set of data elements that qualifies as an educational record. The American Association of Collegiate Registrars and Admissions Officers (AACRAO) has provided a recommended policy template for the retention of student records. However, it can be hard to enforce these policies with vendors when students subscribe for services directly. Vendors should implement standards-based retention policies to help institutions comply with their internal controls, while striking a balance with keeping anonymized longitudinal data for analytics purposes. Without a legal contract or financial incentive to do so, vendors are more likely to implement data retention policies that give them flexibility to use data assets as they see fit.

Don’t Worry, It Won’t Go on Your Permanent Record

Emerging data types, such as biometrics for identity verification and social media posts, are not typically considered part of the educational record. In some cases, the contractual relationship (if it exists at all) is with the individual student or faculty member—not with the institution. Increasingly, faculty are seeking out innovative technologies for their individual classes and trying to hedge against perceived weaknesses in institutional IT support. This was the case at Rutgers University, where a faculty member set up an alternative LMS to circumvent ongoing cyber attacks.

In these instances, the only regulations that concern edtech providers are those implemented by the FTC—not those introduced by the Department of Education. The FTC’s interpretation of vendors’ terms of use and privacy policies will be the only source of accountability. This is particularly concerning, since student and faculty users of learning technology rarely read the fine print. Since 2009, there has been an effort to introduce a framework of “privacy nutrition labels,” intended to present these agreements in a more visual, interactive way, but it has yet to be implemented in any edtech products. Even Mozilla’s attempt at a similar set of privacy icons has seen little to no adoption. Higher education edtech vendors are simply not yet motivated by external pressure or institutional incentives to make their privacy policies more readable and understandable.

Given the lack of service provider regulation, particularly in higher education, it’s not surprising that some institutions have delayed implementing data collection from nontraditional sources. One Educelerate attendee, Jamie Candee of Questar Assessment, summed it up perfectly: “Policy has a direct impact. It can either empower or constrain innovation in education.” Eduventures expects that it will be quite some time before the regulatory environment changes significantly. In light of this prediction, we encourage institutions to take concrete actions to determine whether an edtech vendor will fit their interpretations of existing policy and to take advantage of the products and services that can impact student outcomes today:

  • Review service providers’ terms of use and privacy policies for compliance with institutional policies on data security and student privacy. Highlight discrepancies with vendors during contract negotiations and ensure that services can be aligned prior to implementation.
  • Perform an audit of the free, freemium, or paid services your faculty and students are using that do not have a formal contract with the institution. You may be quite surprised by where your student records are being shipped without the IT staff’s involvement or registrar’s approval.
  • Poll your students to determine whether they would be comfortable with their publicly shared social media posts being used for academic purposes. Students are typically willing to share data with their school if they know it will be protected and used to provide them or their peers with support services.
  • Ask vendors how faculty can download a copy of their own course or section data directly from the vendor without requiring IT staff assistance. The Office of Educational Technology within the Department of Education provides a technical specification, called MyData, that vendors can use to ensure any type of educational record’s portability between systems and vendors.

At the Eduventures Summit this November, I will interview Kathleen Styles, Chief Privacy Officer at the Department of Education. Our conversation will focus on the role the federal government can and should play in establishing privacy regulations that apply to vendors serving higher education. We will also discuss how proposed changes to FERPA will or will not apply to those same vendors and the impact that student data privacy is having on technology adoption in higher education.