When Learning Analytics Violate Student Privacy
With education technologies increasingly using analytics to measure and assess student learning, there is a lot of data flying around on higher education campuses. How are institutions establishing principles and polices around the responsible use of that data? So far, few have published clear definitions of learning data or guidelines for how students' data can be used or shared.
One exception is the University of California system, which has created a team to develop UC learning data privacy principles and recommended best practices for its campuses. The issues being addressed involve both student consent as well as university contractual relationships with third-party vendors.
"Higher education institutions are beginning to realize that students' learning data is everywhere — it is in vendors' platforms, and we don't necessarily own it," said Mary-Ellen Kreher, director of course design and development for the Innovative Learning Technology Initiative at the UC Office of the President. "At UC, we began to recognize a few years ago that this was becoming a problem."
Kreher is one of a small group of executives from across the UC system who has worked to elucidate a set of principles. She said some campuses, such as UC-Berkeley, have directly sought students' input into how their data should be used.
"We started to recognize that vendors were starting to upsell their own products and services to students because they know who the students are and how to get in touch with them.” — Mary-Ellen Kreher, University of California
"Students have a right to know how their data is being used and who uses it," she asserted. There is general acceptance that faculty will use learning data in their teaching and that the campus holds that data. But when universities start doing interventions as part of student success initiatives, students begin to question what types of data about them are being combined.
"We also found was that some vendors were using student data to commercialize or sell them products," Kreher said. "That really struck a sour note across UC, when we started to recognize that vendors were starting to upsell their own products and services to students because they know who the students are and how to get in touch with them."
One complicating factor in addressing those concerns is that faculty members sometimes use apps or low-cost software in classes, and those vendors employ click-through agreements — not contracts negotiated at the university level.
Questions of Consent
Chris Gilliard, an English professor at Macomb Community College in Michigan, studies privacy, institutional technology policy and a concept called "digital redlining," which he defines as the re-invention of discriminatory practices through data mining and algorithmic decision-making. In a Future Trends Forum discussion hosted by futurist Bryan Alexander, Gilliard expressed skepticism about learning analytics in general and concern about the consent aspect.
"I think the most important thing we can think about when we talk about these issues is consent. So much of student analytics never asks the students what they want," he said. "The web as we know it is a faulty model. By the nature of you being on this website or using this service, I take the right to follow you everywhere and extract anything I want from you. There are a lot of things wrong with that. I am very critical of importing that model and using it on students. At least say to people, 'Here is what we want to do, and here is how we think it would help you.' If we just did that, which we don't in most cases, we could have different discussions."
Yet disclosure and consent is not that simple, pointed out Alan Rubel, a professor at the University of Wisconsin and co-author of the paper "Student Privacy in Learning Analytics: An Information Ethics Perspective" in the journal The Information Society. Determining what students' rights should be — in terms of consenting to how their data is used — could open up a huge can of worms for universities, he said.
"It is not clear what counts as a student record under FERPA [The Family Educational Rights and Privacy Act]," Rubel noted. "Do individual data points count as records or not? That is a big issue. Creating opt-out procedures would be really onerous and likely impossible," he added. "I don't know that there should be an individual consent procedure, but I talk with my undergraduates and they are surprised about how much information is collected about them. I would like to see students made aware, so they can protest, object or decide for themselves what they think about it."
Working with IT Leadership at UC
The UC team has been meeting once a month for a few years to research both what other universities had done to address privacy issues as well as existing data privacy and security policies across UC itself. "We crafted a set of principles and recommended practices," Kreher said. "The principles guide the practices. If the principle is that the student should have a say over how his or her data is being used, then the practice is that when you are negotiating with the vendor, you write into that agreement that the student has to opt in, not opt out. That was one of the key things we came up with."
The group is now working with the IT leadership council, a university-wide group of CIOs, to formalize the best practices. "We are still in discussion about how these can be made more formal," Kreher said, "but each campus is already using the recommended practices in negotiations with vendors."
Kreher also said she applies the data privacy recommendations to her own work every day. The UC's Innovative Learning Technology Initiative runs a central learning management system and it has a number of learning applications integrated with it. "We also run a cross-campus enrollment system, so students at any campus can enroll in online courses offered at other campuses," she explained. "So in our negotiations with vendors, we have data security addendums or exhibits, and we negotiate using these privacy principles. We look for opt-ins instead of opt-outs. We are about to go through another round of reviews of various legal agreements. My goal is by this fall to have them all updated with these principles."
The MOOC Puzzle
When massive open online courses were developed, they raised new questions about the types of data they were generating, said Mitchell Stevens, director of the Center for Advanced Research through Online Learning (CAROL) at Stanford University (CA), who has convened several groups across higher education to look at the ethical issues surrounding student data.
Among those questions: Should participants taking Stanford MOOCs be considered Stanford students? If the answer is yes, then FERPA might apply. Are MOOC learners customers? If the answer is yes, then consumer protection laws apply. Are MOOC learners research subjects? If the answer is yes, then human subject protocols might apply.
"It was a new puzzle that was creating a lot of anxiety at Harvard, Stanford, MIT and other schools doing something like this for the first time," Stevens said. With funding from the National Science Foundation, he helped convene a meeting in 2014. "We came out of that affirming the notion of MOOC learners as learners, not students, on the grounds that universities have fiduciary responsibilities to students of a certain type, and a student relationship is a certain type of contractual relationship, which is reflected in the use of the term learners as a larger category. But it turned out that MOOC learners are easy compared to the data describing students."
In 2016, CAROL worked with the nonprofit education research group Ithaka S+R to convene a group of about 70 higher education scholars and leaders from a diverse set of schools and other education organizations, to think through what ethical responsibility regarding student data might look like.
"Our inherent conceptions of student privacy and data security were built in a period of paper records, in which different strands of information describing students were not so easily integrated," Stevens said. "Now we can combine any data an organization has about students in a digital platform, so that raises very large questions about what is part of the student record and what is not. Are card swipes in the cafeteria part of the student record — or completely extraneous? There isn't an obvious technical answer to a question like that."
Today, educators often share the task of instruction with multiple parties, many of which are for-profit firms, Stevens noted. For instance, Stanford uses Instructure's Canvas learning management system. Canvas has a great deal of information describing basic educational processes at Stanford. Whose data are those?
"We tried to frame conversations and make a mark in the landscape so that as these questions continue to be discussed, we won't have to reinvent the wheel every time," Stevens said. Referring to the effort at the University of California, he thought it understandable that large public systems would be further along because they have greater obligations to be transparent than private institutions, "but we all face these questions," he said. "We can think about them in technical or compliance terms, but I prefer to think of them as a large ethical opportunity — what is the right thing for an educational institution to do?"
Learning from the EU
The European Union's General Data Protection Regulation (GDPR) goes into effect later this month. That means universities in Europe and the UK have to reconsider how they inform students and staff of the personal information being collected about them, as well as the purposes for which it may be used, including any results of learning analytics.
Stevens noted that these conversations are much further along in the EU countries just by virtue of a different data tradition. The presumed responsibilities that governments have relative to citizen protection are different in Europe.
"One of the open questions is: Will the EU conversation become the default standard for responsible use of student data in the United States? I would prefer that the answer is no," he said. "The EU conversation should inform what we do here, but the default strategy for institutions in dealing with data policy issues is compliance. What I worry about is that we will just move that default compliance to an EU standard, thereby obviating the discussion once again, instead of working through the responsibilities of educators. That is a more interesting and ethically consequential conversation."
Is there an obvious place on a university campus for these data policy efforts to reside? "These questions typically fall to IT offices or institutional research offices, which tend to be organized around compliance, and are not set up to have these normative conversations that must be had," Stevens said. "Neither institutional leadership nor philanthropists are giving these larger ethical questions about data use the attention they deserve. We are having conversations about compliance and regulation rather than first principles and goals, which is what we should be talking about."