Copyright 1998 CAUSE. From CAUSE/EFFECT Volume 21, Number 1, 1998, pp. 5-11. Permission to copy or disseminate all or part of this material is granted provided that the copies are not made or distributed for commercial advantage, the CAUSE copyright and its date appear, and notice is given that copying is by permission of CAUSE, the association for managing and using information resources in higher education. To disseminate otherwise, or to republish, requires written permission. For further information, contact Jim Roche at CAUSE, 4840 Pearl East Circle, Suite 302E, Boulder, CO 80301 USA; 303-939-0308; e-mail: email@example.com
Privacy Issues in a Virtual Learning Environment
by Susan K. Ferencz and C.W. Goldsmith
Privacy issues for students in a virtual learning environment are an order of magnitude greater than those for students in a more traditional campus learning environment. The legal foundation for student privacy has been the federal Family Educational Rights and Privacy Act (FERPA) of 1974. This landmark legislation has served the academic community well, and the privacy protections afforded today's students are a direct result of the vision of the drafters of FERPA. Given the changes in higher education since 1974, especially the changes introduced by the infusion of technology into admissions, registrar, bursar, financial aid, and student advising functions, higher education leaders are beginning to question whether FERPA can remain unamended. Does FERPA sufficiently reflect the 1990s higher education environment to allow staff at all levels in organizations to make the day-to-day decisions in a technology environment that are consistent with the basic principles of FERPA? Or should FERPA be reexamined and amended to clarify privacy issues that were unheard of twenty-five years ago?
As was true in 1974, privacy is important to students. Students expect the right to control and inspect personal information, and students expect that their personal information maintained by colleges and universities will be accurate. But today students expect their privacy to be protected beyond physical campus boundaries -- beyond the file cabinets located in the student services buildings and beyond the databases stored on systems in the central computer center. Today, students expect colleges and universities to protect these rights throughout the campus intranet and the Internet, that is, throughout the virtual learning environment.
There is another difference between student expectations for privacy in 1974 and today, a difference in the type of information to be protected. When FERPA was established, students expected colleges and universities to protect the privacy of grades and transcripts. Today's students also expect information about their personal activities to be kept private -- information that is captured automatically as they use card keys to gain access to campus buildings, purchase meals or books, access online library resources, or log onto the campus network (whether on campus or from another location). Students expect all of this information to be protected. At the same time, students generally don't object to the recording of such activities. Having grown up in a cultural environment where security equipment routinely records activity in many public and commercial buildings -- convenience stores, ATM locations, parking garages, banks -- students generally recognize that such transactional recording and monitoring is a component of institutional security measures.
In an effort to maintain the highest level of security for student information collected and maintained by student services offices, which is increasingly accessed through network-based systems, technologists have used a variety of methodologies -- firewalls, encryption, middleware, token cards, smart cards, one-time passwords, and, in a few instances, biometrics. Each of these methods has strengths and weaknesses, and they are often employed in combination to compensate for any deficiencies. Of course, the responsibility for maintaining the security of the virtual learning network is compounded by the fact that the technology to defeat such security measures is changing (and improving) as rapidly as the technology itself.
The bottom line, however, is that institutions of higher education cannot depend solely on even the best technological solutions for maintaining security and privacy of student information. Ultimately, a secure environment will be the outcome of a faculty and staff who are highly sensitized to privacy issues and who have access in their daily operations to policy in this area that is fully supported by the rest of the virtual learning community.
How should colleges and universities respond to the additional privacy issues of students in the 1990s? To deal adequately with privacy issues in the virtual learning environment, institutions should consider charging a comprehensive task force to develop policy suitable for such an environment, perhaps even making the task force a standing committee for the long term.
The composition of a privacy task force requires considerable thought. Primary stakeholders must be represented, and yet the task force cannot be so large as to defeat efforts to make timely decisions.
At a minimum, there should be one representative from each of such areas as the registrar's office, financial aid, admissions, bursar's office, student advising, computer center, library, student judicial affairs, legal counsel, and student government. In addition, selected faculty members and other students should also serve. Members should be chosen to represent both local and remote issues, and they should be officially appointed to the task force. It should be understood from the beginning that multiple tiers of review will be necessary for any policy development and, ideally, these tiers and their constituents will be identified at the beginning of the process.
Beginning the policy discussions
The process of developing policy is as important as the outcome. The process, if done effectively, will result in discussion and debate of issues before policy implementation, providing the necessary buy-in that, if not present, will defeat any effort to introduce new policy. A number of critical issues must be decided as groundwork to the policy discussions.
Right vs. Privilege. Are network resources a right or a privilege for virtual learning students? This distinction has ramifications for how privacy violations will be handled by the campus judicial board, the role of the campus police, and the legal right of the institution to withdraw network privileges as a sanction for privacy violations.
Privacy/Confidentiality Guarantee. What level of privacy is the institution prepared to offer virtual learning students and faculty? If on-campus faculty and staff use network resources for both academic and non-academic purposes (for example, chat rooms), is the computer center prepared to offer the same levels of use to virtual learning participants, and can the computer center guarantee their privacy at all levels?
Chargeback Security Services. If heightened privacy measures are required for virtual learning students and faculty, should chargeback security services be implemented, and what campus unit should receive the revenue stream? For example, will there be a charge for smart cards or a charge when students forget their password?
Security Help Desk. When problems arise, whom does the virtual learning student contact? An online help desk staffed by the registrar, financial aid, bursar, and admissions offices? The system administrator on the home campus? A departmental LAN administrator? A local Internet service provider? All of the above?
Policy on Monitoring of Network Use. With privacy guarantees comes some level of activity monitoring to ensure privacy. What level of monitoring will be required for virtual learning students and faculty? What if some virtual learning students are located in areas where monitoring is at a higher level than at the home campus?
Privacy Expectations. Many students will have expectations about the privacy of their student services transactions (financial aid, admissions, bursar, registrar, advising, etc.) that are derived from experiences as residential students. How will these expectations be managed? How will colleges and universities communicate any differences in privacy levels?
Principles of fair information practice
Policies on privacy and the handling of student information in the virtual learning environment should rest on a firm foundation of principles of fair information practice. Last year, a task force commissioned by CAUSE developed a white paper in cooperation with the American Association of Collegiate Registrars and Admissions Officers (AACRAO) called Privacy and the Handling of Student Information in the Electronic Networked Environments of Colleges and Universities. The paper, which is available at no charge through the EDUCAUSE Web site at http://www.educause.edu/asp/doclib/abstract.asp?ID=pub3012, outlines eight relevant principles of fair information practice to provide a framework for evaluating campus values and creating policy with respect to privacy and access to information in a networked environment:
- Notification
- Minimization
- Secondary Use
- Nondisclosure and Consent
- Need to Know
- Data Accuracy, Inspection, and Review
- Information Security, Integrity, and Accountability
- Education
Notification
The notification principle provides that students be informed of what information is being collected; who is collecting the information and from whom it is being collected; why the information is being collected (i.e., the intended use); what steps are being taken to protect the confidentiality, integrity, and quality of the information; the consequences of withholding information or of providing false or incomplete information; and the right to inspect information and obtain appropriate remedy. These elements of the notification principle provide the basis for knowledgeable actions when individuals are asked to give consent for others to have access to their information. Without solid knowledge, consent can be hollow instead of informed. This is what is meant by informed consent.
Within the virtual learning environment, the process of notifying and informing students may become increasingly problematic. In such environments, information is being stored and transported between many different offices at different institutions and organizations, on a continual basis. Questions concerning notification frequency, intensity, granularity, and scope will need to be addressed in building policy about handling student information in this complex environment.
How frequently should students be notified, in a dynamic electronic environment, of information that is being collected about them? Should students be required to positively acknowledge -- by signature or other means -- receipt of this notification? In the distributed computing environment, to what extent should students be notified of each record's distinct usage, security, and other characteristics? How much detail is it reasonable to provide before the volume itself becomes an impediment to true understanding?
Minimization
The principle of minimization relates to what kind and how much information is collected from students, with an emphasis on gathering the minimum amount of relevant personal student information needed to accomplish a legitimate, identified purpose. Associated with this principle is the responsibility to delete information when it is no longer needed. The challenge is to identify those elements that are truly the "minimum" needed, avoiding collection for collection's sake or for "potential future use."
One driving force for increased collection of information in higher education is the requirement by state and federal agencies for the reporting of increasing amounts of student data. In some states, laws have recently been passed which require institutions to collect and use more, rather than less, personal student information.
Policy issues related to minimization include the automatic collection of data by computer systems, appropriate sources of information about students, collection of sensitive data, collection of data for emergencies, and how long data should be kept. Should information be collected and retained merely because the hardware or software permits it? What kinds of data are appropriate to collect as part of the admissions process? How long should data be kept and under what conditions? When are the purposes for which the information was collected deemed to no longer exist?
Secondary use
The premise of the secondary use principle is that when personal information is gathered from a student, it should be used only for the purpose for which it was collected (even within the same institution or office) or for a use compatible with that purpose, unless the individual has given additional consent. Thus the principle of secondary use goes hand in hand with the principles of notification, minimization, and nondisclosure and consent (discussed below). Application of this principle means that an institution must articulate, when gathering personal data, precisely the purpose for which it is being gathered.
The principle of secondary use is one of the most critical to be examined and understood as colleges and universities participate in virtual learning. Once information is gathered and stored in a medium that facilitates its fast access, sorting, sharing, transport, and reuse, this information becomes much more accessible to the exercise of new options and opportunities. Data mining and sharing information in new ways to answer new questions or to form new hypotheses is not only possible, but may seem essential to better serve students or more aggressively market to new students. Matching one database with another enables looking at information in new ways, perhaps gleaning new information from these combinations. Care needs to be taken that any such manipulation of data does not disclose or make accessible individual, personally identifiable data.
FERPA allows for, and most reasonable individuals would agree to, routine secondary uses that are compatible with the purposes for which the information was collected. But if the use of personally identifiable student data is for non-routine purposes, the secondary use principle requires that the student be so informed and that consent be obtained.
Nondisclosure and consent
The term "nondisclosure" means not distributing personally identifiable information about students to parties external to the academic institution. (Note that the release of information about students to parties internal to the academic institution is addressed under the secondary use principle above and the need-to-know principle below.) Policy issues related to the principle of nondisclosure and consent revolve around consent strategies and data sensitivity, the nondisclosure of information created by use of information resources (such as library circulation records), and flexibility of inter-institutional information systems.
In the virtual learning environment, do the scope and concept of the principle of disclosure and consent change? For example, though a student may not object to the public release of his or her directory information when it is to appear in a campus print directory, will the student feel differently if such information is to be incorporated into a directory accessible on the Internet?
Given that there are likely broad individual differences in what types of personal information students feel are sensitive in a networked environment, how flexible do institutional policies, procedures, and systems need to be in enabling students to change categories in which the institution has placed a particular kind of information? For example, if disclosure of street or e-mail address on the Internet is unacceptable to an individual, should a means exist for him or her to place those elements in a more restricted disclosure category?
To what extent should systems be able to accommodate individual privacy preferences? An application of technology or systems design can hinder an individual's desire to exercise more control over release of information, but technology may also offer solutions that could facilitate a student's ability to choose.
Need to know
This principle is based on the premise that an individual within the virtual learning environment seeking access to personally identifiable student information is granted such access if and only if s/he has a need to know the information as part of an official and legitimate educational interest and in conformity with disclosure agreements. Under this principle, access to student information is based on normal job duties and the purpose and scope of the proposed use of the information.
How an institution defines the boundaries of legitimate educational interest will depend on many factors, but it will be increasingly important to articulate such policy very carefully and in conjunction with other institutions in the virtual learning environment.
Implementations of technology -- for example, a network-based information system -- must guarantee the ability to control information dissemination in accordance with the institution's defined need-to-know criteria. For example, personally identifiable student information may be accessible to someone classified as a "school official" without the student's prior consent. However, the definition of a school official may be vague, ambiguous, or not universally understood.
Some institutions integrate student information in other information databases or displays. This commingling or merging of information presents challenges with regard to the principle of need to know in that certain personal information will require a higher level of access privilege. For example, a faculty advisor may have a legitimate need to access a student's grade information, but if the information is displayed with other information about the student to which the faculty member is not entitled access, this could violate the student's privacy.
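The two controls described above, a student's ability to move a directory element into a more restricted disclosure category and an institution's need-to-know filter over a commingled record, can be shown together in code. The following is an added example written for this page; it is not from the article or from the CAUSE/AACRAO white paper. The role names, the field names, the disclosure categories ("internal", "print", "internet") and the sample record are all constructed assumptions, and an institution would populate the role table from its own definition of legitimate educational interest.

```python
from dataclasses import dataclass, field

# Which record elements each job role has a need to know. Constructed for
# illustration; an institution would derive this from its own definition of
# "legitimate educational interest". Any role not listed is denied everything.
NEED_TO_KNOW = {
    "registrar": {"name", "student_id", "email", "address", "grades", "enrollment"},
    "faculty_advisor": {"name", "student_id", "email", "grades", "enrollment"},
    "financial_aid": {"name", "student_id", "email", "address", "aid_award"},
}

# Elements the institution treats as directory information, and the ranking
# of the disclosure categories a student may choose: internal < print < internet.
DIRECTORY_ELEMENTS = {"name", "email", "address"}
DISCLOSURE_RANK = {"internal": 0, "print": 1, "internet": 2}


@dataclass
class StudentRecord:
    """A commingled record: education, financial and directory data in one place."""
    data: dict
    # Per-element disclosure category chosen by the student; default is "print".
    disclosure: dict = field(default_factory=dict)

    def restrict(self, element, category):
        """Let the student place one directory element in another category."""
        if element not in DIRECTORY_ELEMENTS:
            raise ValueError(f"{element} is not a directory element")
        if category not in DISCLOSURE_RANK:
            raise ValueError(f"unknown disclosure category {category}")
        self.disclosure[element] = category

    def category(self, element):
        return self.disclosure.get(element, "print")


def view_for_role(record, role):
    """Return only the elements the role needs to know; deny unknown roles.

    The filter is applied element by element, so a faculty advisor who may see
    grades does not also receive the financial aid award stored in the same record.
    """
    allowed = NEED_TO_KNOW.get(role)
    if allowed is None:
        raise PermissionError(f"role {role!r} has no defined need to know")
    return {k: v for k, v in record.data.items() if k in allowed}


def directory_listing(record, audience):
    """Elements releasable to an external directory audience ('print' or 'internet').

    An element is released only if the student's chosen category is at least
    as open as the audience; "internal" is never released externally.
    """
    if audience not in ("print", "internet"):
        raise ValueError("audience must be 'print' or 'internet'")
    needed = DISCLOSURE_RANK[audience]
    return {
        k: v for k, v in record.data.items()
        if k in DIRECTORY_ELEMENTS and DISCLOSURE_RANK[record.category(k)] >= needed
    }


# Constructed sample record for a fictional student.
SAMPLE = StudentRecord(data={
    "name": "A. Student", "student_id": "000000000",
    "email": "astudent@example.edu", "address": "123 Campus Way",
    "grades": {"CS101": "A"}, "enrollment": "full-time",
    "aid_award": 4200,
})


if __name__ == "__main__":
    print("advisor view:", view_for_role(SAMPLE, "faculty_advisor"))
    print("print directory:", directory_listing(SAMPLE, "print"))
    print("internet directory:", directory_listing(SAMPLE, "internet"))
    SAMPLE.restrict("address", "internal")
    print("print directory after restriction:", directory_listing(SAMPLE, "print"))
```

The design choice worth noting is that both filters default to denial: a role missing from the table gets nothing, and an element the student has not explicitly opened stays out of the Internet directory. Releasing a whole screen of commingled data and trusting the viewer to ignore the parts they are not entitled to is exactly the failure the paragraph above describes.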
Data accuracy, inspection, and review
The premise of this principle is that information about students collected and maintained by a college or university must be accurate, and that students have the right to examine information about themselves and to request changes they feel should be made to their education records. The institution's responsibility with respect to this fair information principle is to define an effective request process and to make known to students the types of data that are being collected and maintained and the various offices responsible for the records to facilitate their request for review of their data. Methods for properly authenticating the identity of the student making the request to inspect data should be in place prior to information release.
Two issues associated with this principle in a virtual learning environment relate to responsibility for ensuring accuracy of student data in distributed databases, and the extent to which the right of inspection and review applies to data captured through transactions and automatic logging, including the feasibility and cost implications of such review.
Technology has enabled student information to be replicated in a number of different databases, under the control of different organizations and institutions. It is unreasonable to expect the student to be cognizant of every office that may have replicated his or her information and to contact each one when a change is necessary. Network technologies and network-based student systems can actually facilitate a student's access to his or her own data, and thus make it much easier for a student to inspect and review that data to be sure of its accuracy.
There are items of information now being collected about students that are not a part of the structured databases under the jurisdiction of student services and academic discipline officers -- primarily data captured as a function of electronic transactions generated by student activity such as accessing electronic library holdings or signing on to computer systems. This type of data collection will only increase in a virtual learning environment. To what extent is it possible to make such data available for student inspection and review? May a student request a modification to an event log, and how should such a request be handled? There may be costs associated with complying with student requests to inspect and review such records that the institution will need to address. Policies and procedures will be needed concerning these types of records, to define the records that can be made available and the related request and change process.
Information security, integrity, and accountability
The principle of information security, integrity, and accountability is composed of three related elements. Security, in terms of information technology, is the protection of user files and system resources from loss, damage, inappropriate access, and unauthorized disclosure or use of sensitive or private information. Integrity is reasonable assurance that data, once entered, will not be subject to unauthorized modification by intentional or unintentional means, and that data will remain unaltered during transmission between sending and receiving systems. Accountability in this context is the ability to explain security-related events and to link them to the originator.
Policy issues related to this principle arise in several areas, including appropriate levels of security for information of varying sensitivity, institutional policy for information access and acceptable use of electronic resources, and limitations and capabilities of the technologies employed.
Before adequate and reasonable security can be defined for the virtual learning environment, there must be a shared understanding of which information is, in fact, sensitive and the degree of sensitivity. The expansion of access to information generated by student activity or data in system logs introduces issues that may not yet have been considered in traditional learning environments. For example, how sensitive is student electronic mail? Is its protection to be a high priority, or is it to be assumed and made known to students that unencrypted electronic mail is not private? How sensitive is a file about a student that is kept online by a faculty advisor? What security measures are appropriate for information required in an online application form (for example, family and background information, credit card number)? Is an individual's picture more sensitive when stored or disseminated electronically?
Within the virtual learning environment, institutions must consider whether and how to define what is considered acceptable use of its information resources and how potential breaches in security or information privacy will be handled. Without a formal policy to define security rules, roles, and responsibilities, it may prove difficult to hold users accountable. Rules that are unwritten may also prove unenforceable.
In a nutshell, the primary security issue surrounding electronic transmission of private student information is: can information be ensured of privacy protection if the network itself is not at least reasonably secure? Are there areas where limitations in existing security technology make a particular implementation unwise? Who will decide whether the value of access is more important than the risk of a privacy violation?
Fundamental technical issues for heterogeneous networks of the type likely to be found in most virtual learning environments include authentication and authorization, communications security, and logging.
Authentication and authorization. What technical means can and should be employed to reliably validate the identity of network users (authentication) and to determine their access (authorization) levels? How can network access be controlled such that unauthenticated (and thus untraceable) access is eliminated, or services that can be obtained anonymously are limited to only those that can do little harm? How can individuals ensure that the electronic correspondence they receive is actually from the purported sender? How can an application determine it is connecting to the correct server and not to a system that has assumed its network identity? There are emerging cryptographic solutions in these areas, but who will be responsible for planning their widespread introduction and use, and in what timeframe?
Communications security. How can institutions safeguard private information being transmitted to or through traditionally less-controlled academic networks where students work? How can the institution ensure that applications used in the virtual learning environment take into account such communications security? How and where can technologies such as encryption be employed effectively, and how will standards in this area be determined?
Logging. A final technical network security issue is how much information about network transactions will actually be maintained. Because network intrusion detection is in its infancy, security events are seldom reported in real time. Thus, there is an increasing need for logs sufficient to reconstruct events weeks or even months after the fact. However, many of the systems that students commonly use may not yet employ an adequate level of logging to permit detailed reconstruction. Moreover, the logs themselves, if not properly managed, used, and secured may become a target or a potential privacy concern. How will accesses be logged and how much is appropriate and necessary to log (in keeping with the principle of minimization)?
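The tension in the logging paragraph, keeping enough to reconstruct an event months later while collecting no more than minimization allows and not turning the log itself into a privacy exposure, can be made concrete. The following is an added example written for this page, not code from the article or from any campus system it mentions. It assumes a keyed pseudonym (HMAC) for the user identifier so that only the office holding the key can link events back to a person, drops application fields the log does not need, truncates client addresses to their network, and enforces an assumed 90-day retention period. The event records, user names and addresses are constructed.

```python
import hmac
import hashlib
from datetime import datetime, timedelta

# Key held by the office permitted to re-identify log entries. Constructed for
# this example; in practice it is generated and stored apart from the logs.
REIDENT_KEY = b"constructed-demo-key-not-for-real-use"

# Fields the log keeps (minimization): anything else the application offers,
# such as search terms or form contents, is discarded before the write.
KEPT_FIELDS = ("timestamp", "event", "resource", "outcome")
RETENTION = timedelta(days=90)  # assumed retention period


def pseudonym(user_id):
    """Stable keyed pseudonym: the same user maps to the same token, so events
    can still be correlated, but the mapping cannot be reversed without the key."""
    return hmac.new(REIDENT_KEY, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def minimize(raw):
    """Reduce a raw application event to the minimum needed for reconstruction."""
    rec = {k: raw[k] for k in KEPT_FIELDS if k in raw}
    rec["user"] = pseudonym(raw["user_id"])
    # Keep the client's /24 network, not the host: enough to notice a pattern
    # of access from one building, not enough to single out one workstation.
    rec["client_net"] = ".".join(raw["client_ip"].split(".")[:3]) + ".0/24"
    return rec


def prune(records, now):
    """Drop records older than the retention period (minimization over time)."""
    cutoff = now - RETENTION
    return [r for r in records if datetime.fromisoformat(r["timestamp"]) >= cutoff]


def find_user_events(records, user_id):
    """Accountability: with the key, link retained events back to an originator."""
    token = pseudonym(user_id)
    return [r for r in records if r["user"] == token]


# Constructed raw events from a fictional library proxy.
RAW_EVENTS = [
    {"timestamp": "2026-03-01T10:15:00+00:00", "user_id": "jdoe", "event": "login",
     "resource": "library-proxy", "outcome": "success", "client_ip": "10.20.30.41",
     "user_agent": "Mozilla/4.0", "search_terms": "medical leave policy"},
    {"timestamp": "2026-03-02T09:00:00+00:00", "user_id": "asmith", "event": "checkout",
     "resource": "ejournal-db", "outcome": "success", "client_ip": "10.20.31.7",
     "user_agent": "Mozilla/4.0", "search_terms": "organic chemistry"},
    {"timestamp": "2026-01-10T22:40:00+00:00", "user_id": "jdoe", "event": "login",
     "resource": "library-proxy", "outcome": "failure", "client_ip": "192.0.2.99",
     "user_agent": "Mozilla/4.0", "search_terms": ""},
]


if __name__ == "__main__":
    stored = [minimize(e) for e in RAW_EVENTS]
    now = datetime.fromisoformat("2026-05-01T00:00:00+00:00")
    retained = prune(stored, now)
    for r in retained:
        print(r)
    print("events linked to jdoe:", len(find_user_events(retained, "jdoe")))
```

Two things the code shows that the paragraph only hints at: the log can still answer "what did this account do in March" for an authorized investigator, because the pseudonym is stable, yet a copy of the log file on its own reveals neither who the users were nor what they searched for; and retention is enforced by the same code path, not left to whoever remembers to clean up.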
Education
The premise of the education principle is that colleges and universities have a basic responsibility to educate not only their students but faculty, staff, and administrators about the privacy rights of students and potential implications of use and misuse of personal information, especially in a virtual learning environment. This definition of "education" extends beyond simple notification and informed consent.
Administrators who handle arbitration of computer abuse incidents on college campuses have long recognized that more harm is done through ignorance than intention. Central to developing an educational program is assessing the current state of awareness regarding privacy issues in a virtual learning environment. To what degree does the college or university wish to be responsible for helping its students become informed consumers of information technology and its implications for privacy, fully cognizant of both risks and benefits as well as existing discipline and enforcement procedures?
When and how to reach students is an important issue in the formulation of an educational program, and the answers are probably unique to each campus. How much information do students need immediately, and what information can be disseminated later? Students may sign a statement that they agree to abide by the campus policy for ethical use of electronic resources, and receipt of a computing account may be contingent on this signing.
Beyond education of the students, there remains an institution-wide process of raising the community's sensitivity to privacy, and to the individual responsibilities of its members referred to by FERPA in these matters. Some unit or individual on campus should take responsibility for periodically providing professional development opportunities about these matters, especially for data handlers and technologists.
The virtual learning environment has become an attractive mechanism for individuals to receive education as well as for institutions to deliver education. It may also be the most complex and challenging new tool individuals and institutions have ever had to deal with in education. As we endeavor to use this technology for the good of students, faculty, and staff, we must be cognizant of the legal and ethical responsibilities of all the participants. The most effective mechanism for dealing with the privacy issues raised in the virtual learning environment will be a task force or committee made up of those who are closely involved. The results of the task force efforts must be widely disseminated and ultimately absorbed into the institutional culture so that the privacy issues of everyone -- on the physical campus or virtual campus -- are met equally.
For additional resources on privacy, see http://www.educause.edu/issues/issue.asp?issue=privacy.
This article is based, in part, on discussion that took place at a CAUSE-sponsored session at the AACRAO Virtual Learning Environment Conference in Denver in August of 1997. Virtual Learning Environments: Implications for the 21st Century, selected papers from that conference, is available at $20 (AACRAO members), $28 (nonmembers) from AACRAO Distribution Center, PO Box 231, Annapolis Junction, MD 20701; 301-490-7651; fax 301-206-9789. Indicate item #3010.
Susan K. Ferencz (firstname.lastname@example.org) is director of Policy and Planning for Information Technology at Indiana University, Bloomington, and a member of the CAUSE board of directors.
Clair W. Goldsmith (email@example.com) is deputy director of Academic Computing Services at the University of Texas at Austin and chair of the EDUCOM '98 conference committee. Both Ferencz and Goldsmith were members of the task force that developed the CAUSE white paper, Privacy and the Handling of Student Information in the Electronic Networked Environments of Colleges and Universities.