Student Privacy in an Ever-Changing Digital World Scott D. Schafer University Privacy Officer March 9, 2017

Overview Changing landscape of education technology Privacy and student data used in online educational services Best practices for protecting student privacy

Goals Provide faculty, staff and students with cutting-edge learning tools Protect privacy when using the tools Strive to accomplish both goals 3 Goals Equip faculty, staff and students with cutting-edge technologies and solutions Protect Privacy when using these technologies Ideal – we accomplish both of these goals at same time

Online Educational Services at Penn How are Online Educational Services Being Used?? Student information systems Educational applications Productivity applications Online Educational Services at Penn Student Information Systems – Access to records, career services Educational Applications – facilitate educational discussions or sharing of ideas Productivity Applications Fundamental University Services – Fundamental University services

What Are Online Educational Services? Computer software, apps, or web-based tools Provided by a third-party to Penn Accessed via Internet by students, faculty, and/or staff Used as part of a University activity NOT online services or social media used in a personal capacity They are web-based apps, tools, or platforms Provided by 3rd party Accessed by Internet Part of the educational experience at Penn NOT – Online services (social media) used in a personal capactiy

Challenge of Online Educational Services 3rd Parties perform University functions New types of data and more of it! Many online services do not utilize the traditional 2-party written contractual business model Concerns about monetization of personal information and behavioral marketing Use data effectively and appropriately but still protect privacy Challenges – Third parties are providing these services – less control They collect or record new types of data – not just data provided, but data on how the services is used, clicks, where they go – who owns that data??? Offer just click-through agreement people just accept – not based on a two-party negotiated contract model - restrictions use of data is not negotiated Data is truly the New Gold!! - It’s a valuable commodity – and lots of entrepeneurs in the online educational space recognize this. Want to use it for their own purposes (behavioral marketing, maybe even sell it) Significant Implications on student privacy – Penn’s obligations to protect student privacy So they are offering Higher Ed new, innovate services

FERPA Family Educational Rights and Privacy Act Federal law that: Protects the privacy of students’ education records Provides students the right to inspect their education records Law protection student privacy is FERPA Love acronyms – Protects privacy of student records Also gives students to inspect their educational records

FERPA And Your Role As members of the Penn Community, we have a responsibility to protect education records in our possession.   Members of Penn community have an obligation to protect student education records in our possession EVEN if services offered to us are attractive, really convenient, or offered to us for FREE

Sharing “Education Records” – Student Consent General Rule: Education records may not be shared without student written consent -- though important exceptions exist. General rule under FERPA – Cannot disclose student records WITHOUT PRIOR WRITTEN CONSENT BUT there are some really important exceptions

Sharing “Education Records” – Student Consent What is an “Education Record”? Any information or data directly related to a student maintained by Penn What Is NOT an “Education Record”? Records of a law enforcement unit of the University Medical & mental health treatment records Alumni data not connected to student status Employment records not connected to student status BEFORE I talk about those exceptions – let’s talk about what is an EDUCATION RECORD Any information directly relating to a student maintained by Penn BUT NOT: Law enforcement records (Penn Police) Health or mental health records Alumni records Employement records

Key Exceptions to Consent Requirement Two exceptions to the consent requirement are most relevant when using education technology: Directory Information Exception School Official Exception FERPA has many exceptions to the consent requirement BUT the two most relevant to online education services: Directory Information Exception School Official Exception

Directory Information Exception Directory information may be shared provided the student has not “opted out” of allowing such sharing. Directory information includes: Student’s name Address (local, home, email) Telephone number DOB Penn ID Major, dates of attendance, degrees awarded field of study Directory Information is not considered FERPA data requiring consent – as long as student has not opted out of sharing info. This type of data may be shared with an online educational service provider WITHOUT STUDENT CONSENT – As long as student has not opted out.

School Official Exception School Officials Faculty Staff 3rd party service provider performing work under University supervision With Legitimate Educational Interests Information is needed for school official to perform duties Other Exception – School Official Can share student data WITHOUT CONSENT if the party is a SCHOOL OFFICIAL with a LEGITIMATE EDUCATIONAL INTEREST in receiving the information.

School Official Exception Third-party service provider is a school official if: Performs a service for which Penn would otherwise use its own employees Is under the direct control of Penn regarding use education records Does not re-disclose or use education records for its own or unauthorized purposes 3rd Party Service Provider can be a “School Official” if performing services for University Doing a Service that University would otherwise use its own employees Must be acting under direction of University regarding use of student data Does not use student data for its own purposes

Question 1: Is student information used in online educational services protected by FERPA?

Answer: It depends! Some data may be protected by FERPA: Enrollment Information Grade Information Evaluation of coursework Other data may not be: Directory Information (unless student has opted out) Need to evaluate on a case by case basis to determine if FERPA-protected information is implicated.

Question 2: What does FERPA require if a student’s education record is disclosed to a third-party service provider?

Answer: Consent for the disclosure; OR Disclosure under “School Official” exception Direct control Use for authorized purposes only Limitation on re-disclosure

Question 3: What about metadata? Are there restrictions on what providers can do with metadata about students’ interactions with their services?

What is Metadata? Metadata are pieces of information that provide context to other data being collected: Activity date and time Number of attempts How long the mouse hovered before clicking an answer Before I give you the answer – how many people know what META DATA IS? Pieces of information the provide context to other data being collected – what pages were visited, click information, how many times logged in – remember when we talked about the challenges and we talked about new types of data – well this is one – it focuses on behavior

Answer: Properly de-identified metadata may be used by providers for other purposes Stripped of all direct and indirect identifiers School name and other geographic information can be indirect identifiers YES – But only if stripped of all identifiers – direct or indirect Can include school name or geographic location

Privacy Challenges Online educational services: Offer free or low-cost services to gain access to student data No contract necessary – or just a click-through agreement So what are the privacy challenges we are seeing with ONLINE EDUCATIONAL SERVICES Attractive – offer free or low cost services Gives them the entry to the student data They often don’t require a contract -- just a click through agreement

Privacy Challenges Online educational services: Seek to monetize or use student data for their own purposes by having the students agree to Terms of Service or a Privacy Policy Part of the click through – they have students or the users – agreeing to TERMS OF SERVICE OR PRIVACY POLICIES that allow them to use the data for their OWN PURPOSES

Privacy Challenges Problem: University educational services are conditioned upon students agreeing to allow a third-party to use their data for its own purposes What if the student does not wish to consent? Is an alternative offered?  If no alternative, is the student providing “voluntary” consent to third-party’s use of its data?  Problem: When UNIVERSITY SERVICES are CONDITIONED upon AGREEING TO A THIRD-PARTY TERMS OF SERVICE What is student doesn’t agree – what do we do? Will there be an alternative? If no alternative, is that really consent from student perspective? PUTS US IN A CONUNDRUM

Best Practices When possible, use a written contract or legal agreement with provisions addressing: Security Data collection Data use, disclosure, and destruction Remember FERPA “school official” requirements: Direct control Authorized use Limits on redisclosure BEST PRACTICES Get a contract in place with third-party provider of online educational service – NO CLICKTHROUGHS Designate as a school official Set parameters on data use and limits redisclosure

Best Practices Be aware of how online educational services intend to use student data Provide University Services - OK Market to Students - NO Sell Student Data - NO Understand how student data will be used – Provide University Services – OK Sell Data or Market to Students – Not OK

Best Practices If online educational services want consent from students to use data for other purposes: Must be fully transparent with students Obtain meaningful, informed consent Provide students a choice to say “NO” and still receive the education service Ensure Terms of Service regarding data use cannot be changed without notice to student Online Educational Services might really push to want to use data for their own purposes – Service needs to be upfront and transparent with student on how data will be used Need to obtain explicit, informed prior consent with students Students NEED TO HAVE A REAL CHOICE - -Ability to say NO. No Change in Terms of Use without NOTICE

Resources www.upenn.edu/privacy Penn Privacy Website Email Penn’s FERPA Policy FERPA FAQs Protect Yourself Policies and Guidance Privacy Topics A to Z Email privacy@upenn.edu