Why You Should Audit Your EdTech Now

Alexis Castorina
Notebowl
Aug 21, 2018

What you (and your vendors) must know about the latest student privacy and data security rules.

No matter what your role is at your university, you are responsible for maintaining safe data practices and protecting students’ privacy.

Not only do you need to know what the Department of Education laws say about your responsibilities for protecting students’ personal information, but you can also be liable for how your third-party technology partners use student data and who they share it with.

Want a stark reminder of just how important keeping tabs on your data is? Just search “Facebook and Cambridge Analytica.” Yikes.

Lots of instructors like to use social media sites like Facebook, Twitter and other free tools for their classrooms. But how do you know if the third-party edtech tools you’re integrating into your online classroom environments follow safe data security standards?

There are a lot of changes to keep up with. Luckily, many higher education institutions have rock star compliance teams keeping up with all of the changes. That said, how can you be sure that the education technology you’re using is compliant? Are you up to speed on the latest rules?

Here’s what you need to keep in mind.

FERPA

Most of you are very familiar with the Family Educational Rights and Privacy Act (FERPA), so we won’t spend a ton of time explaining the ins and outs of this long-standing federal law. At a high level, FERPA is a law that protects the privacy of student education records and applies to any school that receives funds from the Department of Education. Keep in mind the difference between “directory” information and what’s considered to be part of student education records and more restricted data. You absolutely MUST be sure your partners are FERPA compliant. More on this later, so keep reading.

GDPR

Folks are still getting up to speed on the new E.U. General Data Protection Regulation (GDPR) rules. (Yes, you still need to understand it even if you’re not an international university.) These rules involve how data relating to people in Europe is handled. Some universities are still figuring out how to handle this from a tech infrastructure standpoint.

It’s a bit complicated. But it’s critical to understand whether the tech you’re using, and the way you’re handling student data, comply with this new law.

Inside Higher Ed recently published an article explaining what to know about GDPR and why many colleges are not prepared and are at risk of facing heavy fines. The article states, “if a college can’t demonstrate that it is taking data protection as seriously as its competitors, it may start to lose out on prospective students.”

“The [GDPR] requirements would also apply to American students or faculty members who communicate with campuses while they are in Europe. In addition to understanding what data they hold, where data is stored and how they are used, institutions will need to be able to accommodate requests to retrieve, correct or erase the data. They must also promptly report any data breaches.”

McKenzie, L., “European Rules (and Big Fines) for American Colleges”, Inside Higher Ed (March 2018).

What You Can Do to Remain Compliant

First, you need to ensure your student data is in a safe and secure environment. A great resource to consult for more information is the U.S. Department of Education’s Privacy Technical Assistance Center (PTAC). Here, you can learn more about student data uses, data privacy, confidentiality and security practices. There’s even a checklist you can download that shares more on topics like authentication, network mapping, access controls, and more.

Second, at minimum, you should only be working with technology partners who are FERPA compliant. Do not put student data on platforms that are not FERPA certified. Bottom line. Verify your education technology partners are certified.

Third, beware of 100% free tools. Look, we get it. Free stuff is great. But sometimes you get what you pay for. Many free tools are offered in a public environment and lack the appropriate safety standards required by the DOE.

You need to have a clear understanding of how sensitive student data is being processed, stored and transmitted. It’s not clear how many of these free platforms are using student data behind the scenes.

You can find tools that can accomplish your classroom goals with social media features, but within a safe and secure environment. Choose tools that encompass the appropriate legal certifications and privacy standards set forth by the DOE.

For example, Notebowl is FERPA Certified and keeps its university clients in full control of the student data that’s on the Notebowl platform. A big advantage with using Notebowl is you can get the social learning environment without the downsides of the potential privacy issues related to public social networks like Facebook, Twitter and LinkedIn.

We are living in a time when data breaches are becoming more prevalent: at the stores we shop at, our email accounts, social media, and even one of the credit agencies that knows just about EVERY bit of personal information about us.

Make sure you’re doing periodic audits of your technology partners’ data management practices. Not only is it the right thing to do from an ethical standpoint, it’s what you need to do by law, or you risk facing serious fines.

OK, now go become best friends with your compliance team.

About the author: Alexis Castorina is a journalist and marketing strategist with extensive knowledge of higher education, financial services and digital marketing.