What online instruction means for student data privacy

As teaching increasingly relies on Canvas and Zoom, the University of Minnesota is looking to secure student data.

by Helen Sabrowsky

As educational institutions across the country shift to online instruction in light of the coronavirus pandemic, increased attention has focused on student data privacy and what it looks like in digital learning. 

Across the University of Minnesota, digital platforms like Zoom and Canvas have seen an uptick in use since the transition to online learning. But both platforms have faced criticism in recent months for their handling of student data privacy. 

Student data means identifiable information — like names, student IDs and login information — and is regulated by the Family Educational Rights and Privacy Act as well as University policy. 

Throughout the shift to online learning, the University has worked to support students, staff and faculty with any issues that may arise, Chief Information Security Officer Brian Dahlin said, noting that the Office of Information Technology has been fielding more questions.

“As the University has been transitioning, we’ve been working to provide people with good advice,” he said. 

Why data privacy matters

As educational institutions across the country move to online teaching, student data privacy experts stress the importance of transparency and risk management. 

Sheryl Abshire, an educational technology specialist and consultant, said the conversation around student data privacy first emerged as schools began to collect and store more information about students using cloud-based systems. While initially there was little transparency over what was done with student data, now there is more conversation about its use. 

“We have come light-years since we first started thinking about this because we understand that so much personal data is important to every person, whether you’re a student or a business person,” Abshire said.

Though Abshire said there have been improvements in how educational institutions handle the issue of student data privacy, she said it is crucial schools understand what data is being collected and how it is used — internally and by third-party companies like Canvas and Zoom.

“[Schools] have a deep responsibility when collecting this data to know exactly how it’s being used and to have control over it,” Abshire said.

Larry Magid, CEO and founder of ConnectSafely, a nonprofit that teaches about online safety, privacy and security, said when it comes to how companies and educational institutions handle student data privacy, risk management is key. 

“Privacy is less about locking up every piece of information about you and more over having control over what you share,” he said. 

Concerns about privacy nationwide

Zoom went from hosting about 4,000 University meetings in a month prior to COVID-19 to now hosting nearly 8,000 meetings a day. The platform has seen some issues with security which have made the service vulnerable to video hijacking, or Zoombombing. This prompted a warning from the Federal Bureau of Investigation’s Boston office and attention from lawmakers.  

Earlier this month, the New York City school system stopped using Zoom in light of concerns over privacy. Companies and government agencies, like Google and NASA, have banned the use of Zoom. 

Canvas, which has been used by the University since 2014, has also seen an increase in use since the switch to online instruction. Like Zoom, Canvas has faced criticism for its policies on student data collection and retention. 

Earlier this year, Canvas was sold by its parent company Instructure to Thoma Bravo, an equity firm that specializes in software and technology-enabled service sectors, which prompted concerns regarding the transfer of student data in the sale.

Prior to the sale, educators nationwide organized a public letter to Instructure leadership calling for increased transparency over the handling of student data and the option for students to opt out of data collection and retention.

While the University has received some reports of Zoombombing, said Dahlin, neither Canvas nor Zoom have notified the school of any security breaches but have policies in place to do so. 

Magid said that some of the security problems Zoom faced were due to its original focus on business applications with organizations large enough to have their own IT departments. There have always been a lot of privacy controls on Zoom, but its policies are not easy to understand, and it did not have default settings, Magid said. 

This meant that during the period of rapid growth Zoom saw in light of the COVID-19 pandemic, users who did not understand how to configure their privacy settings were vulnerable to video hijacking, he said. In response, Zoom adjusted its privacy settings.

For companies like Zoom, handling student data is all about risk management or implementing the best policies possible without compromising usability or function, Magid said. Right now, Zoom is as secure as it can be while still being on the internet, he said. 

What students and faculty can do

The University’s large dataset of student information has a series of security classifications, with most student data considered private restricted, said Stacey Tidball, director of the University’s Continuity and Compliance office, which regulates student data. 

Student data is stored in different systems across the University, and some, such as grades and degrees earned, is retained forever, she said. When it comes to accessing that data, an individual or entity must meet two requirements: They must be a school official and have a legitimate educational interest, Tidball said. 

While Canvas is designated as a school official in its contract with the University, it still must show it has a legitimate business purpose before being able to access student data, Tidball said. Designating educational vendors as school officials is a standard practice at the University and is not unique to the school, she said.  

The University has online resources for students and faculty interested in additional guidance on how to better secure their data. 

Magid said that individuals can take steps like avoiding public WiFi and using strong passwords to mitigate privacy risks, while institutions can work to educate users and only contract with reputable vendors to protect data on their end. 

“At the end of the day, you can’t just shut it down. It’s sort of like how many locks you put on your front door,” said Magid. 

“You want to put a lock out that makes it really hard for bad guys to get in, but if you’re going to lock your door so that it makes it impossible for anyone to get in … you’re not going to be able to get in your own front door. You have to make it accessible but also secure.”