Abstract:

Big data systems have raised concerns related to privacy management such as transparency regarding the accessibility, collection, use, and sharing of data, as well as informed user consent. While a number of regulations have emerged to protect personal data privacy, learning management systems (LMS) in higher education present a complex situation in which students are required to become users, but have very limited knowledge of if/how their data is being viewed or shared by instructors, administrators, or external vendors of software providers. Furthermore, students are not given the ability to manage their data privacy settings within LMS and are unable to opt out of data collection. To find out what students, faculty, and administrators believe about the privacy of student data in LMS, we fielded a survey in three campuses of a large university system in the Rocky Mountain region of the United States. The sample included 283 students, 265 faculty members, and 38 administrators. We found that these three stakeholder groups had diverse perceptions regarding the who had access to student data; how student data were protected by instructors, the university, and the LMS vendor; and the frequency with which instructors and administrators accessed and/or used LMS data for different purposes. Overall, participants' survey responses suggested that the vast majority were unaware of larger discussions surrounding LMS data privacy concerns, and in open-ended comments, a substantial number expressed apprehension about the privacy of their data in these systems. We discuss these findings in light of regulations and theory. In the U.S., the primary federal law overseeing the use and protection of student information, the 1974 Family Educational Rights and Privacy Act (FERPA), offers only minimal and somewhat flawed privacy protection for student data in contemporary learning settings. Regulatory data privacy frameworks such as the European Union's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA) both contribute to a pragmatic foundation by which to develop adequate privacy protections and inform the discussion of potential solutions offered in this paper. In addition to the examination of current data regulations, we discuss privacy risks and harms in LMS using Nissenbaum’s theory of contextual integrity. We conclude with a discussion of implications for the design of systems with inherent power imbalances, under which LMS users are left with few choices regarding their data. Particularly, we consider the benefits and challenges associated with the integration of privacy by design into LMS, and the use of ‘soft law’ in the absence of effective regulation.

Keywords:

Learning management systems, data privacy, data protection, higher education.