Gaps, guesswork, and ghosts lurking in technology integration: Laws and policies applicable to student privacy

IF 8.1 1区教育学 Q1 EDUCATION & EDUCATIONAL RESEARCH

British Journal of Educational Technology Pub Date : 2023-08-25 DOI:10.1111/bjet.13379

Jeffrey C. Sun

{"title":"Gaps, guesswork, and ghosts lurking in technology integration: Laws and policies applicable to student privacy","authors":"Jeffrey C. Sun","doi":"10.1111/bjet.13379","DOIUrl":null,"url":null,"abstract":"<div>\n \n <section>\n \n <p>Technology integration and learning analytics offer insights to improve educational experiences and outcomes. In advancing these efforts, laws and policies govern these environments placing protections, standards, and developmental opportunities for higher education, students, faculty, and even the nation-state. Nonetheless, evidence of educational restrictions, encumbered actions, and archaic approaches pervades the legal literature and case law demonstrating that these laws and policies do not always function well in evolving and emerging technology spaces. To examine these laws and policies of student privacy, the author employs the combination of a critical policy analysis, which derives from critical social research as a means to explore discourse and policy through drawing out the policy contexts, texts, and consequences, and Flood's liberating systems theory, which directs the analysis to a problem-solving approach by examining the policy discourse from a systems-thinking lens. Based on a review of 184 court cases, 74 policies from a diversified representation of US states/territories, and seven developed nations or multi-nation consortia, this examination illuminates how context and text such as the type and setting of the privacy matter (eg, various freedom of information acts, educational records under the Family Educational Rights and Privacy Act, and <i>General Data Protection Regulation in the European Union</i>) presents opportunities for protections and standardization efforts; however, they also illustrate significant protection gaps, guesswork and insufficiency around the type and degree of data subject consent, and ghosting effects of data subjects' protections. While the extant literature already supports aspects of these findings, it does not account for this holistic view of these three privacy vulnerabilities—especially in light of the principles to which these laws purport to achieve. Moreover, the three identified privacy vulnerabilities suggest overlooked inclusion of two overarching privacy concepts—transparency and equity. This study recommends that key actors in the policy construction realm (ie, university leaders, policymakers, and judges) should engage in analyses, dialogue, and consideration about transparency and equity by considering contemporary privacy problems in the contexts of artificial intelligence, quantum computing, and cybersecurity as a way to improve transparent and equitable policies in these areas rather than exacerbating the privacy dilemmas already in place.</p>\n </section>\n \n <section>\n \n <div>\n \n <div>\n \n <h3>Practitioner notes</h3>\n <p>What is already known about this topic\n\n </p><ul>\n \n <li>In the United States, the Family Educational Rights and Privacy Act of 1974 (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are well documented evidence of privacy protections for education and health records, but they fail to offer sufficient protections for students as data subjects with emerging technologies.</li>\n \n <li>Existing federal-level laws in the United States do not offer a systematic or uniform approach in the manner that data users obtain consent, so data subjects are largely unaware of what is being consented.</li>\n \n <li>Other than matters of consent, policy strategies based on student privacy laws (ie, <i>voluntary consensus standards, basic practices to maintain privacy, an ethics review board, data/record retention and destruction, and data sanitation of equipment) are significant and informative</i> largely from the university-perspective, not the students as data subjects.</li>\n </ul>\n <p>What this paper adds\n\n </p><ul>\n \n <li>A new comprehensive examination of US laws including statutes, regulations, and cases as well as seven key nation-state or national consortia laws—especially the EU's <i>General Data Protection Regulation and selected state laws in the United States, which offer consistent and greater student privacy protections</i>.</li>\n \n <li>Insights about the principles designed among the laws, which centre around their application, essentiality, consent, and security.</li>\n \n <li>Attention to areas in which student privacy laws still present privacy concerns, but specifically identifying issues of significant gaps, guesswork and insufficiency around levels and types of consent, and ghosting effects of data subjects' protections.</li>\n </ul>\n <p>Implications for practice and/or policy\n\n </p><ul>\n \n <li>Data subject consent should be established and consistent– whether an opt-out provision, opt-in provision, or some extensive engagement.</li>\n \n <li>Student privacy policies should incorporate principles of transparency and equity for data subjects and data treatment.</li>\n \n <li>Policymakers should consider now how the intersections of data subject privacy matters shall be addressed in the context of artificial intelligence, quantum computing, and cybersecurity.</li>\n </ul>\n </div>\n </div>\n </section>\n </div>","PeriodicalId":48315,"journal":{"name":"British Journal of Educational Technology","volume":"54 6","pages":"1604-1618"},"PeriodicalIF":8.1000,"publicationDate":"2023-08-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"British Journal of Educational Technology","FirstCategoryId":"95","ListUrlMain":"https://onlinelibrary.wiley.com/doi/10.1111/bjet.13379","RegionNum":1,"RegionCategory":"教育学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"EDUCATION & EDUCATIONAL RESEARCH","Score":null,"Total":0}

引用次数: 0

Abstract

Technology integration and learning analytics offer insights to improve educational experiences and outcomes. In advancing these efforts, laws and policies govern these environments placing protections, standards, and developmental opportunities for higher education, students, faculty, and even the nation-state. Nonetheless, evidence of educational restrictions, encumbered actions, and archaic approaches pervades the legal literature and case law demonstrating that these laws and policies do not always function well in evolving and emerging technology spaces. To examine these laws and policies of student privacy, the author employs the combination of a critical policy analysis, which derives from critical social research as a means to explore discourse and policy through drawing out the policy contexts, texts, and consequences, and Flood's liberating systems theory, which directs the analysis to a problem-solving approach by examining the policy discourse from a systems-thinking lens. Based on a review of 184 court cases, 74 policies from a diversified representation of US states/territories, and seven developed nations or multi-nation consortia, this examination illuminates how context and text such as the type and setting of the privacy matter (eg, various freedom of information acts, educational records under the Family Educational Rights and Privacy Act, and General Data Protection Regulation in the European Union) presents opportunities for protections and standardization efforts; however, they also illustrate significant protection gaps, guesswork and insufficiency around the type and degree of data subject consent, and ghosting effects of data subjects' protections. While the extant literature already supports aspects of these findings, it does not account for this holistic view of these three privacy vulnerabilities—especially in light of the principles to which these laws purport to achieve. Moreover, the three identified privacy vulnerabilities suggest overlooked inclusion of two overarching privacy concepts—transparency and equity. This study recommends that key actors in the policy construction realm (ie, university leaders, policymakers, and judges) should engage in analyses, dialogue, and consideration about transparency and equity by considering contemporary privacy problems in the contexts of artificial intelligence, quantum computing, and cybersecurity as a way to improve transparent and equitable policies in these areas rather than exacerbating the privacy dilemmas already in place.

Practitioner notes

What is already known about this topic

In the United States, the Family Educational Rights and Privacy Act of 1974 (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are well documented evidence of privacy protections for education and health records, but they fail to offer sufficient protections for students as data subjects with emerging technologies.
Existing federal-level laws in the United States do not offer a systematic or uniform approach in the manner that data users obtain consent, so data subjects are largely unaware of what is being consented.
Other than matters of consent, policy strategies based on student privacy laws (ie, voluntary consensus standards, basic practices to maintain privacy, an ethics review board, data/record retention and destruction, and data sanitation of equipment) are significant and informative largely from the university-perspective, not the students as data subjects.

What this paper adds

A new comprehensive examination of US laws including statutes, regulations, and cases as well as seven key nation-state or national consortia laws—especially the EU's General Data Protection Regulation and selected state laws in the United States, which offer consistent and greater student privacy protections.
Insights about the principles designed among the laws, which centre around their application, essentiality, consent, and security.
Attention to areas in which student privacy laws still present privacy concerns, but specifically identifying issues of significant gaps, guesswork and insufficiency around levels and types of consent, and ghosting effects of data subjects' protections.

Implications for practice and/or policy

Data subject consent should be established and consistent– whether an opt-out provision, opt-in provision, or some extensive engagement.
Student privacy policies should incorporate principles of transparency and equity for data subjects and data treatment.
Policymakers should consider now how the intersections of data subject privacy matters shall be addressed in the context of artificial intelligence, quantum computing, and cybersecurity.

查看原文本刊更多论文

技术整合中的漏洞、猜测和幽灵：适用于学生隐私的法律和政策

技术整合和学习分析提供了改善教育体验和成果的见解。在推进这些努力的过程中，法律和政策管理着这些环境，为高等教育、学生、教师甚至国家提供了保护、标准和发展机会。尽管如此，法律文献和判例法中充斥着教育限制、担保行为和过时方法的证据，表明这些法律和政策在不断发展和新兴的技术领域并不总是能很好地发挥作用。为了研究这些关于学生隐私的法律和政策，作者结合了批判性政策分析和Flood的解放系统理论。批判性政策分析源于批判性社会研究，是通过绘制政策背景、文本和后果来探索话语和政策的一种手段，它通过从系统思维的角度审视政策话语，将分析引向解决问题的方法。基于对184起法院案件、74项政策的审查，这些政策来自美国各州/地区的多元化代表，以及七个发达国家或多国财团，本研究阐明了隐私事项的类型和设置（例如，各种信息自由法案、《家庭教育权利和隐私法》下的教育记录以及欧盟的《通用数据保护条例》）等背景和文本如何为保护和标准化工作提供机会；然而，它们也说明了数据主体同意的类型和程度方面的重大保护差距、猜测和不足，以及数据主体保护的幽灵效应。虽然现存的文献已经支持了这些发现的各个方面，但它并没有解释这三个隐私漏洞的整体观点——特别是考虑到这些法律旨在实现的原则。此外，三个已确定的隐私漏洞表明，两个首要的隐私概念——透明度和公平——被忽视了。这项研究建议，政策构建领域的关键参与者（即大学领导、政策制定者和法官）应通过考虑人工智能、量子计算、，网络安全是改善这些领域透明和公平政策的一种方式，而不是加剧已经存在的隐私困境。关于这个话题，在美国，1974年的《家庭教育权利和隐私法》（FERPA）和1996年的《健康保险便携性和责任法》（HIPAA）都是对教育和健康记录隐私保护的有力证据，但它们未能为学生作为新兴技术的数据主体提供足够的保护。美国现有的联邦法律没有为数据用户获得同意提供系统或统一的方法，因此数据主体在很大程度上不知道同意了什么。除同意事项外，基于学生隐私法的政策策略（即自愿共识标准、维护隐私的基本做法、道德审查委员会、数据/记录的保留和销毁以及设备的数据卫生）在很大程度上是从大学的角度出发的，而不是从作为数据主体的学生的角度出发，具有重要意义和信息性。本文补充了对美国法律的新的全面审查，包括法令、法规和案例，以及七项关键的国家或国家联盟法律，特别是欧盟的《通用数据保护条例》和美国选定的州法律，它们提供了一致和更大的学生隐私保护。对法律中设计的原则的见解，这些原则围绕着它们的应用、重要性、同意和安全性。关注学生隐私法仍然存在隐私问题的领域，但要特别指出关于同意级别和类型的重大差距、猜测和不足问题，以及数据主体保护的幽灵效应。对实践和/或政策的影响数据主体同意应建立并保持一致——无论是选择退出条款、选择加入条款还是某种广泛的参与。学生隐私政策应纳入数据主体和数据处理的透明和公平原则。政策制定者现在应该考虑如何在人工智能、量子计算和网络安全的背景下解决数据主体隐私问题的交叉点。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

British Journal of Educational Technology EDUCATION & EDUCATIONAL RESEARCH-

CiteScore

15.60

自引率

4.50%

发文量

111

期刊介绍： BJET is a primary source for academics and professionals in the fields of digital educational and training technology throughout the world. The Journal is published by Wiley on behalf of The British Educational Research Association (BERA). It publishes theoretical perspectives, methodological developments and high quality empirical research that demonstrate whether and how applications of instructional/educational technology systems, networks, tools and resources lead to improvements in formal and non-formal education at all levels, from early years through to higher, technical and vocational education, professional development and corporate training.