If an instructor wishes to use social media, third party and/or cloud-based technologies to enhance a course, what steps can be taken to reduce risk and ensure the security of student data?
Full reliance on a third-party service that is not supported by the institution or division, nor through a contract relationship will involve a high level of risk and is not recommended as a primary learning environment. Applications and services that are not owned and operated by University of Toronto might not meet University of Toronto guidelines or requirements for privacy, intellectual property, security, accessibility and records retention. However, if instructors wish to take advantage of the benefits of a platforms outside of the U of T Academic Toolbox as an adjunct activity to enhance a course, the strategies outlined below will reduce the risk in use of third-party systems.
You may also use the Teaching Tools Criteria Checklist to review important questions and factors for consideration during the decision-making process
If, as part of the course curriculum design, the instructor wishes to use an externally hosted social media platform, third-party or cloud-based tool that cannot be replicated within the institutional framework, instructors should provide students with the choice to “opt out.” Students cannot be compelled to create accounts on non-university systems or with non-university services. Environments external to U of T that are to be used by students as part of course activities must be explicitly listed in the course syllabus. If a student does not consent to participation in an external environment, a viable alternative assignment or activity must be available to them.
To inform consent and to ensure transparency regarding use of their personal information the following steps are recommended:
- Review the terms of use or end-user license agreement (EULA) particularly with regard to the following questions:
- Is the app allowed to share personal information and with whom?
- What is the privacy policy?
- Where is data stored?
- Include in syllabus course usage of an external, third party application and whether it will require students to register or create an account.
- Provide students with the context for what they are expected to do using the external tool. For example, describe in general terms such as ungraded quiz exercises, content creation or discussion activities.
- Provide links to vendor/product statements regarding privacy and use of information in syllabus or course materials.
- If the student needs to create an account on the external system, let students know they should not use the same password as the one they use to access UTORid-enabled services.
Avoid inclusion of data that would be classified by the University of Toronto as “personal” or “confidential distribution” in third party systems. See Information Security Guidelines for details. If the pedagogical objectives of the course require the instructor or students to enter this type of information into the third-party system, the instructor should not use the system without working with the their divisional/departmental IT department and ITS Information Security to contractually require the service to comply with necessary security and privacy requirements. Instructional activities will avoid the need to transmit any highly sensitive data and mitigate risk. Ensure an authorized administrator signs off on any legal contract on behalf of the university.
Restrict access to any sensitive information, so that only those with a “need to know” can access it:
- Do not include any personally identifiable information if avoidable
- Remove data when it is no longer needed.
As in all instructional situations, the instructor should be sure that use of copyrighted materials incorporated into content uploaded to third-party tools complies with copyright law. Additionally, the instructor should review the terms of service of the third-party tool; typically, the provider claims a license to copy, adapt, and share the content as needed to enable the user to access and use the service. If the license exceeds this limited scope, the instructor should ensure that the owner of the rights (potentially the institution, the instructor, or the student) agrees with these terms
If the rights are owned by the instructor(s) or students, they should be advised to review the terms of service to ensure that they understand and are comfortable with those terms, and they should be advised to consider placing copyright notices on their content.
For more information and guidance, contact:
Additional References:
(Merri Beth Lavagnino, 2010) Policy as an Enabler of Student Engagement Educause Review https://er.educause.edu/articles/2010/10/policy-as-an-enabler-of-student-engagement
(Ryerson University, 2021) Using External Third-party Tools
https://www.ryerson.ca/centre-for-excellence-in-learning-and-teaching/remote-teaching/virtual-proctoring/third-party-tools/