Gaps, guesswork, and ghosts lurking in technology integration: Laws and policies applicable to student privacy

Abstract

Technology integration and learning analytics offer insights to improve educational experiences and outcomes. In advancing these efforts, laws and policies govern these environments placing protections, standards, and developmental opportunities for higher education, students, faculty, and even the nation‐state. Nonetheless, evidence of educational restrictions, encumbered actions, and archaic approaches pervades the legal literature and case law demonstrating that these laws and policies do not always function well in evolving and emerging technology spaces. To examine these laws and policies of student privacy, the author employs the combination of a critical policy analysis, which derives from critical social research as a means to explore discourse and policy through drawing out the policy contexts, texts, and consequences, and Flood's liberating systems theory, which directs the analysis to a problem‐solving approach by examining the policy discourse from a systems‐thinking lens. Based on a review of 184 court cases, 74 policies from a diversified representation of US states/territories, and seven developed nations or multi‐nation consortia, this examination illuminates how context and text such as the type and setting of the privacy matter (eg, various freedom of information acts, educational records under the Family Educational Rights and Privacy Act, and General Data Protection Regulation in the European Union) presents opportunities for protections and standardization efforts; however, they also illustrate significant protection gaps, guesswork and insufficiency around the type and degree of data subject consent, and ghosting effects of data subjects' protections. While the extant literature already supports aspects of these findings, it does not account for this holistic view of these three privacy vulnerabilities—especially in light of the principles to which these laws purport to achieve. Moreover, the three identified privacy vulnerabilities suggest overlooked inclusion of two overarching privacy concepts—transparency and equity. This study recommends that key actors in the policy construction realm (ie, university leaders, policymakers, and judges) should engage in analyses, dialogue, and consideration about transparency and equity by considering contemporary privacy problems in the contexts of artificial intelligence, quantum computing, and cybersecurity as a way to improve transparent and equitable policies in these areas rather than exacerbating the privacy dilemmas already in place. Practitioner notesWhat is already known about this topic In the United States, the Family Educational Rights and Privacy Act of 1974 (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are well documented evidence of privacy protections for education and health records, but they fail to offer sufficient protections for students as data subjects with emerging technologies. Existing federal‐level laws in the United States do not offer a systematic or uniform approach in the manner that data users obtain consent, so data subjects are largely unaware of what is being consented. Other than matters of consent, policy strategies based on student privacy laws (ie, voluntary consensus standards, basic practices to maintain privacy, an ethics review board, data/record retention and destruction, and data sanitation of equipment) are significant and informative largely from the university‐perspective, not the students as data subjects. What this paper adds A new comprehensive examination of US laws including statutes, regulations, and cases as well as seven key nation‐state or national consortia laws—especially the EU's General Data Protection Regulation and selected state laws in the United States, which offer consistent and greater student privacy protections. Insights about the principles designed among the laws, which centre around their application, essentiality, consent, and security. Attention to areas in which student privacy laws still present privacy concerns, but specifically identifying issues of significant gaps, guesswork and insufficiency around levels and types of consent, and ghosting effects of data subjects' protections. Implications for practice and/or policy Data subject consent should be established and consistent– whether an opt‐out provision, opt‐in provision, or some extensive engagement. Student privacy policies should incorporate principles of transparency and equity for data subjects and data treatment. Policymakers should consider now how the intersections of data subject privacy matters shall be addressed in the context of artificial intelligence, quantum computing, and cybersecurity.