F3 Law’s partner Mark Williams, who specializes in tech procurement and student data privacy, was quoted by The Chronicle of Higher Education in its article “The ‘Textbook’ That Reads You.” The article examines the amount of personal data collected when a student uses an educational institution’s courseware, how the data is being used, and for how long.
Mark said, “’You’re basically compelling students as part of the curriculum to establish a data relationship with a third-party vendor’” in which they have no leverage to negotiate better privacy protections.”
The article dives into the relationship between a company’s privacy notice and the Family Educational Rights and Privacy Act — the decades-old federal law known as FERPA — which governs third-party use of student data. It noted that one provider of courseware believes it can never delete data without a student’s or college’s explicit request. And that when it comes to students’ data, “the institution is the controller.”
Mark fundamentally disagrees. “If the question is whether a vendor is required to delete data after its use is no longer required … my answer is yes,” he said. “You don’t get to keep the data forever until someone tells you to get rid of it.” He went on to note that it “doesn’t mean some vendors are flagrantly skirting federal law,” rather clarity is needed around these issues. “Students in those scenarios ‘have the least amount of protections,’ he said. College administrations need to get their head more into the game. … They need to be a more robust presence in arranging contracts with these vendors that protect students, and don’t leave them to the murky provisions of FERPA.”
You can read the full article on The Chronicle of Higher Education’s site.