Guidelines for cloud-based educational technologies

Last updated July 2017

More and more digital tools for education are emerging. Some are run by the University, but many are run by third-party entities and services. The latter include Dropbox, Google Apps, WordPress, and scores of others available in the digital space that has become known as “the cloud.” These educational tools can enhance course content and activities, but instructors and students need to proceed with some caution because Waterloo does not control the servers on which these cloud-based tools run. Using a cloud-based tool means giving your data -- personal or otherwise -- to an entity that (usually) has no formal relationship with the University. Some implications are illustrated through a few examples.

  1. An instructor asks the 200 students in his political science class to use Poll Everywhere to submit and vote on questions that occur to them during a lecture. The instructor plans to review the questions and respond to the ones that receive the most votes. However, a dozen students in the class refuse to use the tool because the data is housed on servers based in the United States, and they are wary of what they’ve heard about the U.S. Patriot Act.
  2. An instructor asks her students to use a cloud-based social bookmarking tool to jointly collect and annotate web resources pertaining to the English playwright Christopher Marlowe. A student appeals his grade on the basis that his contribution to the collaborative project was not marked fairly. The instructor attempts to access the social bookmarking tool to review the student’s contributions, but it has closed down.
  3. An instructor asks her Biology students to create short videos about mitosis and upload them to Vimeo. Students in one group produced a video that included a short snippet from the movie Inception. They have been contacted by lawyers from MGM about copyright infringement. The students argue that the University is jointly liable because the course required them to accept Vimeo’s Terms of Use in order to complete the assignment.
  4. An instructor shows his German-language class a three-minute YouTube video made by an amateur soccer team in Berlin. However, upon reading YouTube’s Terms of Use, he found this clause: “You may access Content for your information and personal use solely as intended through the provided functionality of the Service and as permitted under these Terms of Service.” Does “personal use” encompass “educational use”?

These examples illustrate some of the considerations that you should have in mind when deciding to adopt a cloud-based educational tool. Information privacy can prevent the University from providing some information about students to these tools, which may limit their use. Students themselves may object to use of some tools based on actual or perceived concerns; for example, some may object to Facebook using data for commercial purposes, or providing it to others. Grades associated with the use of the tool may become the object of a grade appeal, so you need to plan how you would go back to the student content for up to a year after the course ends. (Also, grades, if assigned in the tool, should not be viewable by anyone but the student.) Students might be advised to use pseudonymous accounts (i.e., not a “real” identity) to participate. For common social networking tools like Facebook or Instagram, you might advise them to create a second professional account, so as not to mix it with their social context and content. This list is not exhaustive, but is meant to point out things to consider.

General principles

  1. Ensure that all aspects of your course, including learning technologies such as cloud-based tools, respect the privacy and security of any person or entity connected with the course (students, guest speakers, the University itself, etc.).
  2. It’s best to act with the assumption that any information that goes to or through the service provider might eventually or inadvertently become public. This includes records of who used the service, what they used it for, when, and so on.
  3. Most cloud-based tools require users to accept their Terms of Use (usually by clicking a box). If a student is not comfortable accepting these, the instructor should provide an alternative assignment that does not require using the cloud-based tool.
  4. Students with disabilities might not be able to access some cloud-based tools (for example, tools that use Java to display text will not be readable by screen readers). The instructor must accommodate the student, perhaps devising an alternative assignment.

Policies and legislation relevant to cloud-based apps

Provincial legislation

  1. The Freedom of Information and Protection of Privacy Act (FIPPA). This Ontario legislation allows members of the public to access certain kinds of information held by publicly funded institutions such as universities, while at the same time creating a privacy protection framework to which institutions must adhere. Members of institutions, such as instructors, must ensure that students’ personal information is protected. Personal information includes addresses, phone numbers, social insurance numbers, and also students’ essays, assignments, tests, grades, and so forth.
    1. More information: https://www.ontario.ca/laws/statute/90f31 and https://uwaterloo.ca/privacy/
  2. The Accessibility for Ontarians with Disabilities Act (AODA). This Ontario legislation is intended to remove barriers facing individuals with disabilities. The legislation does not prohibit the use of any given learning tool, but requires accommodations for students whose disability may prevent access to the tool.
    1. More information: https://www.ontario.ca/page/accessibility-laws

Federal legislation

  1. The Canadian Copyright Act. The Canadian Copyright Act is federal legislation that establishes the rights of creators to control the publication or reproduction of their works. The Act attempts to balance the rights of copyright holders and the needs of users. Recent changes to the Act have expanded the scope of the “fair dealing” exception: that is, there are now more contexts in which an educator can use a copyright-protected work without seeking permission of the copyright owner or paying royalties. Because the Act is complicated, Waterloo has created a suite of documents that aims to provide guidance for instructors and students.
    1. Fair Dealing Advisory
    2. Copyright FAQ
    3. Fair Dealing flowchart

Other legislation

  1. The American Patriot Act. The Patriot Act is a U.S. law that has implications for citizens of other nations, including Canada. Essentially, the law allows the U.S. government to access information -- personal or otherwise -- on any computer server that is owned by an American company. Hence, information originating from Canadian students could be accessed without their permission if the cloud-based app is located on an American server. Instructors can still use cloud-based tools that reside on U.S. servers, but these protocols should be followed: First, determine whether a comparable Canadian alternative exists. If one does not exist, or if it exists but is inferior to the U.S. counterpart, the tool on the U.S.-based server can be used. Instructors should be prepared to offer an alternative assignment or submission mechanism for those students who object to storing their personal information on an American server.
    1. More information: http://www.mondaq.com/canada/x/191964/IT+internet/Cloud+Computing+And+The+USA+Patriot+Act+Canadian+Implications

University of Waterloo policies and guidelines

  1. Guidelines Pertaining to Learning Resources and Field Trips. The Ministry of Advanced Education and Skills Development (MAESD) regulates fees that universities charge to students, including “ancillary fees,” that is, fees charged in addition to tuition. Ancillary fees can pertain to learning resources, including physical devices such as “clickers” as well as digital learning resources such as apps that are installed on smartphones, laptops, or other mobile devices. Regarding such learning resources, MAESD has delegated the responsibility of developing appropriate policies to universities. Waterloo’s policy in this regard is that instructors can require students to purchase such digital learning resources under certain conditions.
    1. More information: https://uwaterloo.ca/secretariat/guidelines-related-fees-field-trips
  2. Policy 46: Information Management. This UWaterloo policy addresses a number of principles and practices related to the following aspects of Information Management: Accountability and Accessibility, Privacy and Confidentiality, Compliance, Information Quality, Information Security, and Information Lifecycle Management. In the context of cloud-based educational technologies, the following points are worth highlighting.

    Student Information. The policy defines “Student Information” as: The University records relating to a student’s admission to the University, their academic progress and achievements at the University and the University Colleges, and any other personal information pertaining to the student – including student identification photographs – which is collected and used by the University for administrative purposes.

    When considering cloud-based tools, Appendix A further outlines details related to Access and Release of Student information. Release of such information to members of the public (including the student’s parents or landlord, external associations, and agencies) is prohibited under most circumstances. In other words, without appropriate permission, instructors are not authorized to release student information to anyone except the student to whom it pertains.

    Records Management. Policy 46 provides guidance to individuals affiliated with the University in meeting the responsibilities of the roles associated with information management, and outlines specific roles and responsibilities with respect to ownership of university records. These roles are: Information Stewards, Information Custodians, Information Users, and Information Service Providers.

    Information Security. The definition section outlines the University’s Information Privacy and Confidentiality Classification scheme (Highly Restricted, Restricted, Confidential, and Public), and outlines what kind of information belongs to each classification. For example, confidential information includes personal information (such as Social Insurance Number, date of birth, marital status, grades, and more as defined by the FIPPA) and personal health information (as defined by PHIPA), as well as information that is contained in examinations, correspondence, research proposals, records of closed meetings, and more. Confidential information is not to be disclosed to anyone except individuals requiring it for legitimate university purposes.
    1. More information: https://uwaterloo.ca/secretariat/policies-procedures-guidelines/policy-46-information-management
  3. Records Classification and Retention Schedule. This Waterloo initiative classifies examinations and coursework that are used to assess student performance as records that must be retained for “one year after last use (i.e., after the end of the term in which the work was submitted or after the resolution of any grade revision request or appeal).”
    1. More information: https://uwaterloo.ca/records-management/records-classification-and-retention-schedules
  4. Guidelines on Use of Waterloo Computing and Network Resources. These Waterloo guidelines affirm (among other things) that users of the University’s computing and network resources can expect reasonable privacy when using the resources that have been allocated to them. The guidelines also affirm the responsibilities of users, and include examples of irresponsible and inappropriate use such as using the computing and network resources to distribute material without copyright clearance.
    1. More information: /information-systems-technology/node/1692
  5. Statement on Security of Waterloo Computing Network and Resources. This Waterloo statement cautions (among other things) that certain actions -- such as the unauthorized disclosure of confidential information, including student records -- hinder the legitimate activities of the university community. The statement also affirms that every user of the university’s computing and network resources is expected to honour all applicable policies, procedures, guidelines, and directives.
    1. More information: https://uwaterloo.ca/ist/statement-security-computing-network-and-resources

Created by David Bean (Centre for Extending Learning), Mark Morton (Centre for Teaching Excellence), and Andrea Chappell (Information Systems and Technology), July 2017; reviewed by Secretariat, IST Information Security, AVP-Academic, University Committee on Information Systems and Technology. Provided as information for all faculty members and instructors, and online learning support areas.