Some random thoughts and notes from the recent InfoSummit I attended. The Summit was put on by the non-profit BC Freedom and Information Privacy Association.
Among the presenters were KPU faculty Mike Larson and UBC legal counsel Paul Hancock. Both spoke on a number of issues, but the one that was most relevant to my work was the discussion on the BC-specific data sovereignty requirement which says that, unless you get consent, personal information collected by BC public bodies must reside on data servers stored in Canada. In the BC higher education edtech space, this has made using cloud based services problematic for faculty who often have to get signed consent forms from students to use cloud services outside of Canada.
On this point, Mike and Paul were on opposite sides of the debate. Mike supported the requirement, and made the point that the requirement to get informed consent has a strong pedagogical function. When he asks his students to sign a consent form to use cloud-based services, it often kickstarts a conversation with them about privacy, data, security and user rights. Now, Mike does teach Criminology and law, so it feels like a natural fit to have this convo with his students, and I wonder if a, say, English prof or someone teaching trades would be prepared to have this conversation with their students. Or wether their students would even care to have this conversation, as important as it is to have. But still, it was refreshing to hear a faculty member speak about using BC’s informed consent requirement as a pedagogical device to start conversations about privacy in a digital age.
On the other hand (and probably closer to the reality of most faculty), the data sovereignty requirement and informed consent forms are real barriers for faculty who wish to incorporate other technologies into their teaching and learning. UBC’s Paul Hancock believes that the data sovereignty requirement is much too broad, and he spoke about feeling handcuffed by the legislation when he speaks to instructors who want to use a teaching tool that fits their exact pedagogical goals, but is hosted in another country. For this instructor, Hancock has to advise them that they cannot use the technology unless they get the consent of the students. Getting consent may sound easy, but if you do have students who do not consent, then the instructor has to have an alternative activity or exercise ready for them that is FIPPA compliant. Now you have to start designing additional activities for these special exceptions, and I don’t know many faculty who have extra time on their hands to develop extra activities as a work-around to the legislation.
But it is not just the data sovereignty requirements that are presenting challenges to higher education institutions. Students are now asking institutions for access to the data collected about them within the technologies hosted on campus. Using a Freedom of Information request, UBC student Bryan Short has been trying to get a copy of the data collected about him by the UBC LMS (Blackboard, branded as UBC Connect at UBC). In a five-part blog post series, Bryan neatly and perceptively outlines his experiences trying to get access to learning analytics collected about him using a Freedom of Information request (and does a nice takedown of the LMS in general). Normally, when a public institution has been served with an FOI request, they have 30 days to comply. UBC was unable to comply and has now asked for an additional 30 days to gather the information. I wonder what kind of technical hoops UBC might be jumping thru to even extract this information from their LMS in a meaningful way.
Sadly, this whole process has made Bryan feel like he is a “meddling, bothersome nuisance” for doing something he has the legal right to do.
I don’t think this will be an isolated incident. As digital privacy becomes a bigger issue within our society, I suspect institutions will begin to see more and more of these kinds of requests from students like Bryan asking for access to their learning data, especially if that learning data is being used in anyway to conduct an assessment of the student. Which makes me wonder how many institutions in BC would be able to respond within 30 days to a student FOI request for the data collected about them in the LMS?