< Back to Main Site

EDUCAUSE review onlineEDUCAUSE review online

Policy as an Enabler of Student Engagement


Policy Matters

© 2010 Merri Beth Lavagnino. The text of this article is licensed under the Creative Commons Attribution NonCommercial-ShareAlike License (http://creativecommons.org/licenses/by-nc-sa/3.0/).

EDUCAUSE Review, vol. 45, no. 5 (September/October 2010): 104–105

Merri Beth Lavagnino (mbl@iu.edu) is Chief Privacy Officer and Compliance Coordinator at Indiana University.

Comments on this article can be posted to the web via the link at the bottom of this page.

Today's educators are faced with a multitude of tools (e.g., collaborative workspaces, chat rooms, blogs, wikis, and podcast/video sites) that offer new potential for engaging students in learning. When such tools are institutionally provided, instructors can be confident that relevant policy issues have been addressed. But many instructors also want to use third-party hosted tools that are not yet offered by their institution or that are impractical or impossible for the institution to implement or purchase. Institutions struggle with how to appropriately manage the review of these tools for compliance with policy and applicable law concerning data privacy, security, and protection of intellectual property rights, especially given the exploding use of these tools and the typically limited number of knowledgeable staff to conduct reviews.

So if an institution can't keep up with all of these tools, what can it do? Some higher education institutions provide guidance for their instructors to perform reviews themselves. For example, the Indiana University Teaching Handbook includes a section titled "Use of Social Networks, Blogs, Wikis, and Other Third-Party Hosted Tools in Instruction,"1  which builds on an excellent and more succinct model created by the University of Wisconsin–Madison,2 to assist its faculty. Such detailed guidance is necessary for complicated or inventive uses of technology in instruction. But will the majority of instructors dabbling in the use of such tools spend the time needed to carefully consider all the issues outlined? Or will they glance at the length of these laundry lists and decide against dabbling at all, thus missing an opportunity to increase student engagement?

In fact, some Indiana University faculty have responded to the university's comprehensive self-service guidance by requesting that administrative staff conduct the reviews rather than asking instructors to do so. Certainly this would be ideal, reducing duplicative efforts and better ensuring that all risks are accounted for and addressed. But this may not be feasible, especially when staffing is lean, and the time delay required for a third party to review the instructor's plans may also introduce a barrier to faculty innovation.

Institutions may want to consider another strategy. In most cases, risks associated with the use of these tools can be minimized through the instructor's proactive review of just the most critical risks, ensuring that student engagement can be enhanced without endangering the institution.

Just How Risky Is the Technology Tool?

IT and legal professionals tend to exhaustively identify the policy, security, privacy, and legal issues associated with a new and innovative technology, treating each issue with the same level of importance. It is true that all issues need to be identified, but not all of the issues need to be considered equally. Moreover, issues may pose different levels of risk when the technology is used for different purposes; for example, an increasing number of institutions have outsourced student e-mail but not employee e-mail.

The most common uses of such technologies in instruction today do not pose the same level of risk as would be the case if the tools were used in, for example, e-commerce, donor relations, or patient care. Keeping this in mind, and as a measured response to the faculty request regarding reviews, a team at Indiana University3 evaluated the issues associated with uses of "cloud" technologies,4 consulted instructors about how they used third-party technologies in instruction, and strived to whittle the guidance down to the minimum necessary for the majority of instructional situations. Only three directives to instructors emerged.

#1: Don't put any information classified as highly sensitive into a third-party service without entering into a contract with the vendor.

Institutions should have a data-classification scheme, which identifies the information requiring the very highest level of protection.5 If the pedagogical objectives of the course require the instructor or students to enter this type of information into the third-party system, the instructor should not use the system without working with the appropriate institutional office to contractually require the service to comply with necessary security and privacy policy, law, and regulation. Fortunately, very few instructional activities will require the use of highly sensitive data, so the vast majority of instructors can move on to the second directive.

#2: Don't put any data covered by FERPA into a third-party service without entering into a contract with the vendor.

The Family Educational Rights and Privacy Act (FERPA) does not prohibit instructors from allowing students to use third-party tools as part of course activities. Content created by students when using such tools to fulfill course requirements (e.g., creating blogs on WordPress, posting videos to YouTube) should not be considered "student education records" under FERPA. However, copies of such records that are maintained by instructors in their own files do constitute FERPA-protected "student education records." If an instructor needs to disclose FERPA-protected student education records to the third-party service in order to meet pedagogical objectives, the instructor should not use the system without working with the appropriate institutional office to contractually require the service to comply with FERPA.

In most instructional situations, the third-party tool will be used only by students; for example, students will post to Twitter or Blogger, or create a survey in SurveyMonkey, or work on collaborative projects with their classmates using Google Docs. It may take a few moments of planning, but the instructor can usually figure out a way to maintain his/her FERPA-covered files using institutionally provided tools. This allows most instructors to move on to the third directive.

#3: Don't give away intellectual property owned by others.

This third directive is likely the only one that requires an investment of time by most instructors. First, as in all instructional situations, the instructor should be sure that use of copyrighted materials incorporated into content uploaded to third-party tools complies with copyright law. Additionally, institutions should have an intellectual property policy that outlines who owns the rights to various materials created or used in support of the institutional mission (e.g., traditional works of scholarship; works submitted by students to meet course requirements). The instructor should review the terms of service of the third-party tool; typically, the provider claims a license to copy, adapt, and share the content as needed to enable the user to access and use the service. If the license exceeds this limited scope, the instructor should ensure that the owner of the rights (typically the institution, the instructor, or the student) agrees with these terms.

If the rights are owned by the institution, instructors and students usually may upload that content to third-party tools only if one of the following conditions exists:

  • The terms of service for the site do not grant the third-party host or other parties rights to the content, other than a limited license to use it for the purpose of enabling the user's access to and use of the third-party service; or
  • the user has otherwise obtained permission from the institution.

A standard institutional copyright notice typically must be included when the content is uploaded.

If the rights are owned by the instructors or students, they should review the terms of service to ensure that they understand and are comfortable with those terms, and they should consider placing copyright notices on their content.6


In nearly all cases of using technologies to increase student engagement in learning, instructors can focus on three key risks: highly sensitive information, FERPA-protected information, and intellectual property. This leaves a small number of complex and inventive projects that will require additional scrutiny and full administrative review of the additional risks.

The policy, security, privacy, and legal issues related to using tools not hosted by an institution can be great, but providing lists of issues without a consideration of the corresponding risks associated with particular uses will cause policy to become a barrier to—rather than an enabler of—student engagement.


1. "Use of Social Networks, Blogs, Wikis, and Other Third-Party Hosted Tools in Instruction," Indiana University Teaching Handbook, <http://www.teaching.iub.edu/thirdparty_apps.php>.

2. University of Wisconsin-Madison, "Guidelines for Use of Non-UW-Madison Applications and Services for Instruction," <http://www.cio.wisc.edu/policies/Non-UWAppsServicesInstruction.doc>.

3. Many thanks to my colleagues Beth Cate, Associate General Counsel, and Kate Ellis, Instructional Technology Consultant.

4. See, for example, Karla Hignite, Richard N. Katz, and Ronald Yanosky, "Shaping the Higher Education Cloud," an EDUCAUSE and NACUBO White Paper, May 2010, <http://www.educause.edu/Resources/ShapingtheHigherEducationCloud/205427>; Steve McDonald, "Legal and Quasi-Legal Issues in Cloud Computing Contracts," <http://net.educause.edu/section_params/conf/CCW10/issues.pdf>; Office of the Vice President for Information Technology, University Information Policy Office, Indiana University, "Use of Cloud Computing," August 26, 2009, <http://informationpolicy.iu.edu/resources/articles/cloud_computing>; and EDUCAUSE Learning Initiative, "7 Things You Should Know about Privacy in Web 2.0 Learning Environments," September 2010, <http://net.educause.edu/ir/library/pdf/ELI7064.pdf>.  

5. The following list addresses most, if not all, sources of serious risks: Social Security numbers, credit card numbers, debit card numbers, bank account/financial account numbers, driver's license numbers, state ID card numbers, student loan information, foundation donor data, protected health information, individually identifiable health information, and passphrases/passwords, PINs, and security/access codes. Often, one of these elements needs to be accompanied by an individual's name in order to result in harm, but not always.

6. The Creative Commons license generator can help instructors and students create simple copyright notices that allow others to copy and distribute their works but that still require certain conditions, such as proper attribution. See "License Your Work," Creative Commons, <http://creativecommons.org/choose/>.

Merri Beth Lavagnino

Merri Beth Lavagnino is Chief Privacy Officer and Compliance Coordinator for Indiana University. In this role, she is charged with:

- Management of high-level strategies, plans, policies, and processes for legal and policy-compliant deployment and use of information, information systems, and technology, university-wide
- Coordination of efforts to protect personal and institutional information
- Promoting privacy principles that IU is to strive to align with in its policies and practices
- Developing and administering university-wide information privacy and security awareness and training programs
- Effective identification, assignment, and tracking of university statutory and other obligations across the gamut of administrative and academic areas

Before coming to IU, Lavagnino held faculty and staff positions at four other higher education institutions and one higher education consortium. She supported information technology in libraries at Temple University, Yale University, the University of Vermont, and the University of Illinois at Urbana-Champaign. She also coordinated the cooperative activities of the Chief Information Officers of the Committee on Institutional Cooperation (CIC), a consortium of the Big Ten Universities plus the University of Chicago.

Lavagnino earned her Master's degree in Library Science from Indiana University, and earned a Bachelor's degree in Education from Temple University. She is a Certified Information Privacy Professional (CIPP).


Most Popular

Stay Up-to-Date

RSS Email Twitter

Share Your Work and Ideas

Issues coming up will focus on designing the future of higher ed, digital engagement, and new business models. Share your work and ideas with EDUCAUSE Review Online.

E-mail us >


EDUCAUSE Members: $6.00
Non-Members: $6.00

Annual Conference
September 29–October 2
Register Now!

Events for all Levels and Interests

Whether you're looking for a conference to attend face-to-face to connect with peers, or for an online event for team professional development, see what's upcoming.


Digital Badges
Member recognition effort
Earn yours >

Career Center

Leadership and Management Programs

EDUCAUSE Institute
Project Management



Jump Start Your Career Growth

Explore EDUCAUSE professional development opportunities that match your career aspirations and desired level of time investment through our interactive online guide.


EDUCAUSE organizes its efforts around three IT Focus Areas



Join These Programs If Your Focus Is


Get on the Higher Ed IT Map

Employees of EDUCAUSE member institutions and organizations are invited to create individual profiles.



2014 Strategic Priorities

  • Building the Profession
  • IT as a Game Changer
  • Foundations

Learn More >

Uncommon Thinking for the Common Good™

EDUCAUSE is the foremost community of higher education IT leaders and professionals.