Risks exist when university information is stored or transmitted using tools not provided or contracted by IU. The key things instructors must remember are:
1. Critical Information
Indiana University has a data classification scheme, which identifies the sensitive information elements that require the very highest level of security protection. Those elements are:
Social Security numbers
Bank account/financial account numbers
Credit/debit card numbers
Student financial aid information
Foundation donor data
Protected Health Information
Driver’s license numbers
Passphrases/passwords, PINs, access codes
State ID card numbers
If the pedagogical objectives of the course require an instructor or students to enter this type of information into the third-party tool, then do not use it before working through appropriate institutional offices to get a contract with the service. Fortunately, very few instructional activities will require the use of these sensitive information elements, so the vast majority of instructors can move on to...
2. Data Protected by FERPA
The Family Educational Rights and Privacy Act (FERPA) does not prohibit instructors from having students use third-party tools as part of the course activities. Content created by students when using such tools to fulfill course requirements (e.g., creating blogs on WordPress or posting videos to YouTube) is not properly considered a “student education record” under FERPA; however, copies of such records maintained in an instructor’s own files are subject to FERPA, just like other individually identifiable student data.
If the pedagogical objectives of the course require an instructor to enter FERPA-protected data into the third-party tool, then do not use it before working through appropriate institutional offices to get a contract with the service.
In most instructional situations, the use of the third-party tool is by the students only; for example, the students post to Twitter or work on collaborative projects with fellow classmates using Google Docs. There are ways for the instructor to interact with the tool without disclosing FERPA-protected data — and to maintain such FERPA-covered records on institutionally provided tools. Your campus Teaching and Learning Center stands ready to assist if needed. This allows a majority of instructors to move on to...
3. Intellectual Property
Much content used or created in a course is protected by copyright (and sometimes trademark and patent) law. Using third party applications requires the user to grant permission to use the content in certain ways. Often, this is a license that limits use to copying, adapting, and sharing the content as needed to enable the ordinary use of the application and affiliated services (a “limited license”). Sometimes application providers require a broader license or even a transfer of rights. Instructors should make sure:
That if a student must grant a license to their work to a third party application provider, such a license does not reach beyond the scope described above — or that if it does, the student understands and voluntarily agrees to grant the broader license and use the application;
That any IU intellectual property (including university-owned copyrighted and patented works and university trademarks and logos) is not uploaded to the application without prior authorization from the appropriate university officials; and
That their use of third-party copyrighted and trademarked content within a course complies with applicable law (e.g., that use of copyrighted material is a “fair use,” allowed under another provision of copyright law, or is authorized by the copyright holder), and that they instruct students to ensure their use complies as well.
The General Counsel’s Office and campus Teaching and Learning Centers are available to help guide instructors on these issues