Trust, Because You Can't Verify: Privacy and Security Hurdles in Education Technology Acquisition Practices
Easton Kelso, Ananta Soneji, Sazzadur Rahaman, Yan Shoshitaishvili, Rakibul Hasan
TL;DR
The paper investigates privacy and security hurdles in EdTech acquisition within higher education through 13 semi-structured interviews with EdTech leaders across seven HEIs. It reveals heavy reliance on FERPA/HIPAA, limited visibility into vendor and sub-vendor security, and contractual gaps that obscure data ownership and hinder post-acquisition accountability, including data deletion. A risk-based, multi-stakeholder approach emerges as necessary, with recommendations spanning federal/state/regulatory reforms, enhanced data governance, inter-HEI collaboration, and proactive auditing. The findings point to practical ways of improving governance, transparency, and vendor accountability to protect student data in rapidly expanding EdTech ecosystems.
Abstract
The education technology (EdTech) landscape is expanding rapidly in higher education institutes (HEIs). This growth brings enormous complexity. Protecting the extensive data collected by these tools is crucial for HEIs, as data breaches and misuse can have dire security and privacy consequences for the data subjects, particularly students, who are often compelled to use these tools. This calls for an in-depth understanding of HEI and EdTech vendor dynamics, which remain largely understudied. To address this gap, we conducted a semi-structured interview study with 13 participants who are in EdTech leadership roles at seven HEIs. Our study uncovers the EdTech acquisition process in the HEI context, the consideration of security and privacy issues throughout that process, the pain points of HEI personnel in establishing adequate protection mechanisms in service contracts, and their struggle to hold vendors accountable due to a lack of visibility into vendors' systems and power asymmetry, among other reasons. We discuss certain observations about the status quo and conclude with recommendations for HEIs, researchers, and regulatory bodies to improve the situation.
