
Third party apps – keeping your data safe

On the 28th of January we held our first meeting of the DCAD Education Lab Journal Club. It was nice to see a few faces from outside DCAD in attendance too. The discussion was based around two articles:

  1. McKie, A (2020) “Do edtech apps keep student data safe?” Times Higher Education January 14.
  2. Berry, S (2019) “Non-institutional learning technologies, risks and responsibilities: a critical discourse analysis of university artefacts” Research in Learning Technology 27.

These both explore the issues arising from the use of apps/tools/software (henceforth, just “apps”) in learning and teaching.

Institutional Apps

We drew a distinction between “institutional” and “non-institutional” apps. Institutional apps such as Turnitin, Blackboard/duo, Office365, TurningPoint, Box, etc. are all governed under a license agreement between the University and the vendor, and have been reviewed by Legal Services, the Information Governance Unit and CIS. Non-institutional apps were the rest – things that are often used, but without a formal University-approved license agreement in place – e.g. Twitter, ActionBound, Facebook, Padlet, Peerwise, DropBox. There was general support for the view that staff (and students) need help when selecting and experimenting with new apps.

One of the first problems we identified was knowing just what was or wasn’t an institutional app. Whilst there is a formal service catalogue published by CIS, it doesn’t provide the level of granularity that is needed to answer this question. There was also talk of whether we should draw up a “banned list” – a list of known offenders, apps that we should avoid because of serious risks of malware, unsavoury adverts or leakage of your data elsewhere.

Selecting Apps

Essentially we wanted to know the answer to the question: Are staff ok to use any apps they find? Probably not, but where do you draw the line? What if we ask students to try them? Berry warns of a risk of “diminished vigilance” in this scenario – students may be more trusting of an app recommended by their lecturers, assuming that they have been vetted and approved. Is that trust misplaced? Shouldn’t we be encouraging students to always approach new apps critically? Anna McKie also raised a good point about how complicated this area can become. If one member of staff uses a free version of an app and another member of staff uses the paid version, whilst they might appear the same to the student, they may be governed by very different terms and conditions – all very complicated.

Who has the time and skills to check an app – could you run a security audit on an app? Would you need access to the source code? Are you confident that you can make sense of the terms and conditions? Where should data be stored (yes the Brexit word appeared briefly at this point)? What would happen if an app you used was bought over by someone else? Whose permission do you need to use it? Can you enforce usage? What if someone says they don’t want to use the app or their account is somehow blocked? We were quickly raising more questions than answers.

Risk

When discussing risk, we began thinking about what made some tasks or apps low risk and others high. Some technical aspects can help to reduce the risk of the data going places you don’t expect it to – e.g. if you can use the app without having to log in, or where you can just choose the name that appears – but these tend to be gains at the expense of authenticity and validity, knowing who really said what. High risks could stem from the nature of the activity – no-one felt comfortable using a third party app for summative assessment – or the amount of data requested. There were definitely concerns around apps that require you to log in with Facebook or Google – there is a real danger of making it easy for third parties to make connections.

Sam Berry’s article reviews institutional policies in this area and found them to be lacking. At Durham there are some general information governance policies that apply to these questions, but none that spell out whether the use of certain apps is or isn’t approved and the consequences of experimenting with non-institutional apps.

The discussion could have continued all day, but to conclude we decided on a series of next steps:

Outcomes

  1. DCAD will begin the task of trying to collate a list of institutional apps, to publish on our website. That’s not to say that DCAD will be able to support you with every question about them (central support still lies with CIS), but it should help both staff and students choose tools that are safer to use.
  2. We will talk to staff in Legal Services, the Information Governance Unit and CIS about ways to make the process of gaining institutional approval of new apps slicker, about advice for those wanting to experiment with new, as-yet not adopted solutions, and about whether more guidance is needed in this area.