At a high level, more data about health care and outcomes can help lead to better future diagnoses and treatments. More data about students also holds promise, offering the potential to improve learning and help identify student weaknesses in ways that are not possible today. But as new technologies such as big data analytics usher in new opportunities, we also have the responsibility to ensure those technologies are used in ways that meet our laws and cultural norms.
As technology providers for educational institutions we hold an increasing amount of educational institution data, and we believe there are some clear lines that need to be drawn regarding how providers like us can use that institution data. Federal regulations such as the Family Educational Rights and Privacy Act (FERPA) and Health Insurance Portability and Accountability Act (HIPAA) provide clear limits, including prohibiting us from making various commercial uses of customer data, such as for advertising purposes. Our education customers also have made it clear to us that letting outside vendors access student data for advertising and marketing purposes is not okay.
[ For one way analytics can benefit education, read Big Data Profile: Jayanth Garlapati, DonorsChoose. ]
As we think about the appropriate ground rules for a world moving toward big data, it is important for us to understand why we even have to ask questions about vendor use of educational institution data.
In the not-too-distant past, most computer programs were run locally or on the premises of the organization where users resided. In recent years, advances in computing and networking technologies have ushered in a new era, where many applications are instead run remotely and customer data is also stored remotely, in the cloud. The movement of massive amounts of customer data to cloud data centers run by third parties puts that data into the hands of a new set of entities -- the cloud service providers.
And some of these providers actually establish their business with an aim of gathering, examining and making commercial use of the data that they hold for their customers. Many such businesses run user data through various analytics tools to generate advertising and marketing profiles. These so-called "ad-supported" businesses have proliferated in the consumer world. As schools and teachers have experimented with new technologies, some of the technologies offered by these ad-supported businesses have found their way into schools as well.
FERPA applies to any educational agency or institution that receives funding from the U.S. Department of Education, including most private and public postsecondary institutions. Although written before the era of email and cloud computing, the U.S. Department of Education has made it clear that FERPA imposes restrictions on how educational institutions engage cloud services providers and in turn how those providers must handle institution data, including email.
Higher education legal experts also have offered guidance about FERPA's application to cloud services and explained how it requires educational institutions to carefully restrict vendor use of institution data. In the words of another expert in this area, an email vendor must agree to access and use the contents of institution e-mail "only for the purposes for which the disclosure was made -- that is, for the purposes of operating our e-mail function, not for data mining."
HIPAA applies to any "covered entity" including health care providers such as university medical schools who maintain health records. It also applies to any "business associates" of the covered entity who use, disclose or maintain the covered entity's protected health information. Guidance from the U.S. Department of Health and Human Services makes it increasingly clear that many cloud providers should be considered business associates. HIPAA's so-called "privacy rule" restricts how any business associates can use protected health information stored in their systems, including prohibiting the business associate from mining the data for the business associate's advertising or other commercial purposes.
These legal protections recognize what should be a common sense point, but which apparently has escaped some cloud providers: data collected from educational institutions should not be mined, analyzed and used for advertising or marketing purposes by cloud service providers.
We welcome a broader dialogue on the appropriate uses of big data in the education setting, but we think discarding uses such as advertising and marketing by vendors themselves is an important initial step.
Cameron Evans is national and chief technology officer of U.S. Education at Microsoft. You can connect with him via Twitter @EDUCTO