Community

Four things to know about student privacy and ArcGIS Online

1194
0
03-15-2021 07:53 AM
AngelaLee
by Esri Contributor
Esri Contributor
2 0 1,194
‎03-15-2021 07:53 AM

As education moves increasingly online, information security and privacy become increasingly important. We on the Esri Education Team regularly receive inquiries about information security, privacy, and compliance with policies such as GDPR and FERPA. Although I have worked in the tech industry for many years, I don’t have a formal background in IT and wanted to educate myself on the issues. So I poured a big cup of coffee and spent some quality time exploring the ArcGIS Trust Center and other resources.  Here’s what I learned about privacy and ArcGIS Online.

student_privacy.jpeg

 

First, I wanted to understand the relationship between security and privacy.  Working with K-12 schools, colleges, and universities, we know student privacy is a huge concern to educators, administrators, students, and parents. So, are security and privacy synonymous? Not exactly.  A helpful discussion of the differences is available in the EDUCAUSE Information Security Guide.  Information security and information privacy overlap, with information security encompassing confidentiality, integrity, and availability.  Privacy concerns the rights of individuals and organizations with respect to personal information and how such information is collected, used, and disclosed.

Next, I wanted to understand what privacy measures Esri has put in place.  Esri has a general company Privacy Statement and a supplementary Products & Services Privacy Statement, with the general privacy statement governing Esri’s public websites and the Products & Services Privacy Statement Supplement governing ArcGIS Online, Esri Managed Cloud Services, Customers Support, and Professional Services. My key take-away is that there are two sets of concerns: a. the privacy of individuals purchasing and administering Esri products and services, and b. the privacy of individuals using Esri products and the data they create.

In the context of student privacy, the second set of concerns is more relevant. ArcGIS Online is designed for use by an organization, with many individuals (such as students and educators) using accounts and data.  The accounts and data are managed by an administrator, who acts as an intermediary between Esri and the organization’s members (i.e., students and educators).  Student privacy is affected by both the privacy and security policies of Esri as well as the policies of the organization (i.e., the school or university).  In fact, the privacy and security policies of the organization (school or university) have as much impact on the privacy of students and student-created data as Esri’s privacy and security policies.

Why is that?  In part, this is because no personal information of students needs to be provided to Esri for students to use ArcGIS Online.  Esri collects personal information only from the administrator who needs to interact with Esri (e.g., Customer Service, Technical Support). In addition, the ArcGIS administrator can choose to create usernames that do not use students’ given names or other personal information, and to limit the creation of member profiles to prevent personal information about members from being shared.  And while the creator (e.g., student) can choose to share, the administrator can limit the scope of sharing so that no student-created data can be shared publicly.  Finally, the organization’s IT policies create norms that help students understand what data are appropriate to share and with whom.  For example, it’s appropriate to share data with your teacher but not with the general public. The ArcGIS Security Advisor can help an ArcGIS Online administrator review ArcGIS Online (or ArcGIS Enterprise) security settings and logs and make informed choices.

securityadvisor.PNG

 

 The organization’s policies educate students about privacy as it relates to many products and services, not just ArcGIS Online.  Limiting the sharing of student-created data and student profiles can help maintain compliance with the Family Educational Rights and Privacy Act (FERPA), which concerns the privacy of student educational records, and compliance with the General Data Protection Regulation (GDPR).

Detailed information about the security and privacy controls in ArcGIS Online is available on the ArcGIS Trust Center. In particular, see the ArcGIS Security Checklist and Esri’s self-assessment answers in the ArcGIS Online Cloud Security Alliance Consensus Assessment Initiative Questionnaire.  The Cloud Security Alliance is a “not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing”. A wide range of industry security practitioners, corporations, and associations participate in this organization to achieve its mission. For additional recommendations on protecting student privacy within ArcGIS Online, especially in the context of K-12 education, see pages 22-31 of the document ArcGIS Online Organizations for Schools & Clubs.

To recap, then, what are the four things to know?

  1. When thinking about privacy and ArcGIS Online, there are two sets of concerns: a. the privacy of individuals purchasing and administering Esri products and services, and b. the privacy of individuals using Esri products and the data they create.
  2. The privacy and security policies of the organization (school or university) have as much impact on the privacy of students and student-created data as Esri’s privacy and security policies, because:
    1. No personal information of students needs to be provided to Esri for students to use ArcGIS Online.
    2. The organization’s IT policies create norms that help students understand what data are appropriate to share and with whom.  For example, it’s appropriate to share data with your teacher but not with the general public.
  3. Limiting the sharing of student-created data and student profiles can help maintain compliance with the Family Educational Rights and Privacy Act (FERPA), which concerns the privacy of student educational records, and compliance with the General Data Protection Regulation (GDPR).
  4. The ArcGIS Trust Center provides resources to help educators and administrators make informed choices to protect student data privacy when using ArcGIS Online.

As mentioned earlier, privacy is just one component of security.  Watch for another post exploring other aspects of security.  But first, time for more coffee.

About the Author
Esri Education Manager. Promoting value of Geo in learning and research to improve decision making. Firm believer that a map is worth a thousand words (at least). Midfielder. Chocolate fiend.