Third Party Services: Legal and Privacy Concerns

A third-party service or tool to support teaching and learning is one developed by a company other than Instructure/Canvas. Many of these tools, also referred to as external tools or LTI tools, have been vetted by the IU Security Office and are approved for use at IU. LTI tools integrate seamlessly with Canvas, including passing a grade back to the Canvas gradebook.
For a complete list of approved third-party tools, see External tools available in Canvas.


Three Major Risks to Consider

Risks exist when university information is stored in tools or cloud services not provided or contracted by IU. Most instructional situations face three major risks.

  1. Critical Information: Information classified as "critical" may not be stored in any third-party tool without the university entering into a contract with the vendor.
  2. FERPA: Student records protected by FERPA may not be stored in any third-party tool without the university entering into a contract with the vendor.
  3. Intellectual Property: Ensure that any and all content owners grant permission and express appropriate intent before any intellectual property is given away.

See Use of Cloud Services in Instruction for more detailed information regarding each of these three risks.


University Policy

As an instructor, if you use an application managed by a vendor with whom IU does not have a contract, and it collects protected student data, you may be subject to sanctions, according to university policy Disclosing Institutional Information to Third Parties (DM-02). If your intended use will collect any FERPA-protected data in a third-party tool, do not use it before working through appropriate institutional offices to get a contract with the service.


What is FERPA?

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. Education records are directly related to a student and maintained by an institution or its agent for all enrolled students, including those in high school. Education records may exist in any medium (e.g., electronic or digital files including email, paper documents, fax documents, oral conversations, etc.). Education records include such things as personal identifiers and bio-demographic data (such as SSN, date of birth, ethnicity, gender, relationship information) and also academic records (such as test scores, GPA, graded papers, exams, transcripts, advising notes, financial aid information, etc.). See Family Educational Rights and Privacy Act (FERPA).


Review of Third Parties Prior to Sharing Data

When institutional data is shared with a third party (for example, an information technology cloud provider), the university Committee of Data Stewards requires specific information to be submitted for review, and in the case of critical data, evaluated by the University Information via the Security Office. See Protect data shared with cloud services and other third parties.