What’s Legal isn’t Always Ethical: Learning Analytics and Article 2.5

by Kathleen Reed, Assessment and Data Librarian, Instructor in the Department of Women’s Studies, and VP of the Faculty Association at Vancouver Island University

Recently I met with members of an institutional unit outside the library that are working on building a predictive learning analytics system to identify at-risk students so that interventions can be made. The desired model is expansive, pulling in many points of data. The group wanted access to library user records, so they could match student ID numbers with library account activations, check-outs, and physical usage of library space. At my institution, like many others, students agree upon entering the university to have their institutional records be accessed for internal research. But do students actually know what they’re agreeing to when they click the “accept” button? How many of us actually read the fine print when we access services, be they universities or social media platforms? While technically the students may have given consent, I walk away from these meetings feeling like I need a shower, and questioning why so many people in education are uncritically hopping on the learning analytics train.

Librarian professional ethics mandate us to resist the panopticon-style student information systems being built by many post-secondary institutions in the name of “student success,” and that are built into learning management systems like D2L and Moodle. The American Library Association has clear policies on Privacy, and the Confidentiality of Personally Identifiable Information about Library Users. The ALA’s Code of Professional Ethics states, “We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.” (ALA, Professional Ethics) There’s been plenty of librarians talking about libraries and learning analytics; Zoe Fisher has a nice summary on her blog.

Don’t get me wrong – I’m not saying that learning analytics don’t have a place in education. But that place should be driven by informed consent of the people whose data are being analyzed. To me, simply throwing in fine print in a long legalistic document doesn’t count as “informed consent” (and IMHO it also doesn’t stand up to strict British Columbia privacy laws, but that’s a debate for another time). Students need to be told exactly which data are being accessed, and for what purpose. Right now, at least at my place of work, they’re not. I’m teaching in Gender Studies this term, and using the learning management system D2L. When I mentioned to students that I don’t look at the learning analytics that are a part of the instructor view in D2L, most were shocked that professors could look up when and what course information students were accessing.

I sit in Learning Analytics meetings and think “if only we were subject to the Research Ethics Board (REB)…” Despite my early-career eye-rolling at some of the hoops I’ve had to jump through for REB approvals, I’m coming to appreciate these bodies as a valued voice in keeping researchers within solid ethical boundaries. REBs make us stop and think about the choices we make in our research design, and the rights of participants. Because REBs serve this function, the research being done is frequently to a high ethical standard.

Contrast this with internal work being done that doesn’t require REB approval, or any training on ethics or privacy. Much of this work is done under the guise of the Tri-Council Policy Statement – Ethical Conduct for Research Involving Humans (2014) Article 2.5, which exempts institutional research from Research Ethics Board approval. Article 2.5 states:

“Article 2.5 Quality assurance and quality improvement studies, program evaluation activities, and performance reviews, or testing within normal educational requirements when used exclusively for assessment, management or improvement purposes, do not constitute research for the purposes of this Policy, and do not fall within the scope of REB review.

Application: Article 2.5 refers to assessments of the performance of an organization or its employees or students, within the mandate of the organization, or according to the terms and conditions of employment or training. Those activities are normally administered in the ordinary course of the operation of an organization where participation is required, for example, as a condition of employment in the case of staff performance reviews, or an evaluation in the course of academic or professional training. Other examples include student course evaluations, or data collection for internal or external organizational reports. Such activities do not normally follow the consent procedures outlined in this Policy.”

What this means is that most of the assessment work done in the library – unless it’s research for articles or conference presentations later on – is not subject to REB review. It’s the same for folks who are building learning analytics tools, or monitoring the progress of students within the institution. From what I’ve witnessed, the projects that fall under Article 2.5 are some of the most ethically-fraught ground within post-secondary education. I’m not arguing that anyone who does internal work should have to go through a full REB approval process. But they should have to have some training on ethics and privacy. Perhaps there should be the equivalent of a Research Ethics Officer for investigations that fall under Article 2.5, to help ensure that internal work is held to the same high ethical standard as research.

The guidance that REBs give and the mindset in which they train us to think is valuable, and should be more widespread in post-secondary institutions regardless of whether research falls into or outside of Article 2.5.

REBs, I take back every shady comment and eye roll I ever threw your way.

This article gives the views of the author and not necessarily the views of the Centre for Evidence Based Library and Information Practice or the University Library, University of Saskatchewan.

The increasing need for ‘evidence’: surveillance and patron privacy

by Tegan Darnell, Research Librarian
University of Southern Queensland, Australia

Although I understand the need for demonstrating value and for evidence-based decision making in libraries in the current socio-political environment, recently I have experienced increasing concern over the ways that academic libraries are collecting data about the movements and behaviour of members of their communities. This is particularly of concern with the increasing use of technology using mobile devices that track members of the library community by location and library resource use.

Analytics packages monitor customer behaviour via smartphones with Wi-Fi capability. One application in particular, which I am going to call “Liquid”, collects unique media access control (MAC) addresses from each phone and then scrambles the code to anonymise the data before storing it on servers. Liquid’s business model concerns me greatly, as it provides the data about your own spaces to businesses (or libraries) for free, and then offers a premium paid service to access the aggregated data of other businesses (or libraries).

On a side note: The Mobile Location Analytics code of conduct was established after this technology had already been trialled for months. Customers were made aware of the technology, resulting in outrage about being monitored. This code of conduct applies only to retail spaces in the United States of America.

Once customer data is collected, it is made available to others for payment. While identifying data is not collected, the age and gender of individuals can be established through the aggregation of the billions of points of data that Liquid already collects. Not only that, but permission from customers is not required or sought. As long as customer names and addresses are not collected, collecting data that may be identifiable is perfectly legal.

While Liquid itself has a primarily retail customer base, Australian academic libraries are considering (or trialling) this type of technology. While the benefits of having this data about library users are clear to me, it seems that the privacy of users is being minimised or dismissed. The benefits of this sort of data to library patrons are considered to outweigh the potential risks of their exploitation.

I am sure you are all aware that privacy and confidentiality are fundamental to the ethics and practice of librarianship. The question I have is not whether or not a library should use this sort of tech to track the movement of users. My question is this:

Are data-driven information services and spaces an expectation from users, or are they driven by concerns about funding and library relevancy?
