He put WHAT in the lesson?
A Compliance Case Study
The People:
Dr. Harris – An instructor of Botany at VCU
Marc, Alex and Abby – Some of his Botany students
The Setting:
Dr. Harris’ classroom in the Trani Life Sciences Building
The Event:
As Dr. Harris’ Botany 101 class was about to begin, some of his students were discussing something funny in the homework he assigned last class.
Dr. Harris was in a rush to get back to his classroom in the Trani Building. Juggling his backpack, Starbucks and mail-order seedlings, he heard laughter coming from his room as he walked through the door. Some of his Botany students were gathered around a computer and laughing and pointing at the screen.
“Look!” a student named Marc shouted, “I AM doing better than you!”
“No way, dude! I slayed on the last exam,” argued his classmate Alex, “This must be old!”
The students looked up as Dr. Harris walked in. Suddenly, their conversation stopped. They looked at each other and then back at him and dispersed. “Was it something I said?” he joked. A couple of the students chuckled nervously, but most just looked at him.
“Okay!” said Dr. Harris, “Let’s get started. I trust you’ve each had the chance to complete the lesson I uploaded to Canvas on Tuesday. I’m going to pull it up so we can look at it together and discuss how this new content informs the experiments you’ve been conducting. If everyone would please login to Canvas, I’ll pull it up on the screen.”
Students began logging into their laptops and some checked their phones as they waited for the discussion to start. As he pulled up the lesson, Dr. Harris noticed he had a new Chat message from one of the students sitting in his classroom. He looked up at her and she looked back. Something told him to read her message:
Hey –
I just thought you’d like to know what everybody was laughing at when you walked in. I know you probably didn’t mean to, but in one of the graphics in the lesson you gave us on Tuesday, there’s this thing that looks like a flier on a bulletin board. Someone discovered that if you click on it, it shows you all of the names, V-numbers, and grades for all of your students.
You should probably take it down. Sorry.
Abby
Dr. Harris realized his heart was pounding, his head was spinning and he felt an urge to sit down. Wait! What was she talking about? How could that happen?
Then he remembered. The picture Abby mentioned was in a Thinglink he created, where students clicked on different parts of an image and each part was a link to a website or document they needed to study. He found the Thinglink and started clicking on the links.
“Nope. This one is good,” he said to himself, “And this one works, and….wait. Oh, no.” When he clicked on that part of the image, it took him to a report showing sensitive student information, including V-numbers and grades. He must have created this assignment at a time when he was doing other things, and in all of his clicking and copying and pasting, he inadvertently allowed students to link to a grade report he had saved to his Google drive.
This was serious. Disclosing sensitive student information was a FERPA violation. How many students had followed that link? How many had seen this? He secretly hoped – for the first time, ever – that students had not done the homework.
Dr. Harris realized the class was staring at him, wondering when the discussion would begin. “Class,” he began, “there’s something we need to discuss. You can go ahead and log out of Canvas and close your laptops.”
The Takeaway:
Dr. Harris was right. He’d committed a pretty big FERPA violation by sharing confidential student information with his classes. FERPA stands for Family Educational Rights and Privacy Act, and it’s a federal law that protects the privacy of student records. Fortunately, he did the right thing; he owned his mistake and did damage control. He told students what happened, and he removed the assignment from Canvas. He deleted all sensitive student information stored in Google documents and sheets from his Google Drive, and he contacted the Information Security Office to report what happened. They, in turn, contacted University Counsel and the Integrity and Compliance Office.
Fortunately, the damage was limited in scope, since Dr. Harris only assigned this homework to 76 students. He sent them an email asking them not to copy or forward any of the sensitive information, and to delete it if they had saved it. He also sent a letter to students whose V-numbers and grades had been revealed.
Ultimately, the harm that Dr. Harris inflicted was unintentional, but we can all learn from the mistakes he made:
- Canvas keeps track of student grades but the gradebook of record is Banner. Instructors should never copy and store student grades anywhere else.
- Sensitive information should never be stored in Google Drive.
- People with links can reconfigure documents and spreadsheets in Google, so make sure you’re only giving access to people who need it, and that you’re sharing documents correctly.
- Anyone can make mistakes. But, it’s a good idea for instructors to consult with their IT Support team or the Center for Teaching Excellence for a second set of eyes when they’re setting up an assignment that links to documents on Google Drive or the internet, especially if they don’t do it very often.
(Special thanks to Dan Han, Chief Information Security Officer, for these tips on securing student data.)
As always, the names and details in this case study have been changed to protect the people involved in the actual case.