Protecting sensitive data is a shared responsibility. The University of Michigan’s compliance with the Family Education Rights and Privacy Act (FERPA), the Federal law that governs release of and access to student education records, and other applicable federal, state, and international privacy laws depends in large part on the individual choices made by instructors in online learning environments. Meanwhile, such environments introduce many new privacy risks, particularly when students are recorded and when external learning or communication software is integrated into the course.

In Practice

There are two key areas in which student privacy considerations are vital in online settings: recorded content for asynchronous use, and the integration of third-party applications. Faculty should pursue decisionmaking in these areas only after consultation with their department’s leadership as well as with central U-M offices, as applicable, such as the U-M Information and Technology Services (ITS) Teaching and Learning Group. Ideally software integration and recording decisions will be made well in advance of the course’s start date to leave time for waivers and consent forms to be completed by students, if necessary.

Recordings: Recording students as part of a virtual class, including over BlueJeans, Zoom, Google Meet, etc., can be particularly helpful for making content accessible for students with disabilities or those with challenging schedules or who are located in time zones that would limit their ability to participate in synchronous learning. However, recorded student participation remains protected under FERPA and can be subject to applicable state laws governing education records as well as broader recording statutes wherever the students are physically located. Recorded student presentations can introduce additional protections, such as personality (e.g., name, imaged, likeness) rights, that may further limit sharing. In addition to treating recordings as “education records,” academic units and/or faculty opting to record students or request they record themselves for assignments should ensure students first receive notice that they may be recorded and, when needed, the opportunity to provide consent. Many states, for example, prohibit a professor, advisor or other University official from recording a student without consent. See U-M’s FAQ on Recording and Privacy Concerns for more.

Third-Party Data Collection: Caution must also be taken when it comes to carrying out educational activities through the use of third-party applications that have not been vetted by the ITS Teaching and Learning Group or subject to a U-M Data Protection Addendum. While there can certainly be some appeal to using “non-core” Google services, social media platforms such as Facebook, Twitter, and Instagram, and group chat applications like GroupMe and Slack as part of remote learning, faculty need to weigh the privacy risks against the pedagogical benefits offered by these tools as well as understand where pursuing additional waivers or consents may be necessary.


When and how should I provide notice to students that they will be recorded?

As a best practice, only record a lecture, exam or other academic activity if there is a legitimate need to do so. In those cases, notice and/or consent is likely only needed if the students themselves (their voice, their face, etc.) are recorded. A recorded lecture of a professor teaching content in the absence of students, for example, does not trigger the privacy concerns highlighted above. If you are anticipating a need for recorded content that involves the students (e.g. their participation, discussion, etc.), ideally notice should be provided and consent should be gathered prior to registration or enrollment in a course unless students will be given the option to opt-out.

How will I know what third-party software I can use in my classes and when I would need to obtain a FERPA release, etc.?

Personally identifiable information and student education records are listed as “moderate” under U-M’s data classification levels. ITS provides detailed guidance on these topics, including a list of approved and unapproved services for these data types as well as an interactive data-service pairing tool. Unique questions can also be addressed to Information Assurance through the ITS Service Center.

Where can I find additional resources on this topic?

The Center for Academic Innovation maintains this Collection of Additional Resources.