In the wake of sweeping campus closures due to the COVID-19 crisis, we are seeing a rapid move to digital learning and with it a wave of questions about students’ privacy and data security. The discussion around privacy and security has always been an important one, but given the state of education, it has become critical to understand how to go fully digital without sacrificing the privacy of your students. 

But how do you know if you’re in good hands? You need to find out if the products, services, and companies you are working with are using best practices, complying with industry standards, and committed to privacy and security. At VitalSource, we don’t just adhere to these standards and best practices, we have spent decades creating them with industry partners. With that in mind, we have compiled the following list of questions you can ask to get the information you need. 
 

1. How much Personally Identifiable Information is being collected by the platform or provider?

Truly securing data and protecting privacy happens long before the users get to it. Seek out products that are designed for privacy. Vendors should not collect any more information from users than what is required to deliver the service or facilitate the transaction and should have sound practices for deleting that data when it’s no longer needed. In the world of digital course materials, this means products are designed to seamlessly deliver course materials to learners with a single click and can work without requiring Personally Identifiable Information (PII).   

2. What kind of control do users have over their data?

Users should have control over how their data is stored. Vendors should never share user data without consent or sell identifiable data to a third party.  The user should always be able to opt in or out of sharing data, especially to third parties.  The platforms you are using should clearly comply with regulations regarding PII handling and be able to demonstrate how they do it. 

3. How long is data stored?

Personal data should only be stored for the minimum time required to provide services or fulfill contractual obligations; beyond that, personal data may not be used in the best interest of the user. 

4. With what standards and certifications should a platform or provider be complying?

It is great if a vendor says that privacy and security are important to them, but one way to know if they are using best practices is by asking what standards they comply with. Invest in products and technology that maintain conformance with the standards that matter, such as GDPR, COPPA, FERPA, Safe Harbor, the UK Data Protection Act of 2018, the California Consumer Privacy Laws, SOC2 II, and others. 

5. What additional safeguards are there?

As you evaluate products, privacy is crucial, but there is more to know. For example, beyond personal data, consider the network and product security. Companies that are truly invested in privacy and data security will seek third-party audits and technologies to secure their platforms. Best practices for these types of security include the following: 

• Physical Security – Platforms should be hosted in data centers that have been certified as ISO 27001, PCI/DSS Service Provider Level 1, and/or SOC2 II compliant. All third-party systems and services should undergo thorough third-party technical and contractual due diligence. 
  
  
• Network Security – Platforms should utilize best-in-class cloud products that can scan for network vulnerability, as well as use intrusion detection and intrusion prevention systems to keep a continuous watch on the security of customers’ data. 
  
  
• Data Security – Data should be stored using logical separation of client data in a SaaS multi-tenant environment that is encrypted in transit and at rest, and automatically backed up.   
  
  
• Disaster Recovery Planning – While we never want the worst to happen, your EdTech partners should be prepared.  Live DR systems that are geographically separated with automated failover should be expected at a minimum. 
  
  
• Product Security – Customers should be able to manage access authentication and single sign-on (SSO) options. 

Asking each of these questions will help you see if the company or product you are using is fully committed to user privacy and designed with privacy and security in mind. 

At VitalSource, we are proud of our decades of commitment to this topic. Our products are built with privacy by design. We invest in those products to stay up to date. We get an outside audit performed against our systems covering security, privacy, and confidentiality. These are all steps that companies should be taking if they say they are committed to privacy and security. Now, more than ever, students and institutions are turning to digital learning, and they should be able to do so knowing their privacy is protected and respected by the companies entrusted with their learning. 

To learn more about VitalSource’s commitment to data privacy and security, read our position paper. 

Al Issa is the Chief Technology Officer at VitalSource. Follow him on Twitter at @acissa.