Privacy Governance Not Included: Analysis of Third Parties in Learning Management Systems

Purpose: This paper aims to address research gaps around third party data flows in education by investigating governance practices in higher education with respect to learning management system (LMS) ecosystems. The authors answer the following research questions: How are LMS and plugins/learning tools interoperability (LTI) governed at higher education institutions? Who is responsible for data governance activities around LMS? What is the current state of governance over LMS? What is the current state of governance over LMS plugins, LTI, etc.? What governance issues are unresolved in this domain? How are issues of privacy and governance regarding LMS and plugins/LTIs documented or communicated to the public and/or community members? Design/methodology/approach: This study involved three components: (1) An online questionnaire about LMS, plugin and LTI governance practices from information technology professionals at seven universities in the USA (n = 4) and Canada (n = 3). The responses from these individuals helped us frame and design the interview schedule. (2) A review of public data from 112 universities about LMS plugin and LTI governance. Eighteen of these universities provide additional documentation, which we analyze in further depth. (3) A series of extensive interviews with 25 university data governance officers with responsibilities for LMS, plugin and/or LTI governance, representing 14 different universities. Findings: The results indicate a portrait of fragmented and unobtrusive, unnoticed student information flows to third parties. From coordination problems on individual college campuses to disparate distributions of authority across campuses, as well as from significant data collection via individual LTIs to a shared problem of scope across many LTIs, the authors see that increased and intentional governance is needed to improve the state of student privacy and provide transparency in the complex environment around LMSs. Yet, the authors also see that there are logical paths forward based on successful governance and leveraging existing collaborative networks among data governance professionals in higher education. Originality/value: Substantial prior work has examined issues of privacy in the education context, although little research has directly examined higher education institutions' governance practices of LMS, plugin and LTI ecosystems. The tight integration of first and third-party tools in this ecosystem raises concerns that student data may be accessed and shared without sufficient transparency or oversight and in violation of established education privacy norms. However, these technologies and the university governance practices that could check inappropriate data handling remain under-scrutinized. This paper addresses this gap by investigating the governance practices of higher education institutions with respect to LMS ecosystems.