Privacy and Security ~ How to create a safe learning environment

written by: Julieta Matheson; article published: year 2006, month 08;




Creating a safe learning environment, in which teachers are fairly certain that students are who they say they are, only authorized learners and academic community members have access to online information, and electronic information is protected, requires the technical specialists, faculty members, and administrators to have a plan in place. Most often, the technical security of a system is the domain of IT specialists, who receive input from other members of the institution. Other policies, such as those involving privacy, tend to be established by the administration in response to legal or social initiatives. However, at whatever level is appropriate, these concerns must be addressed before learners and teachers can feel that their online classroom is a secure, supportive environment that promotes learning and collaboration.

Privacy

Who has access to view files? What kinds of information are being gathered by the institution? How is personal information used? These are just a few questions surrounding online privacy, especially as it relates to learners’ and faculty members’ use of institutional Web sites. Information about site users may be gathered from group e-mail, bulletin board posts, chat transcripts, newsgroup listings, and whiteboard files, for example. Whenever people use a public forum for their information, they should be aware that others will read, and may use in a different context, their information.

Personal information submitted through online forms, evaluations, or questionnaires may be stored and evaluated by a host of administrators, faculty, or even outside audiences. Although site visitors or students who are asked to fill out these interactive documents can choose not to participate, they may not realize how their information can be used, or who ultimately may view their comments or personal information if they do participate.

Online courses may be monitored, so interactions among the learners and teacher can be documented or evaluated by administrators or other teachers. Cookies may store information about passwords or system preferences. Tracking the way learners and teachers use institutional course and other Web sites also may take place, so that the computer used to access the site is noted. The duration of the visit, type of browser, and paths taken among pages can be recorded.

All these examples involve privacy issues, and novice teachers or learners may have no idea how much information has been compiled about them and their computing practices. An equally serious concern is the way that information will be used and the people who will have access to it. Administrators, in collaboration with faculty, staff, and learners, need to develop policies regarding the types and amounts of information being collected and acceptable ways for data to be used. Everyone who accesses the institution’s Web site or databases or uses institutional computers must be made aware of how, when, and especially why information is being gathered.

The University of Arizona’s Electronic Privacy Statement does an effective job of describing the type of information collected by the University: e-mail and forms, system generated, monitoring, and cookies. The policy details how this information is to be used and indicates an alternative to online submission of personal information. Throughout the multipage site, the University emphasizes that information gathered electronically is kept in house and is not sold or distributed to outside parties. Cautions about public electronic information, such as messages posted on bulletin boards, are made to users, who are also notified that the University does not keep transcripts or logs of public information. Confidential information, such as student records, is protected by law. The types of electronic data and their possible uses and safeguards are well delineated in this document.

Many universities and colleges emphasize their privacy policies at the institutional Web site. Online courses then should provide a link to the institution’s privacy statement (and security information) so that learners understand the approach being taken to create a safe learning environment. The flavor of the statement reflects each institution’s special concerns about such a broad issue.

The Industrial Centre’s site at The Hong Kong Polytechnic University assures users that it not only complies with the Personal Data (Privacy) Ordinance, but that it will try to exceed global standards. The Robert Gordon University in the United Kingdom explains all situations in which certain types of information are used for practical projects or ongoing research. Data may be gathered through click-stream, HTTP protocol elements, and searches, and site users are alerted to these possibilities. Contact information and detailed descriptions of data types are prominently displayed in this privacy policy.

Canada’s Athabasca University assures site visitors that the university does not sell or rent information gathered from its Web site. The data-collection process is described in reader-friendly language, which provides definitions of basic terms like cookies. All use of information complies with the relevant sections of the Alberta Freedom of Information and Protection of Privacy Act. E-mail, phone, and fax contact information conclude the privacy statement. The language used in this statement is easy to understand, and the style can help allay readers’ fears about privacy violations.

In the U.S., the University of Alabama states up front that site users’ privacy is respected and no data are collected unless visitors participate in online research. The University further explains how responses to electronic questionnaires are used. Privacy practices are in compliance with the Family Educational Rights and Privacy Act (FERPA). The University of Alabama’s statement is thorough, highly readable, and concise—one page. Niagara University takes a stylistically different approach by first listing ways that their Web site notifies users of information being collected. In greater detail, the University explains how information may be gathered and used by cookies, log files, newsletters, surveys, and referrals from friends. Opt-out mechanisms that give visitors the right to refuse providing personal information are in place throughout the site. This multipage document thoroughly details the University’s practices.

WebCT courses offered through the University of Tasmania are password protected. The current privacy policy statement describes how server logs accumulate data about class members’ access to the course site. This information is used to help designers improve the course. The data also allow teachers and university staff who have academic reasons for using the information to assist learners and to monitor their progress. All information gathered through the course site helps improve the online educational experience. The statement also cautions learners about posting messages in public places, such as bulletin boards and chat rooms, where other students can read them. Posting only information that you are comfortable with anyone knowing is a good rule of thumb. Phrasing the policy statement to address online course concerns is important. Individual courses may need privacy statements in addition to those written for the institution at large.

These examples illustrate the variety of approaches that institutions can take in presenting their privacy statements. The particular concerns of their students, faculty, staff, and target market influence how much information is presented and which issues are covered in greater detail. By understanding the concerns and interests of the majority of visitors to and users of your site, you can craft a well-organized, friendly statement that helps allay fears about interacting with Web-site information. In addition to describing policies affecting the entire institution, you may want to develop privacy policies that refer to situations specific to online courses or programs. You may want to review several privacy policies before you develop your own, for an online course or program or the entire institution. Effective privacy policies should include descriptions of the following:

• Types of information gathered

• Situations in which information is gathered

• Ways the information is used

• Who can access the information

• Where information will be sold or rented, if applicable

• The length of time that information is kept

• Security measures in place to protect site visitors’ or users’ personal information

• Opt-out procedures and alternatives to sending personal information electronically

• Contact information for personnel who can answer questions about policies and procedures

• Applicable laws about privacy and security

You also may want to monitor sites that deal with privacy in general, just to keep up with trends in national and international privacy and security. Whether you are a teacher or an administrator, it is important to keep up with international trends and requirements if you are working with online education. Some organizations with sites that may be helpful include Privacy.org, Privacy International, Privacy.net, and the Online Privacy Alliance. These few examples are representative of a growing number of sites dealing with privacy and security issues.

Security

Another ongoing debate involves computer security not only for online programs, but also for the entire campus. Security measures should be included in the institutional policies relating to campus-wide computer use. Although these policies should be in place for on-site as well as online faculty, staff, and learners, they are especially important to those who work completely online and receive and submit electronic information. Online security may involve something as simple as requiring updated virus protection software and then making it available (preferably free) to all learners and teachers. The university or college may require teachers to accept assignments only through the course bulletin board or e-mail accounts, so that they can be automatically tracked and scanned for viruses.

Larger security measures may involve the distribution of passwords and login information created by IT personnel. Administrative policies then set standards for providing passwords to faculty and students and setting penalties for permitting unauthorized users to have these codes. The periodic changing of passwords also should be encouraged, if not monitored for compliance.

Files can be encrypted, and institutional policies established to keep Web sites, including course sites, and administrative databases as secure as possible. Students want to know, for example, that their records and payments are secure and that no unauthorized person may gain access to academic or personal information, such as credit card numbers. Servers can be made more secure for faculty files or databases.

Many institutions have set up departmental groups or university/college committees to develop new policies as security measures change. Technological changes and shifts in the political climate may require security policies to evolve in response. Concerns about technoterrorism, for example, can provide the impetus for more stringent security measures. A good example of a university-wide security statement is one created by Oxford University. The Web site offers links for those needing more information about security issues or wanting to discuss new developments or concerns. The Computer Security Web pages link readers to virus protection information, news about possible problem areas, and FAQ lists.

The site links users to local and outside newsgroups, such as ox.sig.security, alt.comp.virus, sci.crypt, comp.os.netware.security, and comp.security.firewalls. As you can tell from the names of these newsgroups, individual groups may emphasize a specific security topic. Contact information helps faculty in particular alert officials to possible problems or vulnerabilities with the current system.

Administrators at your university or college should establish a similar center for providing information and troubleshooting. This body also should advise administrators and faculty about the best way to protect electronic information.

Reports may be issued by faculty committees. For example, the University of Wisconsin-Madison’s Web site offers a report compiled by the Ad Hoc Electronic Data Advisory Committee way back in 1991. This report provides information about similar security measures at other universities’ IT Web sites. However, the policies put in place as long ago (in online educational terms) as the early 1990s are still an effective example of ways to emphasize information for faculty and administrators. Warnings about file confidentiality, comments about U.S. federal acts referring to privacy and security, definitions, security procedures, and recommendations are detailed in the committee’s report. Promoting institutional policies and explaining the rationale for them go a long way in helping all faculty members be aware of and participate in the decision-making processes regarding security. Although this type of document should be updated when committee members or policies change, the level of detail in the University of Wisconsin-Madison’s report makes it a useful model for developing your own policies and procedures.

As with privacy policies, you should review what other institutions are providing in their security statements. These examples will help your institution draft and electronically publish effective security standards.
