Breakout Session: Canvas Third Party Integrations

melodyc_lam · ‎07-26-2023

Presentation Title and Presenter

Canvas Third Party Integrations: Evaluating Faculty Needs, Use of Protected Data, and Accessibility

Summary

Christopher Casey, University of Michigan-Dearborn, Coordinator of Digital Education

Question: How does an institution deal with 3rd party integrations/LTIs while keeping institution data safe and ensure accessibility for all?

Details

Consider how the data is being used by the 3rd party vendor
Consider how the integration/LTI works with various devices and with accessibility needs in mind
Manage risk by doing the following:
- Use the eduappcenter allowlist to manage access to LTIs for your staff or use permissions on roles to manage access to LTIs
- Install external LTIs on "anonymous" data mode so that LTIs are not ingesting sensitive data from Canvas
- Scope developer keys if possible
Create a process by which integrations get approved by the institution

Conclusion

One of the biggest reasons why I attended this breakout session is that North Carolina's Department of Public Instruction is putting into place stringent rules regarding how student data is being used by 3rd party vendors, which also includes Canvas integrations. This requires us to go through the vendor and make sure that they comply with various items such as data storage, usage, and privacy. It seemed from the packed room that other school districts and higher ed institutions are also facing very similar situations with giving data to 3rd party vendors. It can be very easy to forget that your Canvas instance is using student data and passing it on to integrations using the LTI standard.

Vetting Canvas integrations can be difficult, especially in the K12 realm where we don't have many resources that can help us with vetting an integration along with the other things that Canvas admins do every day. Knowing that there are tools that even K12 users can use to mitigate risk with using student data in integrations was great, and I learned that about setting integrations to "anonymous" mode can work with some "cosmetic" limitations (like the LTI not knowing what the student's name is) which can be great with "free" LTIs.