I think it is not an easy task to provide a security/privacy plan. One thing is the WeBWorK application, and the other is that data is stored on an outside server.
The whole thing turned out to be great, because we don't have to deal with hardware and OS issues anymore. I still update the problem libraries and the application, and set up the courses myself, but IT has a linux expert who deals with the server part and with the OS.
IT security (which is separate from IT) was willing to open up the firewall only after a long and frustrating security testing cycle, and I had to contact WeBWorK developers several times to get advice or modifications that IT security finally did not flag for vulnerabilities. I guess it is a continuous struggle with security. (for example we had hundreds of false positive vulnerabilities, when for non existing links WeBWorK returned OK status along with the error messages).
I don't know if there is any IT nowadays with no linux expert. Otherwise it is hard to argue why they would not support one more server with an application, which is clearly educational, free software, developed through grants from NSF, has numerous awards, and huge number of universities are using it. Universities have several servers with FERPA compliance, IT takes care of it. Here is one more to take care and to do their job.
Try to go through the chair, dean and provost, explaining them how great this is and how much money this will save students.
Be nice to IT people, and especially IT security, no matter how frustrating it is.