School Reopenings Bring Wave of COVID-19 Student-Data-Privacy Concerns
Whether it happens in-person or remote, this year’s back-to-school season is bringing with it a host of new data privacy concerns.
Chief among them: How to safely and legally store and share videos of classroom lessons featuring students, and what to do with all the new sensitive health information being collected by schools now administering health surveys, doing daily temperature checks, and tracing the contacts of students and staff who have contracted or been exposed to the coronavirus.
“Reopening plans must balance protecting health and protecting student privacy and educational rights,” said Amelia Vance, the director of youth and education privacy at the Future of Privacy Forum, which earlier this month released a new “Student Privacy and Virtual Learning Guide” along with the National Center on Learning Disabilities.
“It is a difficult—but incredibly important—balance,” Vance said. “Schools and districts should have clear plans in place for how they will collect, use, and store health data to ensure it is not ultimately used to limit educational access or opportunities for vulnerable students.”
Remote Learning Drives Ed-Tech Expansion
With the coronavirus pandemic still ravaging the country and sowing uncertainty in schools, 9 in 10 district leaders say they plan to incorporate some level of remote instruction into their reopening plans, according to the most recent survey of K-12 professionals administered by the Education Week Research Center in late July.
That means an abundance of platforms, software programs, and apps will be a regular part of students’ education. With this new reality comes fresh concerns about how all that technology will be collecting, storing, and using students’ personal information. Parents who wish to opt out of such technology usage, already limited in their options before the pandemic, will now be even more constrained.
To minimize the potential risk and build trust, Vance said, schools should consider establishing and sharing a set of limited and vetted ed-tech products they intend to use during remote learning.
That list shouldn’t include social media. Despite the appeal of reaching students on the platforms they regularly use in their personal lives, teachers and administrators should avoid delivering instruction on platforms such as Instagram Live, TikTok, and YouTube.
“Many social media tools were developed for general audiences, not students, and are therefore unlikely to be compliant with student privacy laws and best practices,” according to a blog post from the Future of Privacy Forum this spring.
And what about providing teletherapy services to students with special needs or disabilities?
Avoid “public-facing” platforms like Facebook Live, the new virtual learning guide advises, and, if possible, use platforms that your school district has a contract with. The federal department of Health and Human Services has offered greater flexibility around using commercial services that are not public-facing, such as Zoom, Facebook Messenger, and FaceTime.
Tips for Data Safe Videoconferencing
How are schools managing the broader shift to video-based instruction?
Eighty-two percent of district leaders expect teachers to pre-record video lessons and make them available for students to watch on demand, according to the most recent EdWeek Research Center survey. And when it comes to live videoconferencing, 8 in 10 principals and district leaders have approved their schools to use Zoom or Zoom for Education and Google Hangouts. Smaller numbers have approved use of Microsoft Teams, GoToMeeting, Skype, and other platforms.
A student’s mere participation in such videoconferencing likely does not trigger the Family Educational Rights and Privacy Act, or FERPA, the nation’s primary student data-privacy law. That likely changes, however, the moment “a student’s image, name, or voice is recorded and stored by the school,” according to the new NCLD and Future of Privacy Forum guide.
To make sure schools are protecting students’ privacy during videoconferences, the Consortium for School Networking, a professional association for school-technology leaders, developed an online guide.
Whenever possible, avoid recording classroom discussions with students, the group advises. Create guidelines that ensure any videos involving students are secure both in transit and while being stored. Make sure only necessary personnel can access the videos and set a schedule for deleting all videos after a set period of time.
Also critically important, said CoSN CEO Keith Krueger, is to avoid any “practices that might result in the videos being publicly available.” That means no open Google Drive links, posts to private YouTube accounts, or emailed files.
One strategy used by many school districts trying to take such concerns into account: Using learning management systems that are specifically designed for K-12 schools and have built-in tools for meeting with students, such as Canvas.
Protecting Sensitive Health Data
Another new concern for schools is all the sensitive health data on students now being collected.
In late July, 3 in 5 district leaders told the EdWeek Research Center they planned to do daily temperature checks of students and staff. Ninety-two percent said they’d require sick students to stay home, and 79 percent said they’d require students who were exposed to the virus to do the same. A handful were also planning to administer their own COVID tests.
“The complexity of this work across students and employees can’t be overstated,” said Krueger of CoSN. “In addition to state reporting requirements and privacy laws, schools also need to consider anti-discrimination laws, labor laws, and more.”
As important as ever, he advised, schools should avoid rushing a technology solution into place just to create the appearance of action. Strong privacy and security measures—including legal reviews for compliance with state and federal law, plans to minimize the data that are actually stored, limiting access to those data, and ensuring that “robust physical, technical, and administrative controls” are in place—are essential.
One tangible example of data minimization that Krueger described: A record stating that a given student will be attending classes remotely for two weeks is far less invasive, sensitive, and susceptible to misuse than a record indicating that student had a high temperature and exhibited other coronavirus symptoms and therefore is being forced into quarantine for two weeks.
Be careful of the proliferation of symptom-tracking apps now marketing themselves to schools, said Vance of the Future of Privacy Forum. Many have privacy policies that indicate compliance with HIPAA, the federal health-privacy law, but do not mention FERPA, which is the law most likely to actually apply to use in schools.
There are also important considerations around equity and anti-discrimination to consider, many of which are discussed in detail in a series of issue briefs created by the forum. Trust is essential, said Vance, so parents and students feel comfortable honestly reporting their symptoms, without worry that such information might be used to exclude them from certain classes or educational opportunities down the road.
To that end, experts across the board stressed a common point: In a time of high anxiety and tremendous uncertainty, as back-to-school season is certain to be, transparency is critical.
“If there was ever a time to over-communicate with parents about your [privacy] plans,” Krueger said, “this is it.”