School Stakeholders Navigating Student Privacy
Parents, students, and educators are navigating a novel educational landscape. Some schools are relying on a virtual model that requires significant technological involvement, others have opened up their facilities for in-school learning, with significant testing and safety precautions, and others have created a fusion of the two. Each of these models comes with privacy risks of their own.
The Center for Democracy and Technology commissioned research on student privacy during COVID-19 and found that 86% of teachers have expanded the technology that they are using. This study also found that 1 in 5 teachers using technology that had not been approved by either their school or the district to which the school belongs. About half of the teachers in the study have not received training at all. The other half received training focused on legal compliance.
The Future of Privacy Forum (FPF) and 23 other education, healthcare, disability rights, data protection, and civil liberties organizations released a report called “Education During a Pandemic: Principles for Student Data Privacy and Equity.” This report proposed privacy forward ways of navigating student data privacy in this pandemic environment.
The FPF report focuses on student health data because certain COVID-related data gets reported to local and state health departments. Pertaining to student health data, the FPF report recommends that schools implement a data minimization principle. “Any COVID-19 related requests for or collection of the health information of students, their families, or school staff must be narrowly tailored to the information necessary to determine whether an individual has or does not have COVID-19 or whether a requested reasonable accommodation or modification related to COVID-19 is necessary.”
The proposal also recommends that the information only be allowed to be shared with the community or general public if de-identified or aggregated. The FPF did caveat that privacy concerns should not prevent the disclosure of de-identified information about COVID-19 cases that would allow the community to “adequately protect themselves and policymakers to make evidence-based decisions.”
The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. FERPA applies to all educational agencies and institutions that receive funds under any program administered by the Secretary of Education. The term “educational agencies and institutions” under FERPA generally includes school districts and public schools at the elementary and secondary levels, as well as private and public institutions of postsecondary education.
FERPA permits educational institutions to disclose, without prior written consent, personally identifying information (PII) from student education records to appropriate parties in connection with an emergency, if knowledge of that information is necessary to protect the health or safety of a student or other individuals. This is commonly known as the “health or safety emergency” exception to FERPA’s general consent requirement. The Department of Education’s FERPA & COVID-19 guidance provides that “law enforcement officials, public health officials, trained medical personnel, and parents (including parents of an eligible student) are the types of appropriate parties to whom PII from education records may be disclosed under this FERPA exception.” The health or safety emergency exception is not meant to apply to a “generalized or distant threat of a possible or eventual emergency for which the likelihood of occurrence is unknown, such as would be addressed in general emergency preparedness activities.” However, the guidance is clear that If an educational agency or institution determines that “an articulable and significant threat exists to the health or safety of a student in attendance at the agency or institution (or another individual at the agency or institution) as a result of the virus that causes COVID-19, it may disclose, without prior written consent, PII from student education records.”
When it comes to remote learning, the FPF proposes that schools have a data governance system including policies and procedures in place to monitor data access, sharing, and transfers. The FPF warns educational institutions not to make decisions solely based on results obtained from technology. They refer to the technologies adopted to combat the pandemic as “imperfect” and capable of producing false positives. Certain analytics tools, they claim, would be discriminative if used as the sole measure of a student’s performance or abilities.
FERPA would not apply purely to a student’s participation in virtual learning. However, where the setting requires recording and storing of a student’s image, name, or voice, it may become a FERPA protected education record. Educational institutions will need to evaluate the use of certain technologies on a case-by-case basis.
COVID-19 has presented stakeholders of schools with novel student privacy issues. There are solutions being presented, and some existing legal guidance to assist schools, districts, educators, parents, and teachers navigate these pandemic times.