Due to COVID-19, K-12 schools were forced to quickly move all learning online, whether they were fully prepared from a technology perspective or not. Many districts across the country have announced they will continue remote learning into the fall.
As educators, students, and parents scrambled to make remote education work, many new technology tools and digital platforms quickly entered the arena — some have been offered to school districts by EdTech companies, and others are free products that teachers or students have found on their own.
In the rush to find tools that help us communicate, teach, hold graduation ceremonies, and support students online, it’s easy to start sharing links, images, videos, and more without considering how this information may relate to student privacy.
We cannot allow student privacy to take a backseat to convenience in a remote education era.
Here are some key considerations for district IT departments to ensure student privacy in the age of remote learning.
While the terms security and privacy are often used interchangeably, they are two distinct concepts. It’s important for IT directors and district leaders to consider them individually in order to ensure both security and privacy standards are met.
While privacy cannot exist without security, the reverse isn’t necessarily true. Having strong cybersecurity measures in place doesn’t automatically ensure adequate student privacy.
Security is about protecting information from cyberattacks and digital damage. Good cybersecurity practices involve the use of technology and physical methods to prevent unauthorized access to a school’s network or accidental corruption of data.
Privacy is about protecting students’ right to control their personal information and how it’s used. Good privacy practices involve creating procedures for how student data is collected, stored, and shared.
It’s possible for a school to have cybersecurity measures, while still failing to comply with student privacy laws by sharing and storing student data in noncompliant ways.
For instance, some higher education institutions have tried making use of phone sensors, Wi-Fi networks, or online proctoring via webcams. Cybersecurity aside, these methods have raised serious concerns about violating student privacy.
When adopting new technology tools for remote education, be sure to consider how it may impact student privacy and create guidelines if needed for sharing information. Consider establishing a separate privacy program from your cybersecurity program, with its own set of guidelines and training to ensure compliance.
There’s no such thing as a free lunch, and there’s no such thing as a free technology tool.
Remind teachers and students that any free applications, file sharing services, video conferencing platforms, and other digital tools are using another form of currency as payment for using the tool: data.
Collecting user data is how many companies are able to offer these products for free to users. Advise your teachers to pay attention to privacy policies when signing up for a free tool. Companies that collect email addresses, social security numbers and other personally identifiable information (PII) are required to have a public-facing privacy policy.
Encourage your teachers to always see if they can open an educator account for a tool rather than a consumer account. For example, Zoom offers education accounts, which follow a separate privacy policy than basic Zoom accounts.
As schools struggled to meet student needs in the face of COVID-19, many companies have generously offered free or low-cost EdTech products to districts, to help schools adjust to remote education.
While these offers may be appreciated, district IT leaders must do their due diligence to vet any tech provider before entering into a contract. Companies may suggest they are FERPA compliant, whether they are or not. IT should always have a conversation with a potential tech vendor to ask them key questions about privacy.
Encourage your teachers and faculty to use the software provided by the school, as these have not only been vetted by IT but also have contracts in place to define how data gathered on those tools can be used and shared, and restrict companies from using that data for advertising or other non-approved purposes.
With school-related images and recordings being shared daily, it’s more important than ever to make sure all staff are familiar with student privacy guidelines such as FERPA and COPPA.
If an image or recording includes student faces or names, it is considered an education record in the eyes of FERPA. That means it’s subject to strict guidelines for storing, sharing, and accessing the file.
Remind teachers that if they want to share photos online, they must ensure no student faces, names, or other identifying information is seen in the picture.
Caution your teachers about recording on video-conferencing platforms. Show them how to ensure that no students’ faces, names, or voices are included in the recording. Even better, encourage teachers to use a videoconferencing tool to record themselves giving a lesson alone, without students present. This is the safest way to ensure that you don’t violate student privacy.
The World Privacy Forum released a report in April revealing that thousands of K-12 schools in the US are not adequately informing parents and students of their rights to opt-out of having their information shared. Of more than 5,000 primary and secondary schools studied, only 39% made FERPA opt-out forms online and available to the public.
FERPA gives students the right to access and amend their own educational records and to restrict a school from disclosing “directory information” — a broad category that includes not only name and date of birth, but also photographs, social media handles, parent or guardian home address, and primary language spoken.
Being compliant with FERPA is not enough. As the report states, “many schools, while technically compliant, have not done enough to encourage students and parents to effectuate their FERPA opt out rights.”
FERPA opt-out rights should be prominently posted on your school website and in communications to parents. Make the process for opting out as convenient as possible, and refrain from using language that discourages students and parents from opting out of directory information sharing.
While districts and their IT leaders are heavily focused on implementing effective technology tools to enable remote learning, be sure you’re not embracing convenience at the expense of privacy. The more digital tools we use, the more important it is to protect our students’ right to control their personal information.