Corrected: This article was updated to correctly reflect that PlayWell is a privacy compliance consulting firm.
Schools are confronting a wide range of potential problems around student data privacy as they scramble to put technology tools for virtual instruction in place during extended school building shutdowns.
Teachers have already begun connecting with students using a variety of digital tools, some of which are new to them and their schools and weren’t designed for classroom use—everything from videoconferencing apps like Zoom to digital devices like Chromebooks and learning platforms like Babbel and BrainPop.
An unprecedented number of online interactions between teachers and students from their respective homes introduce new privacy questions that lack easy answers. And at least one state’s governor, aiming to speed up implementation of new remote learning tools, has temporarily waived legal requirements for agreements between school districts and technology companies that typically include student data privacy provisions.
The challenges for schools in staying abreast of privacy concerns have become acute as companies have begun offering temporary free subscriptions to their expensive tech products, said Antonio Romayor Jr., chief technology officer for El Centro Elementary School District in California.
Some teachers in his district have begun bypassing the typical vetting procedures for new tech products by adding the free products directly to their single sign-on platforms for students and teachers to use, he said.
Some of those free products could eventually cost schools and parents money, which means anyone using them should be extra careful about offering credit-card information when signing up, Romayor said. Programs that aren’t vetted in advance also might run afoul of privacy policy. “It’s a constant struggle,” he said.
While the new technological landscape for schools feels unprecedented in many ways, schools still have an obligation to inform parents of how their students’ data is being used, even if the teaching is occurring outside school buildings. Federal laws—such as the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA)—should help guide school leaders in deciding what new technologies to use.
“The rules, the regulations apply whether the student is actually in the classroom physically or is at home being taught through a distance learning framework,” said Linnette Attai, president of privacy compliance consulting firm with education clients PlayWell and a close observer of student privacy issues.
Student privacy experts are recommending that school districts take a deliberate, rather than frenetic, approach to adopting new technologies, and guard against overinvesting in new tools before being fully aware of how they work and how they could jeopardize students’ data privacy.
Cheri Kiesecker, co-chair of the Parent Coalition for Data Privacy, wants parents and schools to minimize as much as possible the amount of student data that’s being collected and sold by tech companies. She felt the same before the COVID-19 outbreak.
In fact, Kiesecker points to a 2018 warning from the FBI noting that the consequences of ed-tech companies collecting too much data on students “could result in social engineering, bullying, tracking, identity theft, or other means for targeting children.” Most U.S. states earned a “C” or lower grade from a 2019 survey of student data privacy protections by Kiesecker’s organization and the Network for Public Education.
As schools rush to put remote learning programs in places, Kiesecker argues that those student data privacy problems could get significantly worse. And that could have long-term consequences for many students. “Data is actually your identity and a form of social currency,” she said.
Speed vs. Quality
Schools are struggling to find the balance between moving quickly and prioritizing privacy, said Andrea Bennett, executive director of California IT in Education, a membership group for IT professionals in the state’s K-12 schools. Teachers and administrators at schools that haven’t focused on technology in the past are eager to quickly adopt new tools and catch up to help students. “That enthusiasm, I’m afraid, is something that might lead them into using an app that might not be safe,” she said.
Some schools in need of a quick technology solution have signed up for services while simultaneously negotiating an agreement, rather than waiting to start until an agreement is drawn up, said Laura Pollak, a program specialist for the Nassau Board of Cooperative Educational Services in New York state. Legal experts in districts should be administrators’ most trusted source of guidance on these kinds of more flexible approaches, she said.
Several states, including California and Connecticut, have clearing-houses that vet education software tools so they can be used by any school districts in those states.
But in most states, such as New York, each district has to individually vet a new product. For Manhasset Union Free School District in New York, “this is a process that has taken as long as six months” and is now more urgent than ever as schools move to remote learning, said Sean Adcroft, the district’s director of instructional technology and libraries.
In Connecticut, meanwhile, Gov. Ned Lamont signed an executive order last week that allows the state’s education commissioner to temporarily waive its student data privacy law, “as he deems necessary in order to provide quality online educational opportunities to students during the period in which schools classes are canceled.”
The law, passed in 2016, requires schools and companies entering a partnership to sign a written contract that explicitly states the company will not use student data for any purpose beyond the company’s stated function. “The Commissioner of Education has alternative means to assure that student data is afforded privacy protections, including federal student privacy laws, without the use of a written contract,” the order says.
Jennifer Jacobsen, one of the original advocates for the 2016 law and the parent of a high schooler, said she empathizes with the goal of waiving the order to help schools get remote learning programs up and running. But “proper notifications and transparency to their families is not any less important today than it was yesterday,” she said.
Companies that have been offering education technology products for several years have already been working to comply with existing privacy requirements, said Sara Kloek, director of education policy, programs and student privacy for the Software & Information Industry Association. She’s more concerned at this point about companies whose products aren’t designed for education.
“Ed-tech companies need to figure out how to help schools through all of the marketing jargon and get through what the product actually does and how it can help the school,” Kloek said.
“The decisions to close many schools came so quickly, and schools just didn’t have the time” to take stock of potential privacy issues before jumping into planning, Attai said. “We imagine there will be and likely have been mistakes made.”
On-Camera Concerns
The online videoconferencing tool Zoom has emerged as one of the most popular resources for educators during the early days of the COVID-19 outbreak, in part because the company is offering the service free to all K-12 schools. Data privacy advocates recommend that schools only use the company’s education product, which includes specific provisions for FERPA compliance that the company’s other products lack.
The Parent Coalition for Data Privacy recommends that parents consider covering students’ webcams unless they’re actively using the Zoom platform—or transitioning to the similarly free, open-source Jitsi, which doesn’t require anyone to create an account. The coalition cites an Federal Trade Commission complaint filed by the Electronic Privacy Information Center in 2019 that alleges the company activates users’ webcams even when they’re not using the platform.
Some educators have been wondering whether they need parent permission before inviting students under the age of 13 to participate in Facebook Live chats, according to Bennett. Others want to establish rules for appropriate and safe conduct while teachers and students are on camera—“making sure there’s nothing inappropriate in the background, someone walking around without a shirt on,” she said.
Schools are taking different approaches to regulating videoconferences to avoid student privacy violations as well—some in Pollak’s area are discouraging any video face-to-face interactions with students, while Romayor’s district has instructed teachers to conduct only “whole-group” video chats, rather than conferencing with individual students.
Staying Informed
Parents play a role in protecting students from threats to their personal or data privacy, whether they realize it or not. Romayor said he often talks with parents who haven’t heard of FERPA or aren’t aware of laws that prohibit predatory activity or digital marketing to children. Districts have been trying for years to educate teachers on best practices for protecting student data privacy, but that continues to be a work in progress.
The lack of widespread knowledge about the intricacies of student data privacy can cause problems for schools, he said. If students or parents send a text message that contains a student username or password with identifying information, that student’s identity could be at risk of being stolen. If school employees access district data on a personal computer that has a virus, they could be compromising that data.
Romayor has been working on resources to keep district employees abreast of its policies and practices around privacy, and he’s drafting a letter to families, in both English and Spanish, that summarizes federal and state laws around student data privacy.
Bennett said schools should send as much information to parents by regular mail as possible, to avoid excluding parents who don’t have internet access or aren’t frequently checking school sites or social media. Among parents, “The biggest frustration I’ve seen is lack of communication,” she said.
Some parents are expressing more pointed concerns. In Montgomery County, Maryland, a group of parents has been lobbying the school system for several years to share the details of its contract with Google for Chromebooks—specifically, whether the company is deleting students’ data according to the district’s policy. The urgency of their efforts has increased now that the district is distributing devices to students who don’t already have them.
“Once we allow students to use Chromebooks at home, they’re likely to use them for school work for exponentially more time—given social distancing, no teacher oversight, etc,” says the parents’ draft letter to the district. “This will turn the small spigot of information that currently flows to Google into a virtual firehose.”
The technological and logistical chaos in K-12 education during the COVID-19 outbreak is likely to continue for some time. Educators may feel they need to rush to get things up and running, but experts caution them to take the time to figure out the best approaches for protecting students’ data privacy.
“I think everyone needs to pay attention, make smart decisions, not rush to grab technology where technology is not needed, and fall back on old-school teaching,” Attai said. “There’s nothing wrong with some good worksheets, there’s nothing wrong with writing essays.”