COVID-19 has placed districts, schools, and educators in unprecedented circumstances as they balance health concerns, academic responsibilities, and equity concerns to determine how to reopen this fall. How does student privacy relate to this planning? For this blog series, Future of Privacy Forum (FPF) has interviewed state, district, and school student privacy leaders, to reflect on lessons learned from the rapid transition to online learning in the spring and to offer best practices regarding student data privacy as schools plan for the coming academic year.
On July 28, Juliana Cotto, a policy fellow on FPF’s youth and education team, spoke with Tope Akinyemi, Chief Privacy Officer for the New York State Education Department, about lessons learned, model data privacy agreements, data protection officers, and how discussions of student privacy have evolved.
Juliana: What are some of the lessons learned from online learning last spring? How should they inform our preparations for the fall?
Tope: We’re still collating those lessons, but I think the biggest thing we saw is the need to have negotiated contracts in place with vendors for tools that could support remote learning at the scale needed. One reason is that tools made for business conference calls were required to provide continuity of education through virtual classrooms in the emergency we found ourselves in. This left little time for lengthy negotiations. Many school districts ended up signing short-term, trial 30-, 60-, or 90-day click-through agreements pending negotiation of contracts that aligned better with state laws. With this hindsight and in preparation for the fall, we’re working on putting together what we’re calling a model data privacy agreement (DPA). DPAs can be used with any vendor, almost like a supplementary contract in addition to vendors’ service agreements, but they specifically address privacy and security.
Juliana: What are the key things the state wants to include in the model data privacy agreements?
Tope: Our state law is very specific about certain things that need to be included. The DPAs primary purpose will be to make sure that the contracts align with state and federal laws. It also aligns with best practices when it comes to contracting with technology vendors to protect student data. For instance, it will address what will happen with the data post-contract termination, specifically secure destruction and secure deletion. Standard click-through terms and conditions for vendors usually give broader leeway with this than a negotiated contract does, so this is definitely one provision that we’re looking at addressing in the model DPA. The DPA will also clearly outline the prohibition on selling personally identifiable information (PII) or using it for marketing purposes. This is also clearly described in our state law. These are the DPA terms and conditions that we think will aid school districts or other educational institutions to quickly get an agreement that aligns with the requirements in New York Education Law §2-d, especially if we already have a model DPA that they can use as a starting basis for discussions with vendors.
Juliana: Do you believe schools, educators, families, and students will be better informed this fall regarding protecting student privacy in a virtual setting when schools use video conferencing?
Tope: I think these stakeholders in New York are more informed because of our state law, New York Education Law §2-d, and we just went through the rulemaking process for its implementing regulations, Part 121, in January. So this is all still very top of mind for a lot of our districts and schools. Also, when remote learning commenced in March, certain security concerns, particularly with video conferencing platforms, emerged that were well discussed in the public space. There were concerns raised by different parties and several state attorneys general, including New York state’s attorney general. There is definitely a new level of awareness on both sides; the quick switch and pivot made technology vendors more aware that they had to create a safer space for education than for their general-offering customers. And a lot of them took the initiative to start working very quickly on aligning with the new normal for protecting student data across all states, not just New York. On the policymaking side or school side, people started talking about which tool should be used to deliver remote learning, the process of signing a click-through agreement and its impact, and how to make such agreements compliant. These conversations have been useful in continuing to raise awareness and preparing for the fall.
Juliana: As schools prepare for the fall, how should they consider and prioritize student privacy?
Tope: I think the biggest thing is education and training that cuts across all staff who will have access to student personally identifiable information. I’ve done a lot of conferences and seized opportunities to speak to stakeholder groups across the state. We are also planning support and training for the school data protection officers. We hope to support agencies as they train their teachers because when it comes to actual practical delivery of education, we are really talking about the teachers in the classroom. They are the ones making the decisions: will students be recording themselves for this assignment, posting it to a website, etc.? Teachers are looking for creative ways to deliver their instruction, but they don’t necessarily have vast knowledge of data privacy and security issues because they’re educators and teachers; their goal is to deliver and teach the subject. We have to focus on making sure that the staff, the teachers who are really on the front lines of delivering content, feel supported, know what they’re supposed to do, know what they’re not supposed to do, and more importantly, if there is a mistake or error that compromises PII or a system that stores it, they should know whom to call and feel comfortable reaching out. This is huge and where we are heading.
Juliana: What are some best practices for protecting student privacy in a remote, virtual setting
Tope: A foundational best practice is negotiating terms and conditions with the vendor, to outline what the vendor can and cannot do with protected information. This may not seem intuitive, because you might want to jump to talking about IDs and passwords and stuff like that, but most of the time, the tools that we use are third-party proprietary platforms; they’re not designed by the state education department or the district. The delivery of virtual classrooms and data storage are all technology-based in a way that we have not designed and don’t control; we’re procuring this. So, understanding how to handle and protect that information is paramount, and the way to do that legally is through the agreement. When it comes to freeware, the things available online for free, if data protected by state or federal laws will be implicated, districts may find that negotiating a contract, even if it is for a paid version that adequately protects the data, is the safest option.
Juliana: What are strategies or best practices to build trust with families to assure them that schools will protect their children’s privacy?
Tope: Overall, I think transparency is key. New York Education Law §2-d requires districts and educational agencies to put certain information on their websites. For example, agencies must post a parent bill of rights for data privacy and security that includes how to submit a complaint or report an incident that pertains to PII and whom to contact. This way, if there is an incident, parents have a certain level of awareness. It’s a good idea to communicate with parents, empower them with information, and give them a chance to ask questions and become aware. We have this process here in New York, where every educational agency and school district is supposed to appoint what we’re calling a data protection officer (DPO). That person’s contact information is supposed to be on the website. This way, parents know whom to reach out to if they have questions.
Juliana: Have you seen the conversation on student privacy change as a result of the shift to online learning? How do you believe the conversation will evolve?
Tope: I saw the conversation start shifting in the summer of 2019. Before that, those of us in this field talked about data privacy and security in the education space. It was a tough battle to convince people struggling to balance budgets and several other priorities to make privacy and security a priority. But then by the summer of 2019, a wave of ransomware attacks swept through the US. In New York, we had several attacks that targeted our school districts. This caused broader awareness, and understanding began to develop about what I had been trying to flag––that there really is a risk, and data security and privacy is not just a value-added issue. These are issues that, if not addressed, can affect the ability of a school to deliver its core mission because if systems are down and not accessible, that mission can be negatively impacted. The New York School Education Department designated the National Institute of Standards and Technology’s Cybersecurity Framework as the standard for educational agencies’ data security and privacy policies and programs, in Part 121 of the Commissioner of Education’s regulations. With this, our agencies started moving from informal processes that varied in each district, to using a national standard as the formal guide for developing and advancing their data privacy and security programs.
In general, and it doesn’t matter which sector is being discussed, change is not easy. When a new concept is introduced, there can be a struggle to shift people’s attention to focus on implementation and adoption. Sometimes there is a really wide pivot to an extreme, where people are scared to do almost anything because they’re afraid they will run afoul of the laws and regulations. We don’t want that either, and I think the conversation is now more balanced. We recognize that there are risks but also that we still need these tools and technologies to deliver the core mission of educating the people of New York. During COVID, when students cannot always be physically present in school buildings, there’s no question that we need technology. We need platforms that allow the virtual delivery of classes and education. So we focus on addressing and mitigating the risk by using a risk-management approach.
Juliana: What trends in technology do you think we’ll see schools adopt for the fall?
Tope: I honestly don’t think we will see a lot of new trends, but instead, we’ll see creative use of the same tools, like Zoom being co-opted into a platform for education delivery––who would have thought? Business platforms intended for meetings have turned into education platforms and even platforms used for private parties. I’ve attended Zoom graduations, weddings, and funerals. This is the creativity––using tools for non-traditional purposes. By the end of the school year, my son was doing PE via one of these virtual platforms. The PE teacher would send them instructions to do x number of pushups, and so on.
Laws are also changing to allow for this creativity. For instance, HIPAA has made some changes to allow doctors to use some of these same tools for virtual doctor visits. You couldn’t do that before; it had to be a particular platform. I think we’ll continue to see some flexibility built into those laws to allow creative use of tools that already exist. The caution is ensuring we are planning for privacy and security, so that it’s not an afterthought. You must always think about the lifecycle of the data, from creation to deletion. I was so pleased that you talked about the audio for this interview, and you told me what specific purpose you will use it for and when you will delete it. Every time there’s a new data collection or new PII processing, that is the point at which plans have to be built to protect it, from creation to deletion.
This interview was conducted by Juliana Cotto on July 28, 2020. It has been edited and condensed for clarity.