FPF’s Education Privacy Newsletter – March 2020

The novel Coronavirus (COVID-19) continues to disrupt schools around the world. As of today, over 100 countries have announced school closures, upheaving “over half of [the] world’s student population.”

We’ve rounded up the latest coverage on the student privacy-related challenges stemming from the pandemic, in addition to our usual updates. Also bookmark FPF’s new webpage tracking key resources being released on privacy and data protection around COVID-19.

As always, feel free to reach out to us at any time with student privacy questions.

Top News

Schools everywhere are struggling to effectively respond to the virus, especially when it comes to responsibly sharing student information. 

• On March 24th, Senators Markey (D-Mass), Durbin (D-Ill), and Blumenthal (D-Conn) sent a letter to the FTC and U.S. Department of Education (USED) requesting both agencies jointly provide student privacy guidance to the edtech community as schools rapidly transition to online learning. The letter also requests the agencies to provide student privacy guidance for parents.
  • Unfortunately, the letter doesn’t raise what FPF sees as the most urgent student privacy issue during this crisis: the rapid proliferation of non-education services offering their services to schools and being adopted by educators without student privacy vetting. As U.S. educators move online, we recommend that they check out our publication, The Educator’s Guide to Student Data Privacy.
• USED released guidance on how schools can share information during this public health emergency while being mindful of student privacy and FERPA, as well as a one-pager, providing useful links to FERPA guidance applicable to virtual learning. AASA and FPF released an FAQ last Friday which builds on that guidance and provides examples.
• Meanwhile, the governors of Connecticut and New Hampshire each released executive orders on the applicability of their student privacy laws during the pandemic. Connecticut’s Commission for Educational Technology has also created the best webpage I’ve seen yet on remote learning resources.
• EdWeek reports that, as of today, 47 states have closed K-12 schools. 
• Postsecondary schools began responding in a variety of ways, either announcing week-long school closures or gradual migrations to online-only learning for the remainder of the academic year. For more details, see this crowdsourced list of US postsecondary school closures and policies.
• EdWeek released a report on Cyberattacks on Schools, which included a helpful article on how the coronavirus will compound the problem of cyberattacks on schools. FPF published a guest blog from Amy McLaughlin warning educators about cybercriminals capitalizing on COVID-19 fears through phishing and included tips for keeping school data and technology safe.

Schools subject to shutdowns are now wrestling with the equity issues more than ever, as they try to ensure students who rely on schools for meals, shelter, internet access are appropriately supported during the pandemic.

• Online education initiatives borne from this emergency largely rely on tools that were built for office, not education environments–like Zoom for synchronous classroom meetings. We’re closing following @slamteacher and @jessifer for their advice on student-centered and privacy-protective online learning advice.
  • Advocates worry that using such tools in the school environment will expose students to several privacy and equity risks: increasing monitoring/surveillance, privacy when using webinar platforms, teachers using un-vetted applications to serve their students, disadvantaging students without access to devices at home or the internet, and “zoombombing,” where unauthorized individuals enter a class on the platform and disrupt it (highlighting the importance of educators checking online learning tool default settings). University of Southern California has this great resource with several ways that educators can mitigate the risk.
  • Schools are also finding creative ways to continue supporting the mental health of their students, but some initiatives include using tools that are not necessarily compliant with privacy laws–though HHS has relaxed telehealth requirements during this emergency.
• The Atlantic projects what the world will look like based on how long schools are closed – weeks, months, or even a year from now.

Secretary DeVos announced on Saturday that USED will grant waivers to states that are now unable to meet mandatory testing requirements due to school closures. A proposed COVID-19 relief bill would allow the Secretary to grant states waivers from statutory or regulatory compliance requirements imposed by the Every Student Succeeds Act.

USED released supplementary guidance emphasizing that “ensuring compliance with the Individuals with Disabilities Education Act (IDEA), Section 504 of the Rehabilitation Act (Section 504), and Title II of the Americans with Disabilities Act should not prevent any school from offering educational programs through distance instruction.”

• Critics find this guidance insufficient, and that it could “open the door to districts curtailing their services for disabled students over the long term because they may claim they don’t have the resources.”
• USED’s Office of Civil Rights also released a fact sheet on protecting the civil rights of students during this pandemic, as well as a short webinar on Online Education and Website Accessibility.

As children’s privacy continues to make headlines, advocates push for stronger protections and policymakers around the world are exploring related legislation, guidance, and enforcement actions:

• On March 26th, the Campaign for a Commercial-Free Childhood and Center for Digital Democracy wrote to the FTC requesting the Commission to use it’s § 6(b) authority to study how companies collect information from children and how edtech collects information from students, including a list of sample questions for these studies.
• On March 5th, Senators Graham (R-SC) and Blumenthal introduced the EARN It Act, an act that would amend Section 230 of the Communications Decency Act–a provision that exempts platforms from liability for user-uploaded content–by making platforms liable for activity and content related to child sexual exploitation unless they “earn” exemption by adhering to standards determined by a commission.
  • Critics argue that the act would in effect prohibit encryption by forcing companies to either “accept liability [and] undermine the protection of end-to-end encryption by adding a backdoor for law enforcement access, or avoid end-to-end encryption altogether.”
• Also on March 5th, Senators Markey and Blumenthal introduced the Kids Internet Design and Safety (KIDS) Act, which would amend COPPA by increasing the age of children protected on the internet to 16 and prohibit platforms from branded, sponsored, or influencer marketing to kids under 16.
• Poland’s Data Protection Office issued a fine against a school in Gdansk that collected students’ fingerprints when they entered the school cafeteria to verify their meal plans. However, biometrics are still being used in similar ways around the world; schools in New Jersey use a vein reader on cafeteria lines and schools in Australia are trialing facial recognition to measure attendance.
• The UK’s Information Commissioner’s Office has an open consultation for providers of online services that will inform the ICO’s guidance on the Age Appropriate Design Code. The questionnaire is open until March 27th.

Before the wave of school closures, schools and districts continued their focus on surveillance as a way to increase school safety:

• Portland, Oregon school districts reached a turning point in SRO body camera debate. The city’s school board and police department tentatively reached an agreement prohibiting the police department from covertly operating cameras. The school board is reviewing a draft MOU that “would allow the police department to have custody of video recordings but restrict their release.”
• Video recordings are now required in classes that serve special education students in Dallas Independent School District (a 2015 Texas law already required that cameras with audio be added to those classrooms upon request; check out these FAQs and legal analysis on recordings in schools). Parents may not opt-out, but can instead have their child moved to a non-recorded classroom.
• The Wall Street Journal released an article examining how and why colleges track students in physical and virtual spaces, including the perspective of both privacy advocates and universities seeking to provide for their students. This follows The Washington Post’s article in December on location tracking of college students.
• Over 1,000 students and staff at Wesleyan University (where enrollment is about 3,000) voiced concerns over a new timekeeping app that would potentially use location tracking.
• MTV joins the list of prominent media outlets writing or featuring articles concerned about facial recognition in schools with this op-ed. The student-led coalition Fight for the Future advertises that students have successfully advocated for over 60 colleges and universities to pledge against using the technology.

Schools and districts often struggle to balance student privacy and school safety–but what happens when data is shared with immigration officials?

• After a school incident report was allegedly shared with immigration officials and resulted in the deportation of a student, the City of Boston is drafting new privacy policies for how schools may share information with law enforcement. Immigration and civil rights advocates argue that the new policy doesn’t address the problem sufficiently.
• Immigration authorities recently arrested a parent at an Oregon school bus stop. ICE officials called the stop “routine,” while school officials claim that bus stops are sensitive locations (aka locations where, according to a longstanding ICE policy, ICE enforcement actions should not occur absent exigent circumstances). ICE argued that marked bus stops are sensitive, while unmarked are not: the Oregon Department of Education issued guidance in response, calling for increased FERPA training and creating a toolkit for schools and districts regarding undocumented community members.

FYI: Quick Hits

• The University of Buckingham’s Institute for Ethical AI in Education issued a “call for evidence” to support the Institute’s work regarding the responsible uses of AI in education. Evidence is due by May 29, 2020. Answer the call and find the Institute’s Interim Report here.
• New research indicates that “gaps in student privacy” emerge when school nurses collaborate with local health departments to improve student health. We strongly recommend these great new resources on data privacy in school nursing from The Network for Public Health Law.
• The Wall Street Journal examines whether the Benefits of Digital Devices in School Classrooms Outweigh the Downsides through two perspectives: one that finds technology essential in the modern classroom, and another that finds we use technology all too much–and adversely impact marginalized populations when we do so.
• YouTube is once again under scrutiny for tracking kids on its platform: a Massachusetts mother filed suit against the video streaming service for COPPA violations, allowed to go forward by a Massachusetts law allowing individuals to sue companies for practices deemed unfair by the FTC.

Highlighted Resources

• FPF published a wiki of COVID-19 privacy resources, available here: the wiki includes official guidance from government agencies around the world, best practices, and emerging solutions. If you have additions or suggestions, please contact comments@fpf.org.
• On Monday, March 30th, USED is hosting a “FERPA & Virtual Learning” webinar discussing FERPA FAQs and the large-scale shift to online learning. Register here.
• USED created a COVID-19 resource page that includes guidance, a webinar on accessibility and online learning, and a fact sheet on serving children with disabilities. USED also published a one-pager listing their resources related to online learning and FERPA.
• USED’s Student Privacy Policy Office published several resources in addition to its recent COVID-19 FERPA FAQs:
  • An updated PPRA Complaint form
  • Colleges and the 2020 Census: Privacy Webinar
  • Malicious Software Data Breaches: Scenario, Facilitator Guide, and Handouts
  • Postsecondary Data Breaches: Scenario, Facilitator Guide, and Handouts
  • Data Breach Scenarios
  • Password: Facilitator Guide, Handouts
  • Dual Enrollment Data Breach: Scenario, Facilitator Guide, and Handouts
• FPF and AASA published a whitepaper for school administrators covering data-sharing during the pandemic, including FERPA and HIPAA considerations.
• The Council of Administrators of Special Education has great COVID-19 advice and resources.
• The National Conference of State Legislatures compiled resources regarding state initiatives to address education and COVID-19.
• The Berkman Klein Center for Internet & Society at Harvard University released a new report on youth and digital citizenship.
• The K-12 Cybersecurity Resource Center released a new report, “The State of K-12 Cybersecurity 2019 Year in Review”
• The Cornell University Library Academic Assembly passed a Resolution on Responsible Governance of Student Data.
• Data Quality Campaign released a state and district research partnership fact sheet, detailing the benefits of research partnerships and more.
• The Library Freedom Project has a roundup of recommendations for teachers and learners during the rapid transition to online learning.

Recess

Interested in staying updated? Subscribe to our newsletter here.