FPF’s Student Privacy Newsletter – November 2020

FPF’s Student Privacy Newsletter – November 2020

Welcome to FPF’s Student Privacy Newsletter! With the fall semester coming to an end, we’ve rounded up noteworthy student privacy issues that have surfaced as schools rotate between in-person and remote education.

As a quick programming note: we’re excited to announce that our team has grown! Learn more about our new colleagues Karsen Bailey, Juliana Cotto, Dr. Carrie Klein, Jim Siegl, Bailey Sanchez, and Casey Waughn here.

We’ve also released multiple new resources:

Top News

Schools that reopened in person this fall are relying on testing and information gathering to monitor and mitigate the risk of COVID-19 in their communities, and will likely continue to depend on these measures in 2021.

  • To help raise awareness of related apps and tracking materials, the ACLU published a resource to help college students understand the privacy measures in place for any mandated apps called Ten Questions College Students Should Ask About Their Schools’ COVID-19 Apps.
  • The Markup and Recode reported that schools are using surveillance technology to assist with reopening. Some are new tools like AI powered thermal-imaging systems or wearable technology, while others are using existing video surveillance systems that have been retrofitted to measure social distancing.
    • Schools around the country are turning to contact tracing in an effort to stem outbreaks, but they might not be thinking through the privacy implications of collecting student data or movements on a day-to-day basis.
    • Oakland University is requiring students and staff to wear health monitoring devices as a prerequisite for being on campus—the devices track the wearers’ proximity to other community members, temperature, heart rate, and respiration rates. Similarly, in Beijing, students are wearing wristbands that monitor temperature fluctuations in real-time.
    • UC San Diego released a cell phone-based COVID exposure system. While it is optional, the school is urging community members to install the system to continue to keep the campus safe.
    • Fayette County Public Schools in Georgia invested $525,000 on 75 thermal cameras to detect if anyone with a fever enters the building. The school claims that the information will be stored locally and deleted “eventually.” However, there is no proof this technology will make a difference in COVID-19 diagnoses.
    • Some schools are using technology to supplement physical cleaning measures (installing UV lights to clean air shafts) while others are relying on technology to measure social distancing and conduct exposure notifications through location information
    • The University of Arizona was able to identify COVID-19 cases before they spread using wastewater testing, which links cases to an area within a residential hall rather than an identifiable individual.
  • The Electronic Frontier Foundation argues that schools should not mandate the use of apps in their return to school strategies, since these mandates assume students have access to compatible devices and exacerbate existing “wealth and racial divides.” They developed a “University App Mandate Pledge” that requires universities to be transparent about their data collection processes.
    • Wired notes that students may hesitate to accurately report their health information to university-run programs–there may be shame in testing positive for COVID and students may feel uncomfortable sharing their results with school administrators. At some schools, however, a student’s test results will not be revealed to their professors, potentially putting faculty at risk.
  • Some schools are resorting to physical measures—Notre Dame has hired extra security personnel to patrol the campus to make sure the community is following COVID-19 guidelines or stay-at-home orders.

But…what do schools do with the information they collect? Schools at every level are struggling with effectively reporting instances of COVID-19 to their communities.

  • Many schools have misinterpreted the laws that govern this data, and are refusing to report information that they can permissibly share for fear of violating FERPA or HIPAA. As a result, the U.S. Department of Education recently released a blog on student privacy and reporting cases of COVID-19. In March, FPF and AASA teamed up to respond to FAQs on the topic, available here.
  • In some cases, even when schools do report cases to their communities, the presentation of those statistics can confuse parents or even raise unwarranted concerns.
  • The New York Times created an interactive map and data repository of the number of COVID-19 cases on college and university campuses across the country.

For more information on the student privacy concerns arising during the pandemic, check out our latest Reopening Schools Issue Briefs: Part 1: Increased Data Collection and Sharing, Part 2: Thermal Scans and Temperature Checks, Part 3: Wearable Technologies & COVID-19, Part 4: Location Tracking & COVID-19, and Part 5: Online Monitoring & COVID-19. For these and more student privacy and COVID-19 resources, take a look at our COVID-19 resource repository.

The virtual classroom also creates deep questions about equity as schools think through how in-person policies translate to the online environment, which FPF’s Amelia Vance and Anisha Reddy explored in a recent op-ed. Earlier this year during “emergency” online learning, a student in Michigan was sent to juvenile detention for failing to complete her online schoolwork—but there remain lessons to be learned as we enter an entirely remote semester:

  • Another Michigan student was removed from an online classroom for sending too many messages.
  • In Arizona, a student was withdrawn from a public school after having technical issues accessing their online classes. According to Arizona state law, this is the protocol if a student has ten unexcused absences; however, all of this student’s absences were caused by an inability to access class.
  • In Baltimore, the police were called to the home of a student because the student displayed BB guns on a bedroom wall, visible to others in the student’s virtual classroom. A similar situation occurred in Colorado, when a teacher called the police on a seventh grader for playing with a toy gun, and is now receiving backlash. These events raise questions about privacy, and how discipline is being handled in a virtual classroom.

The pandemic has also upended how exams are administered, since most standardized tests are typically conducted in person. We previously discussed the AP Exam snafu, but exam administration around the globe is increasingly under scrutiny:

  • Critics continue to raise privacy and equity concerns about remote proctoring software, strengthened by powerful student anecdotes. Vice notes how use of this software disproportionately harms “low-income students, students with disabilities, students with children or other dependents, and other groups who already face barriers in higher education”—for example, the software fails to verify the identity of students of color and uses flags for cheating that unfairly target students with disabilities. Software has also allegedly compromised the cybersecurity of student computers in some cases. However, there are concerns that academic misconduct is growing across the globe.as online learning continues.
  • In July, the International Baccalaureate (IB) Diploma Programme took an unconventional approach to calculate final exam grades for high school seniors; rather than creating an alternative to a year-end exam, IB administrators created an algorithm to infer what a student’s final grade in a subject would be based on teacher predictions, past assignments, and historical testing patterns. Educators and students found the results surprising because students who typically performed well in a particular class received a poor predicted score. IB results define postsecondary opportunities for students around the world and, as a result of this year’s grading system, many students fear they will have admissions offers revoked.
    • The Norwegian Data Protection Authority announced that they commenced an investigation into IB’s decision under Article 22 of the GDPR, which, among other things, prohibits decisions “based solely on automated processing, including profiling, which produces legal effects concerning [an individual] or similarly significantly affects [them].”
    • In the UK, the administrators of the GCSE and A-Level exams took a similar approach in August. Exam results were calculated using teacher predictions and historical performance data rather than having students actually sit for the exams. This decision resulted in widespread criticism, and some predict that schools will be inundated with GDPR data subject access requests

FYI: Quick Hits

  • The Tampa Bay Times uncovered a troubling predictive policing initiative in which a county sheriff’s office used education data to create a list of potential criminals. The information included in the initiative includes a student’s grades, attendance information, and disciplinary information—students on the list were unaware of its existence, as were their families.
  • Vice’s Motherboard investigated the Lockport School District’s controversial school safety partnership with a facial recognition company and found that the tool had several technical problems (for example, misidentifying broom handles as guns) but would nevertheless “automatically alert police when it detects weapons or certain people on the district’s ‘hot list.’” Further, the company “misled the district about the accuracy of the algorithm it uses and downplayed how often it misidentifies Black faces.”
  • The Age Appropriate Design Code came into effect in the UK on September 2, 2020 with a 12 month transition period. The code sets 15 standards for online services whose products children might use, to minimize the collection of children’s data and to give children and parents more agency regarding the types and amount of data collected. The code includes high privacy settings by default; prohibiting profiling, nudging, and collecting geolocation data; and child-friendly language in privacy notices.
  • Twitter provided us with a great example of how grading by algorithm can be gamed–a mother and son found that adding a string of related words to the son’s exam responses ensured that he would receive 100% on all of his algorithm-graded assignments.
  • ACT agreed to a $16 million class action settlement pursuant to a suit filed against the organization for allegedly revealing student disability information to college recruitment programs.
  • The Pennsylvania Supreme Court will hear an appeal from a 2018 case where police charged a college student for robbery after obtaining Wi-Fi logs for a list of students who accessed the network in the dorm where the robbery occurred. The national ACLU, ACLU of Pennsylvania, and Electronic Frontier Foundation filed amicus briefs arguing that the Wi-Fi logs were illegally obtained and used as evidence in the case, violating the privacy of all the students listed on the log.


  • The National Center for Education Statistics published the “Forum Guide to Data Governance,” which includes case studies from exemplary school district data governance programs across the country.
  • Data Quality Campaign published their 2020 Education Data Legislation Review—43 bills focused on “safeguarding student data,” and 5 states considered legislation that would protect the privacy of higher education student records.


Related Resources

  • Uncategorized

    Checklist to Help Schools Vet AI Tools for Legal Compliance

    Apr 24, 2024

    Schools and districts around the United States are currently grappling with how to vet new edtech tools that incorporate generative AI. Whereas various groups …

    Learn More
  • Uncategorized

    FPF Releases Policy Brief Comparing Federal Child Privacy Bills

    Jun 10, 2022

    Learn More
  • What We're Reading

    FPF’s Student Privacy Newsletter – April 2021

    Apr 5, 2021Bailey Sanchez and Amelia Vance

     Good afternoon, and welcome to another issue of FPF’s Student Privacy Newsletter! Below, we’ve rounded up noteworthy student privacy issues that surfaced…

    Learn More