FPF’s Student Privacy Newsletter – November 2020

Welcome to FPF’s Student Privacy Newsletter! With the fall semester coming to an end, we’ve rounded up noteworthy student privacy issues that have surfaced as schools rotate between in-person and remote education.

As a quick programming note: we’re excited to announce that our team has grown! Learn more about our new colleagues Karsen Bailey, Juliana Cotto, Dr. Carrie Klein, Jim Siegl, Bailey Sanchez, and Casey Waughn here.

We’ve also released multiple new resources:

Today, FPF and the National Education Association released Rethinking Video Mandates in Online Classrooms: Privacy and Equity Considerations and Alternative Engagement Methods, to address the key privacy and equity considerations arising from requiring students to be on camera as they learn from home.
To help guide schools through the tough decisions they are making to reach students in-person and remotely during the pandemic, FPF and 23 other education, disability rights, civil rights, and privacy released Education During a Pandemic: 10 Principles for Student Data Privacy and Equity.
We partnered with the National Center for Learning Disabilities for our new white paper, Student Privacy and Special Education: An Educator’s Guide During and After COVID-19.
We’ve updated our series of teacher training materials to provide teachers with clear steps on how to secure their remote teaching environment, online accounts, and more. This includes 12 new and updated teacher training modules, which are short video trainings accompanied by an activity, on topics including why it is important to protect student data, best practices in protecting student data, having private conversations with students in a remote setting, and advocating for a culture of privacy at your school.
We are proud to announce that we released Pledge 2020, an updated version of the Student Privacy Pledge—the result of a year and a half of multistakeholder conversations and feedback about how to improve the Pledge. Key changes to the Pledge include two new substantive provisions, an updated definition of the data covered by the Pledge, and a series of guidelines to help readers understand Pledge provisions. You can see the updated text of Pledge 2020 here, and the guidelines here.
For more of our work, check out the resources section at the end of the newsletter!

Top News

Schools that reopened in person this fall are relying on testing and information gathering to monitor and mitigate the risk of COVID-19 in their communities, and will likely continue to depend on these measures in 2021.

To help raise awareness of related apps and tracking materials, the ACLU published a resource to help college students understand the privacy measures in place for any mandated apps called Ten Questions College Students Should Ask About Their Schools’ COVID-19 Apps.
The Markup and Recode reported that schools are using surveillance technology to assist with reopening. Some are new tools like AI powered thermal-imaging systems or wearable technology, while others are using existing video surveillance systems that have been retrofitted to measure social distancing.
- Schools around the country are turning to contact tracing in an effort to stem outbreaks, but they might not be thinking through the privacy implications of collecting student data or movements on a day-to-day basis.
- Oakland University is requiring students and staff to wear health monitoring devices as a prerequisite for being on campus—the devices track the wearers’ proximity to other community members, temperature, heart rate, and respiration rates. Similarly, in Beijing, students are wearing wristbands that monitor temperature fluctuations in real-time.
- UC San Diego released a cell phone-based COVID exposure system. While it is optional, the school is urging community members to install the system to continue to keep the campus safe.
- Fayette County Public Schools in Georgia invested $525,000 on 75 thermal cameras to detect if anyone with a fever enters the building. The school claims that the information will be stored locally and deleted “eventually.” However, there is no proof this technology will make a difference in COVID-19 diagnoses.
- Some schools are using technology to supplement physical cleaning measures (installing UV lights to clean air shafts) while others are relying on technology to measure social distancing and conduct exposure notifications through location information.
- The University of Arizona was able to identify COVID-19 cases before they spread using wastewater testing, which links cases to an area within a residential hall rather than an identifiable individual.
The Electronic Frontier Foundation argues that schools should not mandate the use of apps in their return to school strategies, since these mandates assume students have access to compatible devices and exacerbate existing “wealth and racial divides.” They developed a “University App Mandate Pledge” that requires universities to be transparent about their data collection processes.
- Wired notes that students may hesitate to accurately report their health information to university-run programs–there may be shame in testing positive for COVID and students may feel uncomfortable sharing their results with school administrators. At some schools, however, a student’s test results will not be revealed to their professors, potentially putting faculty at risk.
Some schools are resorting to physical measures—Notre Dame has hired extra security personnel to patrol the campus to make sure the community is following COVID-19 guidelines or stay-at-home orders.

But…what do schools do with the information they collect? Schools at every level are struggling with effectively reporting instances of COVID-19 to their communities.

Many schools have misinterpreted the laws that govern this data, and are refusing to report information that they can permissibly share for fear of violating FERPA or HIPAA. As a result, the U.S. Department of Education recently released a blog on student privacy and reporting cases of COVID-19. In March, FPF and AASA teamed up to respond to FAQs on the topic, available here.
In some cases, even when schools do report cases to their communities, the presentation of those statistics can confuse parents or even raise unwarranted concerns.
The New York Times created an interactive map and data repository of the number of COVID-19 cases on college and university campuses across the country.

For more information on the student privacy concerns arising during the pandemic, check out our latest Reopening Schools Issue Briefs: Part 1: Increased Data Collection and Sharing, Part 2: Thermal Scans and Temperature Checks, Part 3: Wearable Technologies & COVID-19, Part 4: Location Tracking & COVID-19, and Part 5: Online Monitoring & COVID-19. For these and more student privacy and COVID-19 resources, take a look at our COVID-19 resource repository.

The virtual classroom also creates deep questions about equity as schools think through how in-person policies translate to the online environment, which FPF’s Amelia Vance and Anisha Reddy explored in a recent op-ed. Earlier this year during “emergency” online learning, a student in Michigan was sent to juvenile detention for failing to complete her online schoolwork—but there remain lessons to be learned as we enter an entirely remote semester:

Another Michigan student was removed from an online classroom for sending too many messages.
In Arizona, a student was withdrawn from a public school after having technical issues accessing their online classes. According to Arizona state law, this is the protocol if a student has ten unexcused absences; however, all of this student’s absences were caused by an inability to access class.
In Baltimore, the police were called to the home of a student because the student displayed BB guns on a bedroom wall, visible to others in the student’s virtual classroom. A similar situation occurred in Colorado, when a teacher called the police on a seventh grader for playing with a toy gun, and is now receiving backlash. These events raise questions about privacy, and how discipline is being handled in a virtual classroom.

The pandemic has also upended how exams are administered, since most standardized tests are typically conducted in person. We previously discussed the AP Exam snafu, but exam administration around the globe is increasingly under scrutiny:

Critics continue to raise privacy and equity concerns about remote proctoring software, strengthened by powerful student anecdotes. Vice notes how use of this software disproportionately harms “low-income students, students with disabilities, students with children or other dependents, and other groups who already face barriers in higher education”—for example, the software fails to verify the identity of students of color and uses flags for cheating that unfairly target students with disabilities. Software has also allegedly compromised the cybersecurity of student computers in some cases. However, there are concerns that academic misconduct is growing across the globe.as online learning continues.
In July, the International Baccalaureate (IB) Diploma Programme took an unconventional approach to calculate final exam grades for high school seniors; rather than creating an alternative to a year-end exam, IB administrators created an algorithm to infer what a student’s final grade in a subject would be based on teacher predictions, past assignments, and historical testing patterns. Educators and students found the results surprising because students who typically performed well in a particular class received a poor predicted score. IB results define postsecondary opportunities for students around the world and, as a result of this year’s grading system, many students fear they will have admissions offers revoked.
- The Norwegian Data Protection Authority announced that they commenced an investigation into IB’s decision under Article 22 of the GDPR, which, among other things, prohibits decisions “based solely on automated processing, including profiling, which produces legal effects concerning [an individual] or similarly significantly affects [them].”
- In the UK, the administrators of the GCSE and A-Level exams took a similar approach in August. Exam results were calculated using teacher predictions and historical performance data rather than having students actually sit for the exams. This decision resulted in widespread criticism, and some predict that schools will be inundated with GDPR data subject access requests.

FYI: Quick Hits

The Tampa Bay Times uncovered a troubling predictive policing initiative in which a county sheriff’s office used education data to create a list of potential criminals. The information included in the initiative includes a student’s grades, attendance information, and disciplinary information—students on the list were unaware of its existence, as were their families.
Vice’s Motherboard investigated the Lockport School District’s controversial school safety partnership with a facial recognition company and found that the tool had several technical problems (for example, misidentifying broom handles as guns) but would nevertheless “automatically alert police when it detects weapons or certain people on the district’s ‘hot list.’” Further, the company “misled the district about the accuracy of the algorithm it uses and downplayed how often it misidentifies Black faces.”

The Age Appropriate Design Code came into effect in the UK on September 2, 2020 with a 12 month transition period. The code sets 15 standards for online services whose products children might use, to minimize the collection of children’s data and to give children and parents more agency regarding the types and amount of data collected. The code includes high privacy settings by default; prohibiting profiling, nudging, and collecting geolocation data; and child-friendly language in privacy notices.
Twitter provided us with a great example of how grading by algorithm can be gamed–a mother and son found that adding a string of related words to the son’s exam responses ensured that he would receive 100% on all of his algorithm-graded assignments.
ACT agreed to a $16 million class action settlement pursuant to a suit filed against the organization for allegedly revealing student disability information to college recruitment programs.
The Pennsylvania Supreme Court will hear an appeal from a 2018 case where police charged a college student for robbery after obtaining Wi-Fi logs for a list of students who accessed the network in the dorm where the robbery occurred. The national ACLU, ACLU of Pennsylvania, and Electronic Frontier Foundation filed amicus briefs arguing that the Wi-Fi logs were illegally obtained and used as evidence in the case, violating the privacy of all the students listed on the log.

Resources

The National Center for Education Statistics published the “Forum Guide to Data Governance,” which includes case studies from exemplary school district data governance programs across the country.
Data Quality Campaign published their 2020 Education Data Legislation Review—43 bills focused on “safeguarding student data,” and 5 states considered legislation that would protect the privacy of higher education student records.

State Education Agency Data Sharing and FERPA – NASBE – National Association of State Boards of Education
USED published a Parent and Family Digital Learning Guide to help parents support their children’s use of technology in their education—it includes helpful tips related to privacy, security, and digital citizenship.
The Department of Education’s Student Privacy Policy Office published a short animated video that explains the FERPA Complaint Process.
As a part of the Learning Keeps Going Coalition, FPF, Common Sense Media, Connecticut Commission for Educational Technology, Edvolve, National Council for the Social Studies, and Student Data Privacy Consortium co-curated list of resources to help education stakeholders understand the basics on keeping technology systems safe, protecting student data, and promoting healthy digital decision making during the pandemic.
The Institute of Education Sciences’ SLDS Grant Program published several new resources that touch on student privacy, including:
- Data Governance Charter Guide & Template: Single Agency Version
- Key Components of a Data Governance Program: Guide & Rubric
- SLDS Issue Brief: How to Engage and Train Stakeholders Regarding Privacy and Security Best Practices
- SLDS and Forum Webinar: Responding to SEA and LEA Needs for Virtual Learning Solutions
The ACLU of Rhode Island released a report surveying the privacy protections afforded to students who utilized devices from their school district.
Data & Society created “A Poverty Lawyer’s Guide to Fighting Automated Decision-Making Harms on Low-Income Communities” – a guide that spotlights automated decision making in education, including a portion on school surveillance.
Data Quality Campaign published national parent and teacher polls that found both groups feel more data is necessary to address student needs during COVID-19, which also highlights the lack of virtual education training most teachers report undergoing.
Data Quality Campaign also also published a series of resources at the intersection of COVID-19 and education, covering maintaining trust and student privacy during COVID-19, and how to support individual students while they are at home, which includes a recommendation that districts review privacy and security practices to ensure secure tools are in use.
FPF published blog posts on:
- The effects of New York’s new student privacy regulations (Part 121) on educational technology companies;
- How the Federal Trade Commission’s updates to the COPPA FAQs will affect schools; and
- The Student Data Privacy Consortium’s new model National Data Privacy Agreement for school districts to use with their technology service providers.
- We also published a series of “Student Privacy During COVID-19” interviews with state, district, and school student privacy leaders, which reflect on lessons learned from the rapid transition to online learning in the spring and offer best practices regarding student data privacy in the current academic year. Find the series here.
In September, FPF co-hosted a webinar on Student Privacy and EdTech, focusing on teacher training with the Law & Economics Center at George Mason University’s Antonin Scalia Law School. The Law & Economics Center highlighted their survey of elementary school educators across the country, focusing on their use of edtech and understanding of student privacy laws.
For insight into our international work, FPF submitted comments to the United Nations Office of the High Commissioner for Human Rights Special Rapporteur’s call for contributions on children and privacy and to UNICEF’s draft policy guidance on AI for children, and published a blog post outlining the European Commission’s efforts to possibly harmonize the age of consent across the EU.
Here are some potential model student privacy policies and practices that we found interesting since our last newsletter:
- A School District developed a opt-out form for parents to opt their child out of remote classroom recordings.
- The University of Texas published Online Learning Student Privacy FAQs that includes sample student privacy syllabus language.
- Fairfax County Public Schools developed a searchable repository of edtech tools in use in the district, outlining the purpose of the tool and other details in an easily digestible form.
A UK edtech membership organization developed a code of practice for wellbeing and mental health analytics, with many principles that apply at a global scale.
ClassLink, AASA, AESA, CoSN, and SETDA partnered to create a “Back to School Rubric” to help schools and districts assess their readiness for reopening.
Common Sense Media published a report on “Tweens, Teens, Tech, and Mental Health: Coming of Age in an Increasingly Digital, Uncertain, and Unequal World 2020.”
Data Quality Campaign published a resource outlining the critical uses of a parent portal for communicating with parents about student data.
5 Rights Foundation developed Risky-by-Design, an interactive website outlining how application design decisions can impact how young people make decisions online.
In late November, the Council of Europe adopted Guidelines on Children’s Data Protection in an Education Setting, providing policymakers and commercial providers with principles for protecting student data.
The OECD published a report outlining how different countries around the world approached protecting children’s privacy online.
The Family Online Safety Institute published Tools for Today’s Digital Parents, a research report surveying how parental controls on applications for children are actually helping parents.

FPF’s Student Privacy Newsletter – November 2020

Top News

FYI: Quick Hits

Resources

Recess

Related Resources

Checklist to Help Schools Vet AI Tools for Legal Compliance

FPF Releases Policy Brief Comparing Federal Child Privacy Bills

FPF’s Student Privacy Newsletter – April 2021