OETC Spotlight

A New World of Student Privacy

With closures come countless questions on student privacy and compliance— but few answers

The question posed by Portland Public Schools teachers was a simple, but startling one: In a time of school closures and videoconferencing, how closely should they be scrutinizing each student’s home and surroundings?

Don Wolff, the CTO of PPS, said some teachers are worried or uncertain about how to fulfill their duties as caretakers of their students.

“They are concerned about, ‘I’m a mandatory reporter — how far does that go? Does that mean I should be scrutinizing everything when a student is on screen? Should I be scrolling through each of my students so I can see what’s in the background? How far does this go?’”

The question is just one of the perhaps countless student privacy and security concerns posed by an abrupt and unplanned shift to online learning.

While there is existing guidance from federal law — FERPA, CIPA and, to a lesser extent, COPPA — school districts across the country are being left with relatively scant guidelines from state and federal authorities, and it has been up to them to navigate an arena with many, many questions but few solid answers.

FERPA, CIPA and COPPA at a glance:

FERPA: The Family Educational Rights and Privacy Act of 1974 gives parents certain protections in regard to their children’s education records, including report cards, transcripts, disciplinary records, contact/family information and more.

CIPA: The Children’s Internet Protection Act was passed in 2000, and requires schools and libraries to filter out obscene or harmful content on the internet. If schools aren’t compliant, they are not eligible for E-Rate funding. They must also monitor the online activities of minors and educate them on appropriate online behavior, including cyberbullying awareness and response.

COPPA: The Children’s Online Privacy Protection Act, passed in 1998, applies to the collection of personal information of children under 13, and gives parents control over what information may or may not be shared. COPPA applies to companies, not schools. However, some companies request that schools provide parental consent instead of parents or facilitate getting parental consent.

Don said the questions keep coming in — the most recent being, is it a FERPA violation for non-students to see classroom lists of IEP or special education students?

“If a student’s parents are walking by or helping them navigate a virtual learning platform, is the parent seeing that list a violation that we need to be aware of and take action on?”

There are also questions that aren’t about legality, but safety.

“Zoom is a great example,” said Corin Wyatt, Instructional Technology Innovation Supervisor of the Northwest Regional Education Service District. “It’s not against any federal law to have a kid’s face on the screen, it’s when you start to mix other information in there. I’ve had students in the past that are in the middle of custody battles, or have a relative that’s been incarcerated and are getting out of jail, and they’re at real risk. There are legitimate reasons (for privacy) that aren’t legal reasons, they’re safety reasons, and we may or may not know those as institutions.”

Amelia Vance, the Director of Youth and Education Privacy at the Future of Privacy Forum in Washington, D.C., said that an immense amount is being asked of CIOs and technology directors.

“All of a sudden, the CIOs and CTOs that have been trying to convince their bosses how important security is for years are now competing with very important priorities like making sure kids are fed, making sure kids have access to the internet, and making sure special education services are still available,” she said. “Trying to push privacy and security up that list? That’s a hard task.”

The group, she said, are often between a rock and a hard place, citing recent coverage about Fairfax Public Schools in Virginia, where technology workers voiced alarm about security concerns which higher-ups ignored — until they had to cancel several days of classes to stop incoming attacks. Now, the district is facing lawsuits and has retained legal counsel.

“Now there’s a law firm that’s been hired, it’s nonstop drama, and all I can think of as I’ve been following this is how much this removed the credibility of the school district to deliver education. Ideally, other districts and CTOs can get ahead of that, and can also be delivering communications about privacy both to the staff and to parents,” she said.

Then, there’s the question of what mediums can — and cannot — be trusted.

“A lot of times teachers will find a really cool online tool and sign kids up for it without letting their districts know, or reading the TOS and thinking about what kind of info on the kids they might be giving away,” said Corin. “COPPA directly states that you have to get permission from parents if the vendor is collecting any personal information, and teachers might just not know. It’s not that they’re being malicious.”

For his part, Don said his district is sticking with the tried-and-true right now.

“As we move forward, we’ve made some distinctions about which apps can and can’t be used,” he said. “We need to make sure that we’ve got an enterprise agreement that gives us access to the backend, so we can make sure that we can track (interactions).”

“If we increase security too much, to where teachers and students can’t log on or are disconnecting … it’s a pretty burdensome shift that may cut that digital lifeline, and the fix may be worse than the vulnerability.”

William Dembi, a CISSP and Security Architect for the Idaho Digital Learning Alliance, said that the balance between security and access has been hard to strike.

“If we increase security too much, to where teachers and students can’t log on or are disconnecting … it’s a pretty burdensome shift that may cut that digital lifeline, and the fix may be worse than the vulnerability.”

He is still grappling, he said, with so many situations that are unprecedented.

“An interesting one in general is with Zoom-bombing … CIPA immediately comes to mind. CIPA requires you to filter questionable content for children, and your E-Rate funding is reliant on that as well. So the issue is, is CIPA still relevant during this time when a student is using your device or tools outside of your network?”

More than anything, he said, it’s a constant dance of risk management, of anticipating and addressing vulnerabilities while also making the experience for students easy and accessible.

“It can be difficult motivating students even without barriers,” he said, “and every barrier you add makes it more difficult for them to learn.”

But despite all the challenges, everyone OETC spoke with retains optimism and excitement about the new opportunities that have arisen with distance learning.

The time is right, Don said, to try not only new tools, but entirely new approaches.

“It’s like, ‘Take a breath! Let’s find some fun things that engage your brain and start synapses firing that aren’t that typical memorization, that typical ‘how do we do school’ in the U.S.,” he said.

“There’s a whole swath of students out there who don’t have as many connections … let’s provide them a tether back to their school system where they have access to learning and connection 24/7, not just the six hours a day they’re in class. That, to me, is really the promise of technology.”

Past Spotlight Posts

Remote Zoom panel: How school districts are adjusting to security and support needs during school closures.

“It’s never going to be the same”: Hardship, frustration, and the surprising opportunities found in K-12’s response to the ongoing COVID-19 pandemic.

Dark web search engines, “zero-trust” models and your weakest link – Eight actionable cybersecurity practices your institution should follow according to Jack Maynard

Six employee communication tips from Know Your Team’s Claire Lew

Q&A: Tricia George on being named a Top 10 Innovative technology director

PSU CIO Kirk Kelly on how a department-wide overhaul landed them in the top 100 IT workplaces

Q&A: John Peplinski of Beaverton School District

Silverton kids get hands-on — and paid — with IT

How Salem-Keizer’s Bob Silva thwarted a $1.5-million phishing scam

Q&A: University of Oregon CISO Leo Howell

Newberg Superintendent Joe Morelock uses data to find invisible problems — and surprising solutions