COVID-19: Student Privacy Issues in Virtual Learning
Protecting Student Privacy in Virtual Learning During the COVID-19 Pandemic
By: Sara C. Saucier
April 10, 2020
Due to COVID-19, Governor Ned Lamont has canceled all public-school classes through at least May 20, 2020. Connecticut public schools have quickly pivoted to virtual learning to ensure continued education for students. Although this change is necessary to promote and secure students’ safety related to the risks of COVID-19, school districts may face unintended consequences related to student privacy in their implementation and use of virtual learning. During this unprecedented time, school districts are reminded to protect students’ privacy and follow Federal laws, including, but not limited to, the Family Educational Rights and Privacy Act (“FERPA”) and the Protection of Pupil Rights Amendments (“PPRA”) and Connecticut state laws, including, but not limited to, the Connecticut Student Data Privacy Law (see Conn. Gen. Stat. §§ 10-234aa through 10-234dd). On March 30, 2020, the United States Department of Education, Student Privacy Policy Office (“SPPO”) released a webinar that addressed common questions and guidance about FERPA and virtual learning, which can be found here.
FERPA. FERPA is a Federal law that protects the privacy of personally identifiable information (“PII”) in students’ education records. See 34 CFR § 99.3. “Education records” are records that are: (1) directly related to a student, and (2) maintained by an educational agency or institution or by a party acting for the agency or institution. 34 CFR § 99.3. The school district cannot disclose PII from students’ education records, without written consent, unless the disclosure meets one of the exceptions. See 20 U.S.C. § 1232g; 34 CFR Part 99. For virtual learning, the exception that will most commonly apply is the “school official” exception. Under the “school official” exception, school districts are permitted to outsource institutional services or functions to third parties (including providers of online learning software applications) as long as certain conditions are met. See 34 CFR § 99.31 (a)(1)(i). If an exception does not apply, the school or district must obtain written consent from the parent or “eligible student.” The consent form may be electronic as long as the record and signature: (1) identifies and authenticates a particular person as the source of the electronic consent; and (2) indicates such person’s approval of the information contained in the electronic consent. School districts should consider whether parental consent is appropriate, even in instances where FERPA does not require parental consent. This determination should be made on a case-by-case basis.
Under FERPA, School employees who have a legitimate educational interest may take PII from students’ education records home. School employees, however, who are working from home must take special precautions to ensure that PII from students’ education records is not disclosed, including, but not limited to: conferencing in a separate room when an employee’s partner or other family member is home, or avoiding discussing PII altogether.
Similarly, as a best practice, teachers should not disclose PII from students’ education records during virtual classroom lessons. This safeguards students’ privacy in the event that there is a non-student observing the class. In general, school districts should discourage non-students from observing virtual classroom lessons and/or recordings in the event that PII from a student’s educational record is disclosed.
Teachers may make a recording of the virtual lesson available to students as long as no PII is disclosed (or written consent is obtained prior thereto). Schools are reminded, however, that video records of virtual classroom lessons may qualify as “education records” subject to FERPA.
The Protection of Pupil Rights Amendments (“PPRA”). The PPRA is another federal law that limits what providers of educational services can do with student information. Under the PPRA, the school district must, with exceptions, “directly notify parents of students who are scheduled to participate in activities involving the collection, disclosure, or use of personal information collected from students for marketing purposes, or to sell or otherwise provide that information to others for marketing purposes, and to give parents the opportunity to opt-out of these activities.” See 20 U.S.C. 1232h(c)(2)(C)(i). This may become an issue when school districts utilize online websites and applications. School districts, however, are not required to provide parental notice or the opportunity to opt-out when schools use students’ personal information that it collects from students for the exclusive purpose of developing, evaluating, or providing educational products or services for students or schools. See 20 U.S.C. § 1232h(c)(4)(A).
Connecticut Student Data Privacy Law. The Connecticut Student Data Privacy Law (Conn. Gen. Stat. § 10-234aa through 10-234dd) applies to any situation in which school districts use educational technology that captures or accesses student information, records, or data. Although generally when the school district shares or provides access to student information, student records, or student-generated content with a contractor, the school district must have an existing contract with the contractor that complies with Conn. Gen. Stat. §§ 10-234bb(a)(1) through (a)(10), Education Commissioner Cardona issued guidance on March 24, 2020 that allows the school district to bypass the process of crafting individual contracts that fall under the data privacy statute by signing the Connecticut Student Data Privacy Pledge, which can be found here. Under the new procedure, if the school district shares or provides access to student information, student records, or student-generated content with a contractor, the school district must either: (1) have an existing contract with the contractor that complies with the Connecticut Student Data Privacy law; or (2) limit their use to companies that have provided digital assurances that they will comply with Connecticut’s law by signing the Connecticut Student Data Privacy Pledge. A “contractor” means “an operator or consultant that is in possession of or has access to student information, student records, or student-generated content as a result of a contract with a local or regional board of education.” Conn. Gen. Stat. § 10-234aa (1). A “consultant” means “a professional who provides noninstructional services, including, but not limited to, administrative, planning, analysis, statistical, or research services, to a local or regional board of education pursuant to a contract with such local or regional board of education.” Conn. Gen. Stat. § 10-234aa (3).
The information contained in this post is general in nature and offered for informational purposes only. It is not offered and should not be construed as legal advice. Any specific questions about this information should be directed to Attorney Nicholas Grello, Attorney Kyle McClain, or Attorney Sara Saucier.