Protecting Student Data Privacy in a Remote Learning Environment
Schools are increasing the use of technology for recordkeeping and learning applications (edtech). Some teachers may be implementing education technology with little, if any, administrator oversight.
The FBI has warned that this recent uptick in edtech use is a growing threat to student privacy.
As the student data universe expands, it’s important to consider what data you generate, where it’s stored, and who controls it. Since most K-12 students are minors, it’s also important to understand the privacy implications beyond FERPA and inform parents about student data being accumulated. Here are some steps to take.
Understand the Data
Administrators should conduct an inventory and survey teachers to learn where your school collects and stores student data. Consider everything from enrollment information to health forms to classroom edtech data.
Develop a Policy
Once you know what data is generated and where it is located, develop or update your student data policy to address:
- Who will approve classroom applications that create, collect, or store student data
- Appropriate uses for student data
- Who decides what student information will be collected and where it will be stored
- How to secure the collected information
Consult with your school’s attorney to understand Children’s Online Privacy Protection Act (COPPA) and your state’s student data laws. Even independent schools may have student data protection obligations under state law.
Finally, determine how often to review your policy. Designate someone to track student data and update the policy periodically.
Understand Outside Vendor Contracts
Most schools contracts with vendors that create or store student data, such as a records management system or remote learning applications. Many vendor contracts require user agreements that are difficult to negotiate, but you should understand what happens to the student data they generate.
When contracting with vendors, consider:
- Who will own and possess your student data? The vendor may want ownership of the data generated by its technology. Ask whether the school can access the data at any time. Find out how any subcontractors handle the stored data.
- Where and how will the data be stored? Understand whether storage is subcontracted, the nature of that agreement, and who’s responsible for storage security. Data may be stored in foreign countries; keep in mind that some countries have less stringent privacy laws than the United States.
- How can the vendor use the student data? Understand what rights the vendor reserves for itself and whether it intends to sell the student data (either in the aggregate or for individual students). Know whether other companies will mine this student data and limit marketing as much as possible.
- Is the data de-identified? Find out how much of the data can be linked directly to an individual student, especially regarding educational performance.
- How else might the data be used? Consider the impact of storing data for a long time or later use. Also, understand whether the vendor can alter the terms of the user agreement or contract without your school’s permission.
- How do you know the data will be secure? The vendor should provide information on its privacy and storage policies as well as the results of a third-party security audit. You also should understand what will happen, and whether you will be notified, if there is a data breach. Determine whether the data is encrypted, and when (in transit, in storage, as backed up). While you are unlikely to secure indemnification from a vendor, explore whether that is negotiable.
- Will parents be able to view or access the data? This is especially important if the students are minors. Many parents will want access and assurance that they control what is known or shared about their children.
- Who will control data destruction? What will happen to the data if a student leaves your school or you stop using the vendor? Know whether the data will be destroyed or returned to you.
In an era of remote learning and ever-changing technology comes the expansion of data accumulation and storage. Careful management of student data can allow for school oversight and protection of student privacy.
About the Author
Heather Salko, Esq.
Manager of Risk Research
Heather oversees the development of risk research publications. Her areas of expertise include employment law, Title IX, and student mental health. Before joining the Risk Research team, she practiced employment and insurance coverage law and handled UE liability claims for more than a decade.