Security

4 Key Questions To Help You Protect Remote Learning Data Privacy

In the quest to provide engaging online learning, universities must be mindful of privacy laws.

Leroy Rooker is the nation’s leading expert on FERPA and senior fellow at the American Association of Collegiate Registrars and Admissions Officers.

If you’ve ever gotten a parking ticket or had your car towed, you know that there are countless ways to unintentionally break the law. Likewise, the increased use of virtual learning has introduced countless ways for educators to unwittingly violate the Family Educational Rights and Privacy Act.

More commonly referred to as FERPA, the law was enacted in 1974 to protect the rights and privacy of students, whether in grade school or college. A lot has changed, however, over the past 46 years. Between the internet’s rapid evolution and a pandemic that’s forced the bulk of instruction online, there are countless new ways that universities, faculty and staff can violate FERPA. To avoid infringing on students’ privacy rights requires a mindful, intentional approach that takes into account numerous potential questions and risks.

MORE ON EDTECH: Learn how to protect data privacy in a remote learning landscape.

1. Is It Actually an Education Record?

While FERPA itself is technology neutral, it is important to note that whatever method or technology is used in an educational setting, it can’t result in an unauthorized disclosure of a student’s education records. But what, exactly, qualifies as a student education record?

The answer to that question largely depends on two factors: capture and maintenance. For instance, imagine a professor decides to record a live lecture to repurpose for future asynchronous courses. Over the course of that lecture, various students chime in to ask questions or participate, resulting in their faces, names or other identifying information being recorded. Class ends, the camera is turned off and students leave, but the recording lives on forever, with student identities and a record of their participation available for posterity at the touch of a button — at least until someone presses “delete.”

Of course, it’s not just recorded lectures. From temperature scanning to occupancy tracking and contact tracing, universities are considering a wide range of technologies in their efforts to track the coronavirus and prevent transmission. While these technologies will likely play a critical role in protecting student health, universities and their IT teams must remember to consider and apply FERPA guidelines when implementing them. That means being mindful and recognizing that a student education record is being created.

2. How Will That Record Be Used?

In years past, classroom interactions between a professor and student primarily happened in real time. Class would end, and that fleeting interaction between instructor and student disappeared into memory. But now, with recorded lectures and online learning, not only is that moment often documented, it has the potential to be saved and shared with dozens, hundreds or even thousands of future viewers.

Or take, for instance, contact tracing. The very nature of it requires the creation and maintenance of records. Temperatures, diagnoses, absences and location monitoring — all of these immediately become protected information once they’re linked to a specific student, recorded and filed away.

While FERPA does allow for certain disclosures to be made in cases of health or safety emergencies (contact tracing among them), it also requires that a notice of the disclosure be kept in the student’s education record. Similarly, if an instructor records a lecture and realizes it includes imagery, audio or other information that could identify a student, the instructor must generally ask that student’s permission before sharing it outside of that specific classroom setting.

DOWNLOAD THE WHITEPAPER: Overcome your compliance challenges.

3. What About Your Vendors?

FERPA compliance doesn’t only require that your institution and its faculty obey regulations; it also requires that your technology vendors do. The quick pivot to online, remote and hybrid learning has necessitated that many colleges implement new technologies and services, many of which could potentially expose protected student data.

For example, many universities are using proctoring services to ensure students do not cheat when taking exams online. What are those providers doing with the records they’re creating when monitoring tests? What about their videoconferencing, collaboration and learning management systems? Are these platforms creating student records? If so, how will the information be protected from unauthorized disclosures, and how will students be provided access to them?

This is a particularly critical undertaking for universities trying to balance FERPA compliance with virtual instruction — and a particularly complicated one as well.

Throughout my career, I’ve yet to encounter vendors who didn’t say their products were FERPA compliant. Some of them actually are — but not all. Many, if not most, have not had an independent party review their product. When selecting vendors, it’s crucial that they be properly vetted to determine whether they truly understand and comply with FERPA regulations. Otherwise, you might find your institution facing the consequences of violating student privacy without ever having realized what you were doing.

MORE ON EDTECH: Learn the difference between security, privacy and confidentiality.

4. When In Doubt About FERPA, Ask

In general, the average professor is fairly aware of FERPA — but without necessarily being an expert in all of its nuances, of which there are many. Fortunately, there are offices at your institution that are specifically tasked with understanding FERPA and with helping faculty and staff (IT included) to remain compliant.

Whether through the registrar’s office or your university’s general counsel, stay aware of who at your institution is the go-to resource when it comes to ensuring FERPA adherence in any vendor contracting. Then, when the time comes and you find yourself facing a risk or uncertainty, don’t hesitate: Ask them.

MORE ON EDTECH: Learn how higher ed CPOs and CISOs can boost student privacy.

MicroStockHub/Getty Images