Oct 19 2020

How to Protect Student Data When Using Online and Emerging Tech

The expansion of virtual instruction requires not only devices and strong networks but also knowledge about how to safeguard sensitive information.

Schools need technology — a lot of it — to operate both remotely and in person. But there’s another need that K–12 administrators should also prioritize, experts say: data privacy.

“With the sheer volume and quantity of online services, districts should look at all the details,” says Ed Snow, assistant director for the instructional technology services team at the Wisconsin Department of Public Instruction. “Most of these technology systems are in the cloud, and there is data being transferred back and forth, so that piece of the puzzle has to be fortified and secured.”

The privacy concerns of remote learning, such as images captured on camera during videoconferencing, are just one facet. Administrators at many schools also are doing temperature checks, raising questions about medical data and HIPAA compliance. Some are using surveillance technologies in support of contact tracing, opening up another avenue for privacy violations. Those newer efforts involve collecting sensitive information on students and employees — data schools are required to safeguard.

“Administrators and IT leaders at the school and district levels must protect student privacy, both because it’s the right thing to do and because it’s the law,” says Mindy Frisbee, senior director of learning partnerships at the International Society for Technology in Education (ISTE). “That means that only the right people have access to the right data at the right time, and there are legal and secure ways that we can do that.”

Be Mindful of the High Stakes of Protecting Student Data

For IT teams, putting those principles into practice to protect student privacy during the pandemic requires some finesse and knowledge of the scope of relevant laws.

Does a temperature check at the front door fall under HIPAA compliance guidelines? Most experts say no. But the rules around FERPA, the Family Educational Rights and Privacy Act, are less clear-cut.

“FERPA is concerned with how data is stored — what is stored and where it is stored. Part of that is security, making sure it is secured, and part of that is privacy, knowing who has access to it and when,” Frisbee says. The regulations don’t spell out rules for safeguarding data, however, “so it falls to the district to have the expertise, to have the right people and the right policies involved.”

The stakes are high to get it right, especially when it comes to surveillance used for contact tracing.

“We are dealing with unprecedented levels of invasive surveillance equipment — proximity detection, location tracking, biometric tracking,” says Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project.

“Tech implemented in the name of COVID-19 could be used to track students and potentially penalize them for everything from truancy to substance use and countless other offenses,” Cahn says. “We’ve seen really disturbing cases where students have police show up at their door because of conduct they engage in in their own bedroom: Having a toy gun in their own bedroom is suddenly a law enforcement matter.”

For in-home learning, “countless people with access to these children’s cameras could easily misuse that access,” he says. Parents could sit in on a class, compromising other students’ privacy. Kids might record classroom sessions and post them to YouTube. It’s a privacy minefield.

Educators Tackle the Challenge of Navigating Data Privacy

What’s the first step IT staff need to take to clear those obstacles? Call in the lawyers. FERPA is a subtle and complex regulation, and officials must understand the rules before they start applying fixes.

That said, there are practical steps IT can take today to tighten privacy controls. IT staff should thoroughly vet any third-party tech products deployed in support of online learning or student surveillance. “Depending on the product, you can set these up in an open way or in a very narrow way. You need to know what controls the vendor offers,” says Amelia Vance, the Future of Privacy Forum’s director of youth and education privacy.

When in doubt, it’s best to go with vendors that understand schools’ needs — tools such as Google Workspace (formerly G Suite) and Zoom for Education.

“With the education-specific products, you can enable special privacy protections. Those are the vendors you want to work with — the ones who understand the privacy implications,” Vance says.

It’s also important to ensure that third-party contracts spell out the privacy practices and then enforce those practices.

“There is the promise of the software, what they say they can do. Then there’s the contractual piece, what they say they will do. Then there is a third step — what they actually do. You need a constant audit and review process to ensure they are doing what they say they will do,” Frisbee says.

Technology can help IT staff sort through the promises and realities of software.

“We have seen products like CatchOn or LearnPlatform that allow IT managers to wrap their arms around what is actually being used,” Vance says. “That empowers them to get contractual agreements that ensure student privacy on the products the teachers are actually using.”

Solid contracts should apply to free software as well. “If it’s free, the contract should be even tighter, because you don’t know how they are making their money,” says Annette Smith, director of instructional media and technology at the Wisconsin Department of Public Instruction and a SEDTA member.

As a matter of policy, classroom management tools should not be managed by artificial intelligence. “We strongly advise against automated proctoring or automated identity systems, software that penalizes students for how often they blink or how often they raise their hands,” Cahn says.

Rather than trust AI to take attendance or oversee the students, districts should train IT leaders and teachers to meet the privacy challenge. “We are in a new world, and people need that support to understand what your policies and procedures mean to them in the real world,” Wisconsin DPI’s Snow says.

There are other basic steps IT staff can take for better data privacy, such as prioritizing secure devices and internet connections. “You need to make sure every student has a high-quality laptop and a high-quality internet connection for remote learning, because older equipment is much more vulnerable to attacks and exploits that could compromise student privacy,” Cahn says.

IT can also safeguard privacy by focusing on cybersecurity, Smith says.

“We can’t separate cybersecurity from privacy because they are too interconnected.”