Tips for Schools: Balancing Privacy and Educational Continuity in the Coronavirus Era
We know that many school districts and schools are using education technology tools to provide crucial remote learning opportunities and to stay connected with students. These tools will prove even more essential as we move from Act of God Days to Remote Learning Days. Some options may not strictly comply with relevant state and federal laws, which we discussed in a previous alert. The US Department of Education recently provided guidance that schools should steer clear of any application that the US Department of Health and Human Services has not deemed HIPAA compliant; the current list includes Tik Tok, Facebook Live, Twitch, and chat rooms like Slack. Accordingly, we suggest schools avoid using those tools with students. The status of other platforms may be less clear, however, and Districts will have to weigh the legal and privacy risks associated with tools against the need to provide continuity of education. As always, we are available to assist in your review of tools before you roll them out to families. In the meantime, we recommend that you keep the following data privacy rules of thumb in mind when conducting such reviews.
- It is legally permissible to use video conferencing and virtual learning software applications and platforms to engage with students. To fully comply with data privacy laws, schools must verify that the vendors with which they share student data (either directly or when a student generates data by using a service required for school) only use the data to provide students and teachers the platform or tool. Schools that use vendors that share student data with third parties or use it to target marketing to students may inadvertently run afoul of state and federal privacy and data sharing laws.
- The best option is to use tools that are provided by a vendor with which the district or school already has a contract or with which the district or school can enter into a data sharing agreement now. In those cases, as always, we recommend that schools use our student data privacy addendum to facilitate compliance with state and federal law.
- We understand, however, that given the immediate need for these tools it may not always be possible for schools to use existing vendors or to negotiate a new agreement with a vendor. In those cases, a school should review the vendor’s online terms and conditions, privacy policies, and other online agreements to verify the vendor provides adequately robust protections for student privacy and does not misuse or allow misuse of student data.
- Schools that vet tools and deem them compliant with data privacy laws are not required to obtain written parental consent for general videoconferencing with students. It remains best practice to notify parents of the school’s commitment to student data privacy, the tools being used, and any privacy limitations for those tools of which school is aware. Note that requiring parents to waive privacy rights or provide passive consent to use technologies that do not meet basic privacy requirements may raise legal concerns and is not a best practice when it comes to data sharing.
- We do recommend obtaining written parental consent before providing one-to-one services to students through virtual tools, as such services may implicate legal and privacy concerns beyond student data privacy laws.
- Remember that even programs that have solid privacy protections can be breached, particularly if care is not taken to use all available protections. Stories of “Zoom-bombing,” where hackers hijack a presenter’s screen during classroom instruction, are becoming commonplace. Take steps such as setting up meetings with a private link generated specifically for the meeting, requiring use of a password for entry, and, if possible based on the nature of the meeting, limiting screen sharing to the host only.
We know that these issues are ever evolving, and that the priority is—as it should be—providing continuity of education to students. We are available to assist you in reviewing any options you are currently using or would like to use to minimize the potential impact on student privacy while maximizing student access and continuity of services for students during this unprecedented challenge.