Protecting students’ online privacy: Special considerations during distance learning

With school closures due to the COVID-19 pandemic having led to the widescale implementation of distance learning, local educational agencies must be vigilant in protecting the privacy of student data that may be gathered electronically. While districts and county offices of education have always had a duty to protect students’ privacy, the sheer number of students going online to communicate with teachers and participate in digital learning increases the potential for abuse. Risks include the misuse or monetization of students’ personal information collected through websites and applications, as well as the inadvertent violation of laws pertaining to the confidentiality of student records. In extreme circumstances, a breach of the data could lead to identity theft or jeopardize a student’s safety.

Some technology resources, including educational websites or applications, may require students to enter personal information such as their name, user name, address, phone number or email to access the instruction. A number of federal and state laws protect this type of personal information from collection by third-party vendors. The federal Children’s Online Privacy Act (16 CFR 312.1-312.12) requires online businesses that sell products or services for children to obtain parental consent before collecting personal information about children under age 13. The Student Online Personal Information Protection Act (Business and Professions Code 22584-22585) prohibits companies that provide online services to students from selling student data or using the data to advertise to students, and requires companies to delete student data upon request by a school or district. The California Consumer Privacy Act (Civil Code 1798.100-1798.199) requires a business to disclose the personal information it collects and the types of third parties to which the information is shared or sold, and prohibits a business from selling the personal information of a child under age 16 without consent.

While these laws are aimed at businesses and online services, LEAs also have an obligation to safeguard against the misuse of students’ personal information. LEAs may:

  • Establish procedures for the selection of technology resources that include an evaluation of privacy and security considerations
  • Review the terms and conditions of websites and applications to determine whether student information is collected for marketing and advertising purposes, and avoid using such sites to the extent possible
  • Inform students and parents/guardians if a website or application that collects personal information for marketing purposes is used for instructional purposes, and advise them of their right to opt out of the dissemination of personal data by that site
  • Provide information to students and parents/guardians on how to configure the privacy settings on their devices
  • When using a video conferencing tool such as Zoom, have students use one account, such as their school email, just for that site. The nonprofit organization Common Sense advises that such a practice is the safest way to protect students’ data from being tracked and collected, because educational accounts are part of school subscriptions that come with stronger privacy protections.

Although the federal Family Educational Rights and Privacy Act authorizes LEAs to disclose “directory information” (i.e., information contained in a student’s records that would not generally be considered harmful or an invasion of privacy if disclosed), districts and COEs should be cautious in applying the “directory information” exception to provide student information to online services. What qualifies as directory information is specified in law and can only be disclosed if the LEA has adopted a policy or administrative regulation identifying the information as directory information. Examples include the student’s name, address, telephone number, email address and date of birth. Furthermore, parents/guardians must be notified at the beginning of each school year of the categories of directory information that the LEA plans to release, the recipients of the information, and the right of parents/guardians to refuse the release of such information. If parents/guardians have exercised this right, it may not be feasible for districts to use applications and online programs that require personally identifiable information from student records to create student accounts or profiles. In addition, Education Code 49073 specifically prohibits releasing information to a private profit-making entity.

For other types of student records (e.g., grades, transcripts, schedules, papers, tests, disciplinary records), FERPA generally prohibits disclosure unless specifically authorized by law for persons or agencies with a legitimate educational interest or other legally authorized purpose, or the parent/guardian or adult student has provided written consent. When sharing records electronically, schools should be careful to avoid inadvertently violating confidentiality laws pertaining to such records.

Caution should also be exercised in using video lessons and virtual classrooms where students are visible. Teachers should be informed of potential problems that may occur if they record or take photos of students and share them online. A safer alternative is to only record the lecture or lesson, not the parts that involve students. Staff should be reminded of LEA policy regarding the publication of student photographs, names or other personally identifiable information on district or school websites. See CSBA’s sample Board Policy 1113 – District and School Web Sites.

For further information about the confidentiality of student records, see BP/AR 1340 – Access to District Records, BP/AR 5125 – Student Records and BP/AR 5125.1 – Release of Directory Information.