School’s Out for Summer! (School’s Out Forever?): Distance Learning Policies and The New Normal

By Rachel LaBruyere

Over the past few weeks, parents all over the country let out a collective sigh of relief when the school year ended. They could relinquish their new duties as at-home [insert subject here] teacher. Meanwhile, college and graduate students sat for final exams remotely, shifted to pass/fail grading rubrics, and mourned lost graduations and rites of passage.

Educational institutions from elementary schools to law schools are now considering whether to go fully or partially online in the fall of 2020 and beyond. While privacy has long been a conversation in the education sector, data privacy and cybersecurity issues should be front and center for not only decision-makers but also educators, faculty, and administrators as they make these decisions. Data privacy and cybersecurity issues will not be new to those in the education sector, but what may be novel are all the different parties who may now have access to personal information. These include technology vendors who are not familiar with the student data regulatory landscape, as well as new sources of data as more online tools are leveraged in the distance learning environment. The shifting privacy and cybersecurity landscape makes this a daunting task even for the most tech-savvy institutions. So, where should one start? As discussed in detail below, educators and administrators should ground themselves in applicable requirements under federal and state privacy laws, conduct due diligence on all education technology vendors, and implement or update distance learning policies.

Elementary and secondary schools and school districts should screen any and all technology vendors that might be used to connect with students prior to engaging them or audit their current vendors. First and foremost, vendors should be compliant with the Children’s Online Privacy Protection Act (COPPA). COPPA applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. COPPA requires these sites to obtain parental consent before collecting information from children under 13 years old.

While COPPA does not apply directly to schools, recent FTC guidance issued in April 2020 makes clear that schools should consult with attorneys and information security professionals to review the privacy and security policies of technology vendors they plan to use. Schools and school districts must be careful to contract only with vendors who have done a full COPPA review and are complying with COPPA requirements. COPPA requires, among other things, a regulated company to post a clear and comprehensive privacy policy that describes what data the vendor collects and how the vendor handles data, notifies parents before the company collects information from their children, and obtains parents’ verifiable consent before collection.

A high priority for all schools—including colleges and universities—should be training their educators on best practices to protect the security of and privacy of personal information when using online tools, such as enabling all security measures provided by a vendor (like multi-factor authentication); not sharing any account information (such as passwords or PINs) with anyone; using strong passwords (and different passwords) for their accounts; requiring all educators to take periodic cybersecurity training which covers how to identify a potential cyberattack and how to report it; and requesting permission from students’ parents (if the student is under 18 or the age of majority) or the students before recording a live class session where students are participating.

All schools should also ensure that educators know what the Family Educational Rights and Privacy Act (FERPA) is and that educators are prepared to comply with FERPA when using online teaching tools. For example, educators must not disclose student record information to any third party (including a vendor!) unless the student or the student’s parent has given consent for that disclosure.

At the state level, North Carolina enacted its own student privacy act in 2016, N.C. Gen. Stat. §§ 115C-401.2 et seq. The act prohibits websites and online service providers to K-12 schools from engaging in targeted advertising that uses any collected personal student information. The act also prohibits any sale or disclosure of covered information (except for enumerated exceptions) and requires the service provider implement security procedures and delete covered information upon request by a school or a local board of education. Like COPPA, this law applies to private enterprises, not directly to schools themselves. However, savvy school districts should select technology vendors who are familiar with this state law and have a proven track record of compliance.

If this sounds like a lot of ground to cover, it is. But there is a way to do this comprehensively that preserves educators’ time and efforts for the virtual classroom while safeguarding privacy practices. Schools and universities may want to consider drafting a universal “Distance Learning Policy” that incorporates not only these legal considerations but also best practices that both educators and students (and their parents) are expected to adhere to in order to ensure privacy and security throughout the school term.

By carefully crafting distance learning policies that center on the privacy and security of student and school data, schools can equip educators with the tools they need to safeguard data, so educators can focus on developing engaging and innovative curriculum to keep students learning, even from a distance.