COVID-19 and Privacy

As Schools Plan Re-Openings, Privacy Is a Consideration

By Samantha Cleaver

Schools across the country started closing because of COVID-19 in mid-March.

But earlier this month, Montana Democratic Gov. Steve Bullock gave schools the option of re-opening for the rest of the school year. He was the first U.S. governor to do so.

Gov. Bullock’s directives on May 7 included implementing in-person and remote learning, acknowledging the schools’ role in “the health of students, families, and communities.”

At schools that opened up again, among the precautions taken were staff wearing face masks, spacing students 6 feet apart and checking student temperatures at the door.

Most districts across the country now remain closed, setting their re-opening sights on the 2020-2021 school year this fall.

On Tuesday, the Centers for Disease Control and Prevention (CDC) outlined detailed guidance for schools to keep in mind as they begin again. These included options for virtual learning and daily health checks for students and staff, keeping in accordance with applicable privacy laws. 

The privacy considerations of re-opening are just starting to be discussed, however. A May report by the American Enterprise Institute (AEI) in Washington outlines two primary considerations: public health and online learning. 

“Everyone understands why schools have been playing catch-up — but now, we’re two months into it.”

Rick Hess, American Enterprise Institute.

Public Health and Privacy 

As schools resume, they may collect information about student health — temperatures, even tracking and tracing, Rick Hess, an AEI resident scholar, told Digital Privacy News.

The CDC echoed that in their guidelines — saying that, among other hygiene measures, schools should consider daily health checks of students and staff.

That type and scope of data collection only will serve public health if it can be shared beyond the school building. As such, what is permissible when sharing student health data? 

Michael Sweeney, chief data officer with the Montana Office of Public Instruction, said this decision-making and data-sharing would be at the local level.

In Montana, “each school will work in conjunction with their health department and community,” Sweeney told Digital Privacy News.

FERPA and Student Health Data

In K-12 education, health records are education records, according to LeRoy Rooker, senior fellow with the American Association of Collegiate Registrars and Admissions Officers (AACRAO).

That means they fall under the Family Educational Rights and Privacy Act (FERPA), not the Health Insurance Portability and Accountability Act (HIPAA). 

Current FERPA regulations require schools to obtain additional consent to release student health information, unless it is under a health-emergency exemption.

Under this exemption, if the health and safety of the student or others is at risk, then you can share health information without signed consent.

Traditionally, this has been used if a student has tested positive for a disease and other students in the class need to be notified, Rooker said.

How each disclosure is handled would depend on whether the school sees it as an emergency.

The only exception, said Rooker, would be if state laws provide other safeguards or limitations. In those cases, school officials must abide by state laws as well as FERPA.

“You can have a state law that affords more protection than FERPA,” he said.

Online Learning and Privacy 

Starting in the fall, schools will open with any variety of schedules, from alternating days to full remote learning.

Either way, districts will see an increase in remote learning, necessitating a focus on ensuring the same level of student privacy at school and at home.    

Currently, “schools are working with technology that’s not meant to be used for instruction,” AEI’s Hess told Digital Privacy News.

This technology is amassing data that’s not normally permitted, such as vendors that capture tracking information.

The reactive nature of this year’s closings because of COVID means that schools are working to do the best with what they can use right now, Hess said.

But heading into next year, he added, districts will need to get ahead of privacy concerns.

“Each school will work in conjunction with their health department and community.”

Michael Sweeney, Montana Office of Public Instruction.

Creating Safe Online Learning 

Regarding online learning, FERPA and the Children’s Online Privacy Protection Rule (COPPA) define what is and is not permissible.

Schools must work with vendors to strengthen services and ensure that laws are being followed, AACRAO’s Rooker told Digital Privacy News.

FERPA, he explained, is clear on protecting student privacy regarding online vendors — including the ability to protect student records, which often involves having a contract that specifies that the records belong to the school.

“FERPA is technology neutral,” Rooker said, “but schools have to protect student privacy and make sure the data is not used for other purposes.”

Determining Needs

One organization that helps schools align privacy with operability is the Student Data Privacy Consortium (SDPC). The group, based in New Albany, Ohio, consists of more than 3,000 members, including 28 states, vendors and schools.

Its focus is helping schools determine how to establish the privacy levels they know they need, said Larry Fruth, executive director and CEO of the Access 4 Learning Community, of which SDPC is an affiliate.

Fruth suggested that districts start with a database of signed vendor agreements that could give schools leverage when negotiating privacy contracts.

But since instruction begins in the fall, institutions “need to have the privacy processes in place that they’d use if everyone was in the school building,” he said.

Privacy vs. Public Good  

Right now, schools are figuring out what to do to open again safely. AEI’s Hess called on schools to determine how to get ahead of these issues.

The privacy expectations very likely will be different when students return in the fall, unlike when they were sent home in March.

“Everyone understands why schools have been playing catch-up,” Hess said, “but now, we’re two months into it.”

Sweeney, the Montana chief data officer, predicted that COVID-19 would force a reevaluation of privacy laws as conflicts between daily practice and protecting privacy continued to emerge. 

“There’s going to be a tension,” he told Digital Privacy News, “between public good and individual right to privacy.”

Samantha Cleaver is an education writer based in Charlotte, N.C.

Sources (external links):