This is a continuation of our blogs about the intersection of remote education and the law.
Adapting to a remote learning environment as the effects of the COVID-19 pandemic unravel has been a constant learning process. The Internet has seemed like uncharted territory for some districts. “Zoom-bombing,” disruptions of video conferences by hackers and pranksters, have continued to occur during school board meetings and, in some cases, led to police investigations. Now that distance education is no longer as foreign, teachers and administrators have time to prepare for a remote fall semester. For many this will be a necessity. This preparation must address privacy and security concerns as well as rules and regulations surrounding Internet usage. Students may need to access age-appropriate sensitive material when researching hot-button issues, and educators will not want to restrict technology use so broadly as to limit learning opportunities.
Unless school technology managers are hiding otherworldly coding prowess, almost all institutions partner with third-party companies that provide technology services such as videoconferencing tools, academic data analysis and interactive experiential learning activities. With the proliferation of available software providers and hardware distributors, the risk of data breaches, unintended disclosure and inherent liability increases.
These partnerships with both general and education-focused technology companies require careful consideration. Contracts and policies regarding existing partnerships warrant an immediate second look before fall 2020. Educators should be hypersensitive to who retains control of hardware and software, while maintaining a safe online environment for students and their families. Librarians and technology managers, frequently unsung heroes in the education field, are critical to the vetting process.
First, schools must do diligent research on each provider. While Zoom may have been the videoconferencing tool of choice during the 2019-2020 school year, the prevalence of “Zoom-bombing” and the potential for unwanted disclosure of Personally Identifiable Information (PII) has already begun to shift the tide. The summer affords administrative teams the opportunity to consider other widely used and trusted communications services like Microsoft Teams and Webex, and to assess privacy policies that account for COPPA and FERPA regulations. Some states have even provided guidance as to the safest companies. For instance, Connecticut relaxed its Student Data Privacy Act this spring, allowing for technology companies to sign onto its state privacy pledge in order to inform schools whether the company has agreed to follow Connecticut’s statutory requirements in response to unauthorized disclosure of information.
Second, schools should maintain a robust inventory of all contracts. Many technology directors track their laptops, tablets and chargers with strict numbering systems and meticulous spreadsheets within the school building. They now must be even more scrupulous when distributing such technology to students studying from home. Additionally, schools should keep a record of contracts with families, including acceptable use policies and liability waivers, to ensure that the hardware is used and maintained safely. Under COPPA, schools may act as agents for parents when partnering with third-party software providers, but it is worth reconsidering strict family contract language if preparing for a full remote semester or year.
In the distance education context, each school should have a repository of contracts with any third-party provider and review now any multi-year contracts prior to the 2020-2021 academic year. All educational software providers should have policies that specifically comply with FERPA and COPPA, especially those that use technology to track computers if they get lost. Any software using location data should apply encryption to protect the confidentiality of children’s information.
Third, schools will need to address the absence of in-classroom assistants. If there is anything that we have learned about teaching these past few months, it is that holding students’ attention for extended periods of time is an art form. Many K-12 classrooms consist of more than one educator, including instructional assistants and other paraprofessionals. Remote students, by contrast, are often left unmonitored, save for the virtual talking heads on their computer screens. Teachers may not always be able to take attendance reliably or monitor student attention throughout the class.
Most importantly, the physical absence of some assistants could have devastating effects on certain students with disabilities. Per the Department of Education, schools are required to provide educational services for students with disabilities if the general student population is receiving them. Therefore, it is imperative for schools to ensure that they have software to accommodate these students, whether it is an interactive learning tool or videoconferencing platform that allows for breakout rooms. However, accessibility considerations go beyond the Individuals with Disabilities Education Act (IDEA) and Americans with Disabilities Act (ADA).
Fourth, all schools must be cognizant of income disparity. The broadband digital divide is one particular concern. High-speed Internet access is required for most telecommunications programs, let alone other software used while videoconferencing and sharing screens. When roughly one-eighth of the country has no access to a broadband connection, the inequality becomes more apparent in educational institutions. Students should not be required to sit in hotel parking lots and access low-security connections without a password.
Rather than suggesting that students use phone hotspots and cell data, schools should consider partnering with cable companies and other telecommunications providers. For example, the Massachusetts Department of Elementary and Secondary Education has partnered with public media outlets to provide alternatives for students without high-speed access. If such partnerships do not fall within the school budget, consider asking media companies to help. As a last resort, incorporate lesson plans that do not require complex interactive software and differentiating for students with limited access is a start.
Going a step further, schools using videoconferencing technology should discuss requiring school logos as virtual backgrounds or allowing certain students to opt out of providing a video feed. This could prevent discomfort resulting from economic differences which become glaringly apparent when students’ home situations are on display for the entire class.
Fifth, schools should begin adapting their acceptable use policies to create a heightened sense of accountability. Older K-12 students may need access to certain material involving language or violence that some may find offensive for English or social studies courses. If students are using school-provided equipment, schools should consider editing acceptable use policies to include certain latitude directly linked to the education goals.
For instance, if planning to assign projects that may include such sensitive information, an acceptable use policy could require an acknowledgement from students that they have read and understood the limits of such use. For middle school students, it may be more appropriate to seek a statement from parents that they are retaining some level of control over tech usage. While schools may monitor students more easily in person, the era of distance education necessitates a different allocation of risk.
School employees should be signing acceptable use agreements as well. Certain information under FERPA must be accessed only by specific faculty members, such as notes from a school psychologist. All teachers should be aware of who has access to certain sensitive data and software login credentials. Similarly, parents and students should be informed of these levels of information access and how data will be used.
Finally, technology managers and librarians should exhibit accountability through their own practices as well. Something as simple as creating e-mail addresses for students can be laden with latent privacy issues. If creating a network of e-mail addresses, it is obviously advisable that the network itself is internal on the district or school’s private DNS servers. More importantly, if student e-mail addresses are created, they should not contain any PII outside of names, per FERPA. For example, arranging e-mail addresses by student identification numbers (email@example.com) may allow other students and their parents to decipher otherwise anonymous grades or scores, not just for this school year, but throughout their K-12 enrollment.
If unable to establish an internal network, a school or district should create a password-protected forum where students and teachers can communicate, hosted by a trusted provider and monitored closely. Companies that can provide forum software with multi-level authentication procedures are preferable.
Furthermore, technology managers and librarians should continuously and routinely update their hardware and software. Just as students are required to come to school with up-to-date immunization records, all technological equipment must be installed and maintained with the most recent patches before use. All systems should be tested weekly, and it is important to retain a third-party monitoring service that works around the clock to prevent security breaches.
Adjusting to a full remote learning environment has been quite a feat. But the world of education is changing in perhaps permanent ways, and educators must prepare as if it is for the long haul. School leaders must underscore the necessity of adaptation to remote learning as an essential part of evolving society. They must apprise their teachers of the liabilities associated with distance education, teaching them how to use certain products safely and effectively and consistently provide tutorials while modeling these practices themselves.
Lutzker & Lutzker is available to review contracts with third-party vendors, as well as draft more tailored privacy policies and consent forms for educational institutions and programs.