Two months into the physical distancing measures put in place to slow the spread of COVID-19, and most students and educators have found ways to adjust to remote learning. Though the quick transition from in-person to remote learning presented many challenges to start, a new normal has begun to emerge.

How long schools will remain closed is, in many cases, still unknown, however it’s clear that remote learning will still have to continue in some form perhaps until the end of the year. As institutions prepare for this future, issues surrounding the protection of data privacy have become pressing.

What are the responsibilities of institutions with regards to data privacy, and how can educators continue teaching in a remote environment while protecting the rights of students?

Understanding the law: FERPA and COPPA

Data privacy in the educational setting isn’t simply a nice-to-have, it’s legally required. Two laws, FERPA and COPPA, govern data security with regards to education records and children’s privacy online.

The Family Education Rights and Privacy Act, commonly referred to as FERPA, is a federal law that regulates access to educational records and aims to protect student privacy with regards to educational information. FERPA enables parents to request and receive access to their child’s educational records (report cards, disciplinary records, etc.) The law also prohibits educational institutions from sharing such records without written parental consent. Once the student reaches the age of 18, these same rights transfer from the parent to the student.

The Children’s Online Privacy Protection Act, known as COPPA, is a federal law that limits the collection, access, and use of information about children under the age of 13 on the internet. The law applies to websites directed towards use by children and mandates: disclosure of the site’s privacy policy, procurement of written parental consent for collection or distribution of personal information of children under 13, and the ability for a parent to review and request deletion of child’s information. The law prohibits operators from keeping childrens’ records for longer than necessary and from collecting more information than that which is deemed essential.

As institutions broaden the scope of technology they employ in order to facilitate remote learning, the burden is on them to ensure providers comply with the above laws when and where they apply.

Why free software is never truly free

In the shuffle from face-to-face to remote learning, many students and educators have had to scramble to find solutions to meet new challenges. Free software is often a quick and alluring option, but it’s important for everyone at the institution to be aware that when it comes to online tools, there really is no such thing as a free lunch.

In reality, users may safely assume that when there is no monetary cost associated with using a platform or product, the payment is actually the exchange of their personal data. As such, a lot of free software will not comply with the above regulations (FERPA and COPPA) and can thus expose students and institutions to risk.

Steps institutions can take to protect data privacy

As students and educators are spending greater amounts of time online, institutions should be more vigilant than ever before in guarding data privacy.

If your institution’s data privacy protections are not up to snuff, a few ways to begin making improvements include:

First, make sure both IT departments and decision-makers have a solid grasp on what the needs of the institution are. It’s helpful to survey students and faculty to understand these needs, as some may not be obvious to those who aren’t involved in the day-to-day management of coursework and teaching.

Next, software recommendations should come from the top and be consistent across the institution. Allowing departments to go rogue is a slippery slope towards piecemeal implementation that can eventually inspire users to come up with their own “workarounds”. For every need, the IT department should have a vetted solution on hand.

Finally, the importance of properly training staff and educators cannot be overstated. Users need to be aware of all the solutions that they can use and understand the risks of relying on tools that haven’t been properly vetted and implemented by IT. Make sure the risks of non-compliance both to the user and to the institution are clearly communicated.

Transitioning to online learning from traditional in-person settings hasn’t been easy on anyone, but these additional challenges shouldn’t be an excuse for lax data privacy protections. Institutions should focus on researching and vetting secure solutions to meet the needs of students and educators in this new landscape.