As Demand Grows for COVID-19 Testing in Schools, So Must Our Attention to Student Privacy
The rampant omicron variant and the CDC’s new test-to-stay guidance have significantly increased the demand for COVID-19 testing, as well as for reporting this information to schools. The increase in testing may occur at a point in time (e.g., to return to school in-person after an extended break) or on an ongoing basis (e.g., as students have COVID exposures). While all schools have experience collecting health information related to COVID-19 (95% reported having a system in place for parents to report a child’s COVID diagnosis), the scale at which it is now being demanded is unprecedented. To keep students safe and schools open, it is important to scale testing efforts along with student privacy considerations.
In doing so, four points in the testing data collection, sharing, and reporting process warrant close attention for student privacy concerns:
Securely Collect and Maintain Information from Parents
Schools are increasingly relying on self-reporting of COVID-19 testing results from parents, especially as they expand the distribution of at-home tests. To undertake this increased data collection, some school districts have created web-based portals for parents to report test results. Parent-facing portals should be user-friendly, reliable (unfortunately, DC demonstrated what happens when they aren’t), and secure. If a portal relies on third parties (e.g., off-the-shelf survey software, web forms, or external hosting), the school district should ensure that it complies with federal and state laws and that the appropriate data sharing agreements are in place, as the portal will certainly process students’ personally identifiable information.
School districts will also need to offer a means of collecting this information from parents that does not rely on internet access, given the well-documented digital divide (more guidance from us on that here). In doing so, they should think through operational security (e.g., protecting systems against attacks that don’t rely on software or hardware vulnerabilities). For example, if they are collecting this information in spreadsheets, making photocopies, etc., schools should be mindful of “shoulder surfing” and of leaving documents that might indicate a student’s testing status unattended.
Minimize Testing Data, Access, and Retention
To limit privacy and security risks, schools should also minimize the data they are collecting, who has access to it, and how long it is retained. For example, guidance from the CDC describes the types of information that schools could use in responding to COVID-19, namely whether a student has tested positive, the testing date, when they started experiencing symptoms, and whether they are vaccinated, as the response guidance varies based on vaccination status. School districts can even incorporate this information into their web-based portal. However, given the sensitivity of this information, schools should limit access to only those who need it and delete it once it is no longer needed.
Minimize Sharing Testing Data with Third Parties
CDC guidance reinforces the need to report some of this information to health agencies, which school districts can likely do without parental consent through the health and safety exception in the Family Educational Rights and Privacy Act (FERPA), if the district determines that “COVID-19 poses a serious risk to the health or safety of an individual student” (although this disclosure must be recorded in the student’s education record). However, some health agencies can meet their needs through aggregate data, which should be reported instead whenever possible to minimize privacy and security concerns. In addition to reporting testing data to health agencies, some schools are also conducting contact tracing, which is permissible as long as the information that is shared is de-identified (although some states like Vermont are moving away from contact tracing and increasing their reliance on at-home testing and parents reporting that information).
Ensure Publicly Reported Data are De-identified
Finally, in addition to publicly reporting overall cases and positivity rates, schools are increasingly including the number of tests taken on their public-facing dashboards (like here and here). As with the other data elements included on these dashboards, it is important to apply disclosure avoidance to testing numbers, including suppressing small n sizes and considering top and bottom coding for extreme percentages (e.g., not reporting 0% or 100%, which can identify individuals even though the information being reported is aggregated). This can also be addressed by prioritizing the reporting of information for schools with the highest number of COVID-19 cases (and therefore the largest numbers and lowest privacy risk), as seen here.
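The sketch below is an added example, not code from this article or from any school district, showing how small-cell suppression and top/bottom coding can be applied before counts reach a dashboard. The thresholds (a minimum cell size of 10 and 5%/95% coding bounds), the field names, and the sample schools are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed policy values for illustration; the article sets no thresholds.
MIN_CELL = 10                 # counts below this are suppressed
LOW_PCT, HIGH_PCT = 5, 95     # bottom/top coding bounds (symmetric)
SUPPRESSED = "*"

@dataclass
class SchoolCounts:
    school: str
    tests: int
    positives: int

def coded_rate(positives: int, tests: int, exact_ok: bool) -> str:
    """Bottom/top code extreme rates; show an exact rate only if allowed."""
    low = positives * 100 <= LOW_PCT * tests
    high = positives * 100 >= HIGH_PCT * tests
    if low or high:
        # With few tests the band holds a single count (0% or 100%),
        # so the coded label itself would disclose it.
        if tests * LOW_PCT // 100 < 1:
            return SUPPRESSED
        return f"<={LOW_PCT}%" if low else f">={HIGH_PCT}%"
    return f"{round(100 * positives / tests)}%" if exact_ok else SUPPRESSED

def dashboard_row(rec: SchoolCounts) -> dict:
    """Return the values that are safe to publish for one school."""
    if rec.tests < MIN_CELL:
        # Too few students tested: publish nothing for this school.
        return {"school": rec.school, "tests": SUPPRESSED,
                "positives": SUPPRESSED, "rate": SUPPRESSED}
    negatives = rec.tests - rec.positives
    small = rec.positives < MIN_CELL or negatives < MIN_CELL
    return {
        "school": rec.school,
        "tests": rec.tests,
        "positives": SUPPRESSED if small else rec.positives,
        # An exact rate beside the test count would reveal a suppressed count.
        "rate": coded_rate(rec.positives, rec.tests, exact_ok=not small),
    }

# Constructed sample data; not real schools or results.
SAMPLE = [
    SchoolCounts("School A", 400, 40),
    SchoolCounts("School B", 8, 1),
    SchoolCounts("School C", 12, 0),
    SchoolCounts("School D", 250, 4),
    SchoolCounts("School E", 30, 6),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(dashboard_row(rec))
```

Row-level rules like these do not cover district totals: publishing a total next to all but one school's counts lets a reader recover the suppressed value by subtraction, so totals need their own check.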
As our school systems continue to grapple with the impact of COVID-19, it is important to be nimble and flexible in our responses and strategies but unwavering in our commitment to keeping students safe, including their right to privacy.