Protecting Student Privacy in the Race to Close the Homework Gap
As government leaders, policymakers, and technology companies continue to navigate the global coronavirus pandemic, CDT is actively monitoring the latest responses and working to ensure they are grounded in civil rights and liberties. Our policy teams aim to help leaders craft solutions that balance the unique needs of the moment, while still respecting and upholding individual human rights. Find more of our work at cdt.org/coronavirus.
In the 1930s, at the height of the Great Depression, Congress passed the Rural Electrification Act as part of New Deal reforms aimed at bringing electricity to farms and rural areas throughout the country. At the time, as few as 10 percent of people living in rural areas had electricity, compared to around 90 percent of their urban counterparts. Over the next decade, the number of electrified farms increased to 90 percent, and today nearly all Americans have access to electricity. Today, there is a need to craft a New Deal for the digital age—one that can use data to effectively address inequities in broadband access. However, it’s crucial that in doing so we do not inadvertently violate students’ privacy.
The Problem
Minority and rural communities, in particular, lack broadband access compared to other areas, a disparity known as the digital divide. According to the Federal Communications Commission, only 65 percent of rural Americans have access to broadband at home, with similar rates among Black and Hispanic Americans. During the novel coronavirus pandemic, the digital divide has had an outsized impact on students, in what FCC Commissioner Jessica Rosenworcel has called the “homework gap.” One survey in 2018 showed that nearly a fifth of teens could not finish their homework due to a lack of broadband access, and now, with learning taking place entirely online, around 30 percent of students lack adequate broadband to sustain their education. While 18 percent of white students lack adequate broadband, that figure rises to 30 percent of Black students, 35 percent of Native American students, and 37 percent of rural students. Consequently, students across the country have massed into fast food restaurants offering wifi or school parking lots to connect with their lessons.
During the pandemic, schools have creatively sought to close the homework gap. Many institutions have distributed devices and hotspots to help connect students, while others deployed fleets of wifi-enabled buses to neighborhoods broadly lacking access to broadband. Others partnered with ISPs to provide low-cost broadband, and legislators of both parties have introduced bills to tackle the issue.
Some approaches to closing the homework gap are data-heavy exercises and consequently pose risks to student privacy. Many of the solutions being used or explored by schools require collecting data on students’ access to broadband, and sharing that data with other governmental entities or with private providers. For example, Boulder Valley School District in Colorado connected students through a private partnership that involved surveying families by phone and email about their broadband access. Families qualifying for free and reduced lunch throughout the district were then permitted free access to the private partner’s local wireless network. Arlington County Schools in Virginia similarly monitored students’ activity on remote learning platforms to identify students without adequate broadband access; the school district then partnered with private providers and the county government to provide those connections.
The data needed to connect students may involve student-level data collection, including information like socioeconomic status, access to a broadband connection, online activity, demographic data, and home address. That data might be collected by or shared with the student’s school, local education agency, state education agency, or broadband providers. Not only is that information potentially sensitive, but it may also be protected from disclosure under federal and state law.
Privacy Solutions
Eight considerations may help ensure that student data is used for students’ wellbeing, while preventing privacy violations and potential misuse:
- Data minimization: The school or other entity should define the purpose of any data collection and limit collection to that purpose. Does the school wish to identify individual students without access so teachers may make informed instructional decisions? Or does the school wish to pair those students with low-cost providers? Based on that purpose, the school should define each of the data elements it needs to collect, limiting them to those necessary to achieve the data collection’s purpose. The school or other entity should consider whether certain elements need to be collected or already reside in the school’s student information system.
- Legal compliance in collection: The school should consider how it will collect the data and ensure that the collection complies with state and federal laws, such as the Protection of Pupil Rights Amendment (PPRA) or the Family Educational Rights and Privacy Act (FERPA). Some data, such as online participation, may be available through a school’s learning management, single sign-on, or other systems, as was the case for Arlington schools. However, when reaching families without broadband connections, schools should consider more traditional means of contacting families, including phone calls and in-person (socially distanced) visits.
- Secure collection: Any data collection must be secure. For example, schools should take steps to protect communication by email and ensure that collections conducted through a third party are protected by adequate security practices.
- Restrictions on access: Once collected, access to the data should be limited to those persons who need it.
- Restriction on use: No data should be used for marketing purposes, now or later, and its uses should be restricted to those necessary to fulfill the purpose of the collection.
- Retention and deletion: Data should be retained only as long as necessary to achieve the purpose of its collection.
- Legal compliance and written agreements for sharing data: The school should consider how it may use and share the data, if at all. For example, a school wishing to share individual students’ information with instructors may likely do so pursuant to federal law; sharing that same information with external partners, such as a broadband provider or county government entity, may be more difficult. Schools should enter into a data sharing agreement with any outside partner. The agreement should limit uses of the data to the purpose for which it was collected and specify a schedule for its deletion. Schools should likewise consider if they may accomplish the same goals without sharing. For example, if the school wishes to connect students with low-cost broadband providers, it may collect data from students and providers and connect those data sets internally, rather than sharing the data with the provider at all.
- Secure transfer: Whether transferring data to a partner or within the school, data should be transferred only through secure means, such as encrypted channels and secure file transfer protocols (SFTP or FTPS, rather than plain FTP, which is unencrypted).
Of course, connecting students and maintaining their privacy extends beyond these considerations — for example, communication among schools, districts, state agencies, and even across state lines will be crucial. For more information on protecting student privacy, including by deleting data and establishing strong data governance practices, see CDT’s student privacy and COVID-19 training module and even more of our work here.