This 2-pager was authored by Jessica Li. PDF version here.
As schools respond to COVID-19 on their campuses, some have shared student information with state and local health agencies, often to aid in contact tracing or to provide services to students. Federal and state student privacy laws, however, do not necessarily permit that sharing, and schools should seek to protect both student health and student privacy.
How Are Schools Sharing COVID-Related Student Data?
When it comes to sharing student data, schools’ practices vary widely. For example, the New York City Department of Education provides a consent form for sharing COVID-related student data. Other schools do not have consent forms, but instead share COVID-related data as required by local or state health agencies. For instance, Orange County Public Schools in Florida assists the local health agency in contact tracing by collecting information such as students’ names and dates of birth. Some districts, such as the Dallas Independent School District in Texas, report positive cases to the county, but do not publicly specify what information is reported. Many schools, however, do not publicly disclose their collection and sharing of COVID-related student data.
How Do Current Practices Comply with FERPA’s “Health or Safety Emergency” Exception?
Student health information maintained by a school, such as a COVID-19 test result, is likely protected as personally identifiable information (PII) from education records under the Family Educational Rights and Privacy Act (FERPA). Sharing that information would require parental consent or the use of an exception to FERPA’s parental consent requirement – most likely the “health or safety emergency” exception – to share with health agencies.
The “health or safety emergency” exception requires schools to make a reasonable determination that there is an articulable and significant threat to the health or safety of a student or other individuals. However, the U.S. Department of Education has said that a state can make this determination if state regulations require schools to report cases of communicable diseases as emergencies to health agencies, such as by requiring “immediate reporting” of COVID-19 cases. Many states, including California and New York, have determined by regulation that COVID-19 requires emergency reporting to health agencies.
The exception also requires schools to disclose information only to appropriate parties, that any information disclosed be necessary to address the emergency, and that schools record the basis for disclosures. Consequently, districts that report student cases to local health agencies should ensure they share only information that is necessary for the agencies to address the outbreak. Most schools have not publicly disclosed their policies or practices for recording disclosures.
How Do Current Practices Comply with State Student Data Privacy Laws?
In addition to complying with FERPA, schools must comply with state student privacy laws. While some, such as California, have exceptions that largely parallel FERPA’s health and safety emergency exception, others may include additional restrictions. For example, schools in Louisiana cannot share PII with external entities unless it is done with written consent, for auditing or education services, or authorized by the Superintendent. Illinois requires more detailed information on disclosures to be recorded in student records than FERPA, including the name of the individual who released the information and the date of the disclosure.
Recommendations for School Administrators
Ensuring compliance with state and federal laws
- Pursuant to FERPA’s health and safety emergency exception, determine if an emergency exists and share information only with appropriate parties to address the emergency.
- Ensure compliance with your state’s student privacy laws.
- If state health regulations deem COVID-19 an emergency and require schools to immediately report cases to state or local health agencies, that determination may be sufficient for FERPA’s health or safety emergency exception.
Minimize information that is collected and shared
- Ensure information is only shared with parties that can address the emergency, such as public health agencies.
- Define the elements of information that may be shared and ensure that their disclosure is necessary for the appropriate parties to address the emergency.
- Enter into written data sharing agreements with health agency partners if possible.
- Ensure there are restrictions on permitted uses, access, and redisclosure of PII.
- Involve students and families in decision-making about how health data is collected and shared.
- Establish procedures for recording disclosures of PII in student records that describe the threat that formed the basis for disclosure and the parties to whom PII was disclosed.
This two-pager is one of a series designed to give practitioners clear, actionable guidance on how to most responsibly use technology in support of students. Find out more at cdt.org/student-privacy.