Three Lessons from COVID-19 and the Changing Landscape of Student Privacy

Today, CDT released a training module on privacy and equity issues related to COVID-19, as well as guidance around the privacy implications of learning pods. These resources discuss a few of COVID-19’s recent impacts on the student privacy landscape. As the fall semester enters its latter months and education practitioners prepare for the spring, we review these impacts and draw three key lessons for ongoing education in a pandemic-conscious world.

The emergence of COVID-19 sparked dramatic shifts in the U.S. education system last spring, forcing schools to adapt teaching and other services to the new distance learning context. One impact of this pivot to remote instruction has been an increase in student privacy incidents, driven by unprecedented reliance on education technology (EdTech) in an unfamiliar, dynamic environment. Education practitioners have made significant strides in delivering safe, effective teaching since then, but several privacy challenges persist. These challenges range from concern over contact tracing software and confusion around health data access to uncertainty around alternative learning structures and widespread inequities in digital access. This evolution of student privacy issues in the era of COVID-19 suggests three key lessons for education practitioners to consider as they prepare to conclude the fall semester and develop plans for the spring. We unpack these lessons, drawing illustrations from CDT’s recently released training module on emerging privacy and equity issues related to COVID-19, as well as our new guidance around the privacy implications of learning pods.

1: Student Privacy Protection Is Non-negotiable, But Practitioners Are Underprepared.

Teachers and education practitioners face numerous demands competing for attention even in ordinary times, and these demands have only magnified during the pandemic. In light of this, it is tempting to view student privacy protection as a “nice-to-have,” a luxury that can be expended if time and capacity are short. The frequency and severity of student privacy incidents occurring during COVID-19, however, show why privacy protection cannot be treated as an afterthought.

Highlighting the risks is the concerning trend of cyberattacks on K-12 institutions. Recent ransomware attacks and other cybersecurity breaches have crippled schools’ teaching capacity for days at a time, exposed student and staff data online, and cost districts thousands of dollars. The risks are accentuated by COVID-19, when schools rely heavily on technology for day-to-day operations. For schools and education agencies caught unprepared by a cyberattack, student privacy protection can quickly turn from an abstract exercise to a painful, urgent reality.

These risks are serious, but schools have the opportunity to prepare themselves to mitigate the risk of student privacy breaches such as cyberattacks. Strong privacy protection is partly a question of “capacity”: institution-wide privacy training, dedicated staff with specialized IT expertise, and appropriate data governance practices all increase an institution’s capacity to anticipate and avoid student privacy threats. Our new training module on COVID-responsive privacy protection discusses specific considerations for remote learning, in-person instruction, and hybrid models, and our “pods” guidance provides capacity-building recommendations for another education model emerging during COVID-19, learning pods. No matter how schools and education institutions deliver education in the fall and spring, they should invest in thoughtful cybersecurity practices and implement privacy protection training in order to prevent harmful, costly privacy incidents. 

2: Student Privacy Protection Is An Issue of Equity.

The emergence of COVID-19 has shown how student privacy protection is often intertwined with educational equity issues. When technology mediates access to educational opportunities, the accessibility—or inaccessibility—of that technology shapes the learning experience of the students who use them. Students of color, lower-income students, English Learners, students with disabilities, and other marginalized populations have all tended to face disproportionate technological access challenges during the pandemic that are amplified by pre-existing social inequities. 

One example of this is the digital divide, which existed well before the onset of COVID-19 and continues to obstruct learning opportunities for many students across the country. The digital divide maps along racial and socioeconomic lines in the U.S., raising serious equity concerns that these communities face exacerbated learning loss related to the effects of the pandemic. The digital divide is also a privacy issue. As school districts press to provide devices to students who need them, they risk exposing these students to increased privacy threats by additional data collection and disproportionate security vulnerabilities, such as those recently documented in Chicago and Rhode Island. In both of these cases, the risk of a privacy breach fell disproportionately on student populations most in need of additional school support. 

Examples like this illustrate why student privacy protection must be viewed with an equity-minded lens. Privacy issues don’t occur in a vacuum—they take place within larger social dynamics that must be accounted for in order to protect the most vulnerable students. As we discuss in our privacy and equity training module and our pods guidance, schools should build a proactive, inclusive community engagement process into their decisions on how to utilize student data and school technology, in order to ensure that these tools benefit all students and do not marginalize vulnerable populations. School decisions about using technology to adapt to COVID-19 can exacerbate existing inequities if these voices are ignored.

3: Student Privacy Protection Principles Haven’t Changed.

Part of the challenge of protecting student privacy during COVID-19 stems from operating in an educational context that can change rapidly with little warning. COVID-19 outbreaks on campus, changes to health guidance, and evolving responses to address the virus can all prompt quick pivots with privacy-relevant implications. Privacy-minded practitioners should remember, however, that the core principles of security and privacy protection have not changed. From a legal standpoint, the Family Educational Rights and Privacy Act (FERPA) remains the most important federal legislation governing schools’ obligations to protect student privacy, and it has not changed since the beginning of the pandemic. From a technical standpoint, the components of good data governance still apply to new circumstances. Hence, the task of ensuring strong privacy protection in changing educational contexts lies not in devising entirely new privacy and security principles, but rather in adapting existing principles to novel situations—a task that is much more manageable.

CDT’s recent analysis of privacy protection for the phenomenon of “learning pods” serves as a case study for adapting established practices to a new setting. The idea of learning pods first emerged during the summer as a way to combine the relative safety of remote learning with the strengths of in-person instruction. The concept, however, raises both privacy and equity concerns that require attention. In our privacy guidance for learning pods, we unpack how well-established legal and technical best practices translate to this new learning model, and how individuals new to the role of privacy protection can best protect students under their care.

Learning pods are just one instance of how COVID-19 is reshaping educational systems and raising new privacy and equity concerns. As the pandemic persists through the fall and into the spring, existing student privacy and equity issues will likely continue and new, unexpected challenges will doubtlessly arise. Schools should combat these by recognizing the seriousness of these issues, improving practitioner privacy training, building equity and inclusion considerations into their technology decisions, and leveraging their existing experience with well-established student privacy protection practices. All of these will continue to play important roles as education institutions react to the pandemic’s changing dynamics heading into this winter and spring. With thoughtful attention and the right preparation, schools can equip teachers and education practitioners to succeed, both in educating students and protecting their privacy.