As a result of the State of Wisconsin’s orders, which indefinitely closed public and private schools for purposes of pupil instruction and extracurricular activities, except for virtual learning, due to the health emergency caused by COVID-19, school districts have been forced to implement or expand virtual or remote learning programs. Such programs utilize video conferencing, email, and other online services. Because of the growing number of options available, it may be difficult to choose the right video conferencing product. This article identifies some of the legal issues school districts should consider when selecting a video conferencing service for its virtual or remote learning program.
School districts have a lot of latitude to develop and implement the virtual or remote learning program, if any, that the district will implement during the school closure period. That said, any program selected by the school district must allow the district to continue to adhere to laws that protect the confidentiality of pupil education records, such as Wisconsin’s Pupil Records law (Wis. Stat. § 118.125) and the Family Education Rights and Privacy Act (FERPA).
Both Wisconsin’s Pupil Records law and FERPA require school districts to maintain pupil education records on a confidential basis. Pupil education records are all records directly related to a student and maintained by the school district. Pupil education records include records maintained in any way including, but not limited to, computer storage media, video and audio tape, film, microfilm, and microfiche.
Both Wisconsin’s Pupil Records law and FERPA specifically prohibit school districts from disclosing personally identifiable information (PII) contained within pupil education records without written consent from an adult student or parent(s)/guardian(s), unless otherwise required or permitted by law.
In accordance with Wisconsin’s Pupil Records law and FERPA, school districts may share confidential pupil education records and the PII in those records with an individual or entity, such as a video conferencing service provider, that has been designated as a “school official” because the individual or entity is working on behalf of or with the school district, as long as the individual or entity:
• Performs an institutional service or function for which the school district would otherwise use its own employees;
• Has been determined to meet the criteria for being a school official with a legitimate educational interest in the pupil education records or PII set forth in the school district’s annual notification of rights regarding pupil education records;
• Is under the direct control of the educational agency or institution regarding the use and maintenance of the pupil education records or PII; and
• Uses the pupil education records or PII only for authorized purposes and does not re-disclose the records or PII to other parties, unless the provider has specific authorization from the school district.
State and federal laws provide additional privacy requirements for the pupil education records of children with disabilities, including individualized education programs (IEPs). IEPs and other special education records may also not be disclosed without the consent of the adult student or parent(s)/guardian(s), unless otherwise required or permitted by law. However, the Individuals with Disabilities in Education Act (IDEA) also permits a school district to provide access to such records and the PII contained therein to individuals and entities that have been designated as a school official working on behalf of or with the school district to serve the student’s needs.
1. Review Vendor Agreements and Applicable Terms of Service.
The school official exception only applies to video conference service providers if the school district exercises direct control over the provider and the provider has a legitimate educational interest in the pupil education records or PII. Often, the vendor agreement or the provider’s terms of service will establish that control. A formal, written agreement is not required, but school districts may use an agreement to clarify the issues of direct control and legitimate educational interest. The designation of a video conferencing service provider as a school official should be done in accordance with the school district’s criteria as set forth in its policies.
If the school district enters into a written agreement with the video conference service provider, including signing or otherwise indicating a willingness to abide by a terms of service agreement provided by the video conferencing provider, the following provisions should, at a minimum, be reviewed carefully by the school district:
• Data Security. A data security provision should clarify whether user data belongs to the school district or the provider and should establish the responsibilities of each party if a data breach occurs.
• Data Collection. A data collection provision should delineate the user data that may and may not be collected.
• Use, Retention, Disclosure and Destruction of Collected Data. Such provision should identify the permitted uses of data that is collected, if and with whom such data may be re-disclosed, and how such data will be retained and destroyed.
• Data Access. Such provision should clarify who may access data that is collected and how.
• Modification, Duration and Termination. Such provision should establish how long an agreement will be in place, how it may be modified and how it may be terminated.
• Notice of Modification. Such provision should establish whether the service provider may modify its terms of service without notice. School districts should opt for terms of service agreements that provide notice prior to any modifications, even if the only recourse is to discontinue use of the service when unwelcome modifications are made. Any modifications of terms of service agreements should be reviewed to ensure it meets district approval.
The U.S. Department of Education tasked its Privacy Technical Assistance Center (PTAC) with providing data privacy and security best practices.
The school district may also consider asking the school district’s legal counsel to review the written agreement offered by the video conferencing service provider and, in some cases, negotiated modifications to the agreement.
2. Determine Whether the District and/or the Video Conferencing Service Will Create a Record.
School districts should carefully consider whether video conferences used in virtual or remote learning programs will be recorded and maintained. Video conferencing service providers offer a variety of options with respect to recording and storage of recorded video conferences. Creating such recordings, however, raises a number of issues.
Under Wisconsin’s Pupil Records law and FERPA, video recordings that relate to a student and are maintained by the school district, or maintained by the video conferencing service provider on behalf of the school district are pupil education records. Such recordings are then subject to the confidentiality requirements discussed above. If video conferences are recorded, school districts should also consider whether those recordings will be maintained by the video conference service provider or by the school district. Because of the retention periods that may be required by applicable laws, school districts should evaluate the video conferencing provider’s data storage policies if the video conferencing service provider will be maintaining any recordings. If the recordings are to be maintained by the school district, the district should consider whether the transfer of the data meets its security standards and whether the district has the storage capacity in place for such recordings.
Some school districts may opt to have educators record classroom instruction sessions for students to watch. If such recordings do not include any student participation, the video recordings will not relate to an individual student, and as such, they are not likely to be considered pupil education records. Because these types of recordings will not include PII, such recordings will not be subject to the confidentiality provisions in Wisconsin’s Pupil Records law and FERPA. However, because such recordings do not allow for interaction between students and educators, school districts may determine that such a practice is less desirable for an effective virtual or remote learning program.
If an educator conducts a meeting through video conferencing and records a meeting between the educator and a student and the student’s parent(s)/guardian(s), whether the meeting is about student progress or discipline or a student’s disability, the recording will be a pupil education record under Wisconsin’s Pupil Records law and FERPA. In such case, the confidentiality requirements of Wisconsin’s Pupil Records law and FERPA will apply and the school district will have to work with the video conferencing service provider to ensure the record is maintained and reasonable security protections are in place.
Many school districts have board policies addressing when meetings may be recorded. Those Board policies apply to virtual meetings just as they would to face-to-face meetings. Educators and other staff must understand how recording instruction and meetings are subject to state and federal laws and school district policies governing pupil education records.
3. Consider How Security Risks Impact Privacy Practices.
Both Wisconsin’s Pupil Records law and FERPA prohibit the unauthorized disclosure of PII contained in pupil education records. Because user data, video recordings, and other digital data transferred through and collected by a video conferencing service provider may contain PII, school districts should consider a service provider’s data security features and vulnerabilities when deciding which products to use. Neither Wisconsin’s Pupil Records law, nor FERPA, provide specific cyber security requirements. However, FERPA’s regulations require school districts to use “reasonable methods” in safeguarding protected student information. 34 CFR § 99.31.
Hackers have demonstrated several ways of compromising the digital data that is collected, used and maintained by video conference service providers, including but not limited to:
• gaining access to passwords, photos, names, recorded videos and other information and leaking that information on public websites;
• gaining access to and control over user webcams and microphones through vulnerabilities in video conferencing software; and
• gaining access to live video conferences and disrupting those video conferences by harassing student participants or exposing student participants to graphic material.
Before selecting a video conferencing service for a school district’s virtual or remote learning program, school districts should consider the built-in security features that may help protect against those and other security issues. School districts should also consider the known vulnerabilities of any video conferencing product and weigh those risks in light of the school district’s needs.
Regardless of the video conferencing service selected, school districts can minimize data security risks by minimizing the amount of PII discussed during live video conferences, utilizing a video conference’s built-in security features, and observing general cyber security best practices. For example, school districts should email links to video conference meetings to invited attendees rather than publishing links on its webpage.
The Wisconsin Department of Public Instruction (DPI) provides additional guidance and best practices for video conferencing on its website.
4. Understand the Features and Create Clear Policies on How They Should Be Used.
School districts should carefully review the features and controls provided by different video conferencing services. School districts should understand the administrative controls available to control the different features. Some features may be unnecessary or unwanted. Other features may require school districts to create or modify policies to govern the use of certain features.
A few examples of the features and controls available include:
• Number of Participants. Video conferencing services come with a variety of options for the number of people that may participate in a live video conference. If a school district wants to have live video conferences, it’s important to review any limits on the number of participants to ensure that the service will accommodate the district’s needs.
• Screen Sharing. Some services allow the host or participants to share their screen with other users.
• Video and audio recording. Some services allow video conferences to be recorded for later use.
• Host Control. Some platforms allow the video conference host to mute and unmute participants, view video conference participants in a waiting room before admitting them to the conference and control who is allowed to enter into a video conference session. Depending on how a school district intends to use its video conferencing service, such controls could allow educators to prevent a number of possible unwanted distractions and protect students from the issues mentioned above.
• Participant Activity. Some platforms allow participants to make notes, share links, and engage in private chats.
School districts should consider which features are necessary depending upon its intended use of the service. Because of the applicable confidentiality laws school districts should be aware of the product’s features and understand the different ways those features may be used or abused. School districts should determine whether it can disable any unwanted features or otherwise control the settings for individual features.
School districts should also establish clear policies and guidance for educators and other staff governing if and how different features, such as video recording and screen sharing, may be used in the virtual or remote learning program.
5. Training, Support and Best Practices for New and Existing Online Tools.
School districts should consider the training and support available from the video conferencing service provider. School districts should be aware that educators, staff, students and parents/guardians may require training on the use of the video conferencing service. This may require school districts to prepare and disseminate training aides or provide links to the service provider’s support information. Educators and staff should also be trained on how to deal with questions from students and parents/guardians about the use of the video conference service and the available resources.
Likewise, school districts should evaluate the customer service provided with the video conferencing product. Providers with strong customer service and responsive tech support assistance will benefit the educators, staff, students and parents/guardians that use the platform by helping to create a reliable, usable product. It also ensures a more productive learning experience with fewer interruptions.
School districts may find that no single video conferencing service fulfills all its virtual or remote learning needs, especially in light of applicable laws. School districts may have communication methods, such as email and phone conferences, already in place that are better suited for discussions involving protected information. The solution may be to combine video conferencing with other communication solutions already in use. School districts might, for example, limit video conferencing to those classroom lessons that do not involve PII, and utilize email and phone conferences for other types of communication.
Consequently, it is a good time for school districts to review the district’s policies on confidentiality and acceptable use of technology.
The U.S. Department of Education provides some guidance on cyber security best practices.
Finally, some of the legal issues above also apply to the school district’s selection of a video conferencing service to allow the school board and other school district groups to meet virtually, in whole or in part, especially if the meeting will include a closed session to discuss confidential information.