Student Privacy
and Safety
In the rush to "get everything going" with video conferencing and online tools, student privacy & online safety has taken a back seat. We need to re-visit student privacy and online safety, in concert with Catholic guidelines.
⚠️ Note: There is a lot happening with student privacy and safety right now.
If there is something we've missed, please let us know.
If there is something we've missed, please let us know.
Student Safety
With virtual learning, the need for adherence to strong student safety standards and controls is paramount. Virtus and similar safety trainings are primarily geared towards in-person interactions. Following the USCCB's guidance, and with input from schools we recommend the following:
Communication with Students
Teachers and students communicate using school-provided devices and school email addresses.
Faculty/staff should not be in contact with students via personal email or social networking sites.
All teachers should be using the same video conferencing platform to communicate with students
Any IT logging or reporting that can be enabled centrally should be turned on
Faculty/Staff should exercise the utmost professionalism and good judgement when chatting or video conferencing with students.
Consider the language used when contacting students and always assume that what you write in a communication with a student will be shared with others.
The school should be aware of every tool a teacher is using that allows student / teacher interactions
Any 1:1 video interaction between a student & teacher should be recorded and archived
If schools are providing “live” lessons or daily/weekly check-ins, expect adherence to communicated norms and protocols. If possible, record these live sessions. Student participation captured in “chat” dialogue boxes is included in recordings. All chat can be copied and saved.
If possible, another teacher or an administrator should join the Zoom/Google classroom as a “co-teacher.”
Conduct & Decorum
All applicable Employee Handbook provisions for faculty remain in effect while engaged in online learning.
All expectations for professional conduct outlined in the school’s handbook or teacher contract are in effect when instruction or communication is conducted through an online platform. These expectations include the guidance from the USCCB regarding safe school environments.
Schools should establish norms/protocols for Virtual Learning and support sessions. (see CRNYC slide) Significant issues with adherence to established school norms for virtual learning/communication need to be addressed by school administration.
Faculty/staff should not have pornography, inappropriate games, gambling apps, or any personal content that is not lesson-related on their computers and should not share these materials with students. (This seems obvious but needs to be stated.)
Virtual clubs facilitated by the school need to be monitored by school personnel.
Student to Student Interactions
All applicable student handbook policies remain in effect for students
Student interactions should be respectful and in accordance with school guidelines
Students should only use school-provided accounts (email, Zoom, etc.) for interacting with teachers and other students within an academic context
All student to student (within the academic context) interactions, and student / teacher communications must take place within a school-authorized / administrated platform
Additional Considerations
Students using school-provided devices should know that the device is to be used for appropriate school activities
Parents should be notified of all student expectations
Please see below for information on:
⚠️ The school should establish a way for students (and teachers) to report inappropriate behavior. This can be done with a monitored email account or a form, but it should be:
- Communicated to students and easily accessible
- Confidential to select school administration
Technology for Counseling
Counselors/Academic Support Personnel: maintain a log of all sessions with students that includes the date/time/duration of contact and the main topic of discussion. This log should be accessible by appropriate school administration.
Counselors and academic support personnel should not be communicating with students using personal cell phones or home phones. If use of a personal cell phone is the only option for contacting students, consider the use of Google Voice or Dialpad as it provides students with a secondary call-in number that is connected to the counselor’s phone.
Note: If your school uses GSuite, Google Voice may need to be enabled by your IT Administrator
Many schools have developed a counseling newsletter that is distributed to all students and provides general recommendations for health and safety and resources for students and their families.
Additional resource that provide guidance and expectations related to virtual counseling:
Student Privacy Regulations
CIPA requires that schools have an internet safety policy that provides the following measures:
Student internet access is filtered for obscene and harmful content
Online activities of minors are monitored by the school
The school provides education to minors on appropriate online behavior and cyber-bullying
CIPA is required for schools receiving e-rate discounts / funds for categories beyond telecommunications services only. If your school ONLY receives e-rate discounts for telecommunications services, compliance is not required.
Source: CIPA Guidance from the FCC; USAC; E-Rate Policy Primer
Filtering Off-Campus
CIPA language is vague regarding whether filtering must be at the device-level or connection, but connection-level filtering at the school is standard practice, and anything beyond is typically "in addition". Whether non-erate discounted connections (like hotspots) must be filtered is also up for interpretation.
With that consideration, our guidance is:
If you are providing internet access to a student via a school-provided hotspot, that connection should be filtered if possible.
If the school provides a device (computer, iPad, etc.) to students, doing off-campus filtering is at your school's discretion.
If you are unable to filter a school-provided hotspot, provide filtering on the device (assuming it's provided by the school)
CIPA-mandated filtering is typically considered a "best-effort" requirement. Do what's reasonable to do
How can off-campus hotspots be filtered?
Your options at this point may be pretty limited if you've already given out the hotspot.
You might be able to enable pre-configured filtering through the vendor's account console
If you CAN access or otherwise adjust the device's settings:
The easiest option is to use OpenDNS' Family Shield DNS....set DNS on the hotspot to 208.67.222.123, 208.67.220.123. More info here.
Similarly, Cloudflare's 1.1.1.1 service now has a family option that blocks adult content and malware, completely pre-configured and turnkey, same as OpenDNS. Just set DNS to 1.1.1.3, 1.0.0.3.
There are other DNS filtering services, but most take some setup with dynamic IP addresses. DNSFilter, CleanBrowsing, NextDNS
Filtering Devices
If you're a 1:1 school, you might have already had something in place. But if you didn't, or if you had to break apart laptop carts to loan out, here are some options:
Both DNS-based options above are reasonable, and should be easy and quick to implement remotely.
GoGuardian is an excellent monitoring and filtering product for both Chromebooks and Windows computers....free until the end of the year....Securly is another good and simple option, and Bark.us offers some useful monitoring.
👉 Note - Students and families should be aware of any monitoring you are doing.
Sophisticated filtering and monitoring solutions can be a privacy issue in their own right. Students and parents should be aware of what the school can do and know about the student's online activities.
FERPA - Family Educational Rights and Privacy Act
"The Family Educational Rights and Privacy Act (FERPA) is a federal law that affords parents the right to have access to their children’s education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records. When a student turns 18 years old, or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student (“eligible student”). The FERPA statute is found at 20 U.S.C. § 1232g and the FERPA regulations are found at 34 CFR Part 99. " - DoE Student Privacy Policy Office
Does FERPA Apply to Cristo Rey Schools?
Most Cristo Rey schools receive Title funds from the DoE, and so FERPA applies to the school. FERPA applies to any school receiving federal funds from a Federal Department of Education program. Most private schools do not receive Department of Education funds, so they are exempt from FERPA. E-Rate is administered by the Federal Communications Commission and does not trigger FERPA compliance. Source: Department of Education
FERPA and COVID-19
The Department of Education has released this FAQ covering topics such as:
Information disclosure guidance if a student is diagnosed with COVID-19
Parental Consent
Maintaining a record of information disclosures
FERPA and Virtual Learning
The Student Privacy Policy Office (of the DoE) has released the following guidance. Notable takeaways:
On students, video conferencing, and PII disclosure concerns:
"Under FERPA, the determination of who can observe a virtual classroom, similar to an in-person classroom, is a local school decision as teachers generally do not disclose personally identifiable information from a student’s education record during classroom instruction. FERPA neither requires nor prohibits individuals from observing a classroom."
Additional Guidance
The DoE has released a Powerpoint that addresses FERPA and online learning in more detail:
DoE - FERPAandVirtualLearning.pdfCOPPA applies to children younger than 13, and should not apply to any Cristo Rey schools.
HIPAA - Health Insurance Portability and Accountability Act
In most cases, HIPAA does not apply to schools for a variety of reasons. If a school is covered by FERPA, most student health information is considered an educational record, and FERPA applies, rather than HIPAA. For more information, see "Joint Guidance on the Application FERPA and HIPAA to Student Health Records" from the Department of Health & Human Services and the Dept. of Education.
Vendor-Specific Guidance
G-Suite
Google's GSuite for Education core services (including Google Meet) are FERPA-compliant.
Office 365
Microsoft Office 365 and its services (Microsoft Teams for Education) is FERPA-compliant.
Zoom
Zoom's Privacy Policy for K-12 ; Rolling Out Zoom
We've rolled up all the Zoom information into a page, since there are so many questions and issues to be aware of.
Other Vendors
Any vendor that specializes in education is likely to be FERPA compliant. If you have any concerns or want to discuss a vendor, please contact Mark Bazin.