Not only do we need to be aware of the physical restrictions and rules schools will be implementing once students go back to school, but it’s also equally important to know what our schools will be doing with the data they collect on our children regarding COVID-19.

What sensitive information will they be collecting and can they keep it safe? Because unfortunately, as we’ve written about previously, school data breaches happen more regularly than districts would like to admit.

First and foremost, student health information is typically protected by the Family Educational Rights and Privacy Act (FERPA), not the Health Insurance Portability and Accountability Act (HIPAA). Back in March, the US Department of Education published guidance on how FERPA applies to schools in the context of COVID-19:

Although educational agencies and institutions can often address threats to the health or safety of students or other individuals in a manner that does not identify a particular student, FERPA permits educational agencies and institutions to disclose, without prior written consent, PII from student education records to appropriate parties in connection with an emergency, if knowledge of that information is necessary to protect the health or safety of a student or other individuals…

…If local public health authorities determine that a public health emergency, such as COVID-19, is a significant threat to students or other individuals in the community, an educational agency or institution in that community may determine that an emergency exists as well.

Also in March, the Future of Privacy Forum (FPF) and AASA: The School Superintendents Association, released a white paper offering guidance to help K-12 and higher education administrators and educators protect student privacy during the pandemic:

Some states have mandatory reporting laws that require schools to report communicable diseases to public health agencies. Depending on the disease, the information that must be reported could be either PII or de-identified or aggregated data. As a reminder, de-identified or aggregated reporting is not covered by FERPA, and can therefore be shared at any time.

Ultimately, it’s important to know what your state laws are and ensure that your school district is abiding by them so that no unnecessary information is being released about your children.