Student data privacy is the “it” issue right now in edtech, as evidenced by a recent special Student Data Privacy Report (free registration required) issued by Education Week. Education Week prefaces the report with a fact that school leaders know all too well—while technology brings great benefits in the way of innovation, it also brings great risks, especially to the privacy of student data and other information.
The report covers a number of important student data privacy issues for schools, including:
All of these issues are of crucial importance for school leaders to understand, but in my opinion two deserve the greatest attention.
The first is the growing trend toward obtaining cyberinsurance. Cyberinsurance policies focus on protecting a school district in case of a data breach or network security failure. As the Education Week report points out, these policies were born to serve the private sector, but have evolved to help schools who fear that they may be the next to deal with costly breaches like those that rocked companies like Home Depot and Target. We are seeing more and more of our clients looking into the policies. As always, we advise that you talk with your insurance representative to understand if such a policy is a good fit for your school district.
Training on Student Data Privacy
The second key issue is the need for better training on data privacy issues. School leaders should take steps to educate administrators and educators alike on the district’s policies and procedures regarding student data privacy. What information about a student can be posted online? When can a teacher use an online service or application with students that requires registered student accounts and/or the sharing of student data? What concerns should business managers be on the lookout for relating to contracts for operational services such as student information systems and assessment systems? This is a heavily regulated area of law, so if your school leaders and employees don’t know the answers to these and other important student data privacy questions, training may be necessary to avoid the pitfalls identified in the Education Week report. (Of course, before you can train, you have to have the policies and procedures in place. We talked about this issue in a recent FR Alert that you can check out here.)
I will be talking about these and other student data privacy issues with two of my colleagues, Brian Crowley and Nicki Bazer, at the upcoming “Triple I” Joint Annual Conference of IASB/IASA/IASBO, so hope many of you will come join the conversation then. (For attorneys, I will also be speaking on student data privacy at the ICSA Seminar on School Law that same week). What’s certain is that this issue is only going to grow in importance for school leaders, and staying on top of resources such as the Education Week Report is a crucial part of school leadership in the 21st century.
Our friends over at the EdLawConnectBlog in California published a blog about a case from the Golden State that school leaders from across the country may find interesting. The case addressed whether school boards have any copyright control over video clips of public board meetings that a citizen posts on the Internet. The California court that addressed the issue suggested they do not.
The case actually involved a city council, not a school board. A longtime critic of the mayor and other city officials took video footage of city council meetings and posted them online along with criticisms. A federal trial court found that the citizen could take and post such videos without violating copyright law. Part of its decision dealt with legal issues that do not affect public schools. But part of its holding is relevant for schools as well as municipalities. Here is the EdLawConnectBlog’s description:
Specifically, the court found that even if the videos were copyrightable, [the citizen]’s use of the council meeting videos was “fair use.” The videos were “transformative” works used for the purpose of criticism and commentary on matters of public concern. Additionally, the videos were fundamentally factual and incorporated only small segments of the city council meetings. Most important, [the citizen’s] videos did not compete with the City’s own distribution of the videos because under [California’s public records law], the videos must be made available to any person upon payment of the direct costs of duplication. Thus, the City had no way to profit from distributing the videos or to recoup the costs of creating the recordings.
Although the case relied on California open meetings and public records laws, most states have similar laws on the books. The Illinois Open Meetings Act and Freedom of Information Act, for instance, have provisions quite similar to California’s laws. School leaders across the country should thus keep this case in mind and consult with counsel before preventing recording or posting of recordings of public meetings.
Recent amendments to Illinois law draw back on rights of post-secondary, secondary, and elementary schools to request or require access to student social networking accounts such as Facebook and Twitter. School districts and nonpublic schools are now essentially “locked out” of student accounts, as they can no longer request or require access to the accounts even when there is reason to believe a violation of school rules has occurred. Now, schools can only require a student to “share the content” of an account, and only when the school has received a direct report of “specific information” about activity on the account that violates school rules or policies. The removal of the right to require a student to turn over password or other account information so the school can gain access to the student’s account or profile is a significant limit on schools’ ability to effectively address off-campus, online misconduct impacting Illinois schools, including cyberbullying and sexting.
The previous version of the Right to Privacy in the School Setting Act, which was signed into law in 2013 and became effective January 1, 2014, allowed post-secondary, secondary, and elementary schools to request or require a student to provide a password or other related account information where the school had “reasonable cause” to believe that the account contained evidence that the student had violated a school disciplinary rule or policy. Elementary and secondary schools were required to provide notice to parents of this right, which we advised be provided through student handbooks and formal school or school district discipline policy.
Recent amendments to the law in Public Act 99-0460 curtailed the rights so recently granted to schools. The amended law, effective August 25, 2015, now prohibits schools from requesting or requiring student password or other social media account information in any circumstance. Instead, schools only may require a student “to cooperate” in an investigation including social networking misconduct and only if there is “specific information about activity on the student’s account” that the student violated a school disciplinary rule or policy. The student may be required to “share the content that is reported” to help the school “make a factual determination,” but schools no longer have the right to “request or require” the student to relinquish his or her password or provide the school access to general account information.
Legislative history suggests that the goal of the amendments was to address interactions between the Right to Privacy in the School Setting Act and recent cyberbullying legislation passed in Illinois (Public Act 98-0801). This “Cyberbullying Bill” amended the School Code effective January 1, 2015, to make clear that student cyberbullying in “non-school-related locations” or via a student’s own personal technology is prohibited if the cyberbullying causes a substantial disruption to the educational process or orderly operation of a school. The Cyberbullying Bill stated that this prohibition applies to cases in which a school administrator or teacher receives a report that cyberbullying occurred and that districts and schools are not required to staff or monitor non-school related activities, functions, or programs. Illinois Representative Mike Fortner, who sponsored the Bill that amended the Right to Privacy in Schools Act, explained that the law “restricts the school’s ability to access Facebook to only those specific cases of cyberbullying which are either reported to the school or were observed by school personnel.”
The law unquestionably is a significant draw back on the tools available to schools to effectively address misconduct by students on social media. Schools now essentially must rely on the word of students that they have in fact turned over all requested content, as opposed to being able to verify that all content has been obtained directly through the student’s social media account. Notably, this is not the first time that schools have been locked out of social media accounts that may have a serious impact on schools. As I discussed in an article for the Illinois School Law Journal and an FR alert, a 2012 Illinois law essentially locked school districts out of employee social media accounts under very similar circumstances to those at issue in this student law. Although an amendment to that so-called Facebook Password Law went into effect January 2, 2014, as we reported at the time that amendment did not make clear what access was allowed.
Schools can thus rely on lessons learned from the employee Facebook Password Law to address how to respond to the new limitations in the student sphere. For example, when schools learn of a cyberbullying or other online, off-campus student issue, they can use tools such as interviewing students, looking for publicly available information online, obtaining relevant documents in possession of law enforcement, and determining if another party may provide access to the social media account information. This, in addition to demanding the student turn over the content at issue, will help ensure that the school has as much information as possible when addressing an online misconduct situation. As with the employee Facebook Password Law, schools should not hide behind the amended Right to Privacy in the School Setting Act as an excuse for failing to conduct a thorough and prompt investigation into misconduct affecting the school.
The Right to Privacy in the School Setting Act continues to require that elementary and secondary schools provide notice to parents before the school can obtain the access authorized by the Act. School districts and nonpublic schools recognized by the Illinois State Board of Education thus should take steps now to provide parents the required notice. We continue to recommend that the notice language be contained in both student handbooks and the district’s and/or school’s formal discipline policy. In light of the timing of this new law, which comes just after the start of the school year when student handbooks likely have already been distributed to students, we advise that school districts and schools move forward with amendments to their discipline policies to provide the required notice at this time.
In a recent case, the Court of Appeals for the Fifth Circuit joined four other circuits in recognizing the right of school districts to discipline students for at least some off-campus, online speech if the speech reasonably leads school authorities to forecast a substantial disruption or material interference with school activities. The case is important because it recognizes that even where a student’s online speech may contain elements of social commentary, if the speech also is reasonably understood to be threatening, harassing, and intimidating in violation of school board policy, schools are within their rights to take disciplinary action.
In Bell v. Itawamba County School Board, the Fifth Circuit, which has jurisdiction over Louisiana, Mississippi, and Texas, addressed a rap song posted by a Mississippi high school senior, Taylor Bell, on his publicly accessible Facebook page and YouTube. The bulk of the song criticized two coaches at the school, who were named in the song, for allegedly engaging in improper sexual relations with female students. The song also included four references to violent acts that would be carried out against the coaches, however, presumably by Bell.
The court found that Bell threatened, harassed, and intimidated the coaches in violation of school policy by intentionally directing his rap recording at the school community. The speech was threatening, harassing, and intimidating, according to the court, despite Bell’s attempts to explain the comments as merely “foreshadowing something that might happen” by someone else or as merely “‘colorful language’ used to entice listeners and reflective of the norm among young rap artists.”
The court went on to find that because the song created a reasonable risk of a substantial disruption, discipline was justified. The speech pertained directly to events occurring at school, identified two teachers by name, and was reasonably interpreted as threatening to the teachers’ safety. Moreover, the potential consequences of the threats were serious, including potential serious injury or death to the threatened coaches. Especially in light of the numerous, recent examples of violence in schools, it was reasonable for the school to determine that there was a risk of disruption that justified discipline.
This case is another important victory for schools, which are tasked with protecting members of the school environment in a world where misconduct often occurs off-campus and online. The case is one in a growing trend of courts recognizing these realities in the current school environment.
School districts are under growing scrutiny and criticism for the lack of clear social media guidelines and policies. For instance, after a Michigan teacher reportedly was sentenced to 6 to 15 years for an inappropriate relationship with a minor student that involved numerous communications through Snapchat and text messages, a news investigation criticized the 44% of 84 school districts that had no specific social media policy on the books. In response, a state representative is now pushing legislation that would require all Michigan schools to have such a policy in place by next school year. Our friends over at LRP Publications also forwarded an interesting story about social media guidelines recently issued by Waco Independent School District in Texas, showing that many school districts are updating their social media guidelines for the coming school year. In light of these recent events, school leaders may be wondering if their school district is in need of a social media tune up. How do you know?
Although a board policy is not always necessary, it is prudent to have certain rules in writing for employees with respect to social media. This can be accomplished through handbooks or guidelines, and should cover more than just relationships between employees and students online. The following are just a few issues that should be addressed in good social media guidelines:
- Why can’t we be friends? As noted previously, what, if any, relationship employees can have with students (and parents!) via personal social media accounts is one of the most important issues addressed in social media guidelines. School districts are coming under fire for not having clear policies on this subject. The options on this issue run the gamut from full prohibitions to full permission, with outright bans being called into question as unconstitutional in at least one state. Most school districts’ guidelines fall somewhere in between. For instance, in Waco, certified staff can have personal social media connections with students with whom they have a separate social relationship, but other staff members may not. If you don’t have clear guidelines for employees on this subject, it can make it difficult to address misconduct if and when it arises. And because of the legal uncertainty in this area, legal review of any proposed guidelines is an essential step.
A lawsuit filed by a California teacher against the school district where she works puts a new spin on an old problem. As the National School Boards Association reported, the suit, filed last week by Amy Sulkis in the Los Angeles Superior Court, alleges that her school district employer failed to adequately protect her from cyberbullying and online sexual harassment by students who, among other things, created a fake Twitter account in her name and sent out inappropriate Tweets. Legal scholarship has long recognized that although liability for student-on-student and teacher-on-student harassment has led to successful lawsuits against public schools, courts have been less inclined to extend protections to teachers who allege they are harassed by students. Sulkis’s lawsuit shows how these concerns can be compounded by the use of online social media such as Twitter, and creates a new wrinkle in the question of what schools are required to do when teachers complain about online harassment by students.
According to CBS Los Angeles, Sulkis’s lawsuit reportedly alleges that the 16-year teaching veteran had an unblemished record and relationship with students until, in 2013, students created a false Twitter account in her name and sent out “disparaging and sexually suggestive statements” about her. A student who admitted to creating the account was initially given a two-day suspension, but after negotiations with the administration it was reduced to one day. Subsequently, students posted inappropriate and derogatory posts about Sulkis, but when Sulkis reported those posts to the administration she was told there was no available recourse. According to Sulkis, although she and her attorney asked for school-wide training for students on proper use of social media, that request was denied. A later post by a student allegedly included an image of Sulkis, an offensive caption, and a link to a pornographic Twitter page. Sulkis alleged that she was forced to take time off work to deal with the emotional distress and because she did not feel safe in her work environment. The lawsuit followed shortly thereafter. (more…)
With Guest Blogger Kendra Yoch
In a recent decision, Elonis v. United States, the U.S. Supreme Court held that in order to convict a man for alleged threats made against his wife on Facebook, the prosecutor must show some level of intent. It was not enough to show that a reasonable person would have believed the man’s comments to be a “true threat.” There are strong arguments that this criminal case did not change the standard for schools to address student, staff, or community member social media comments in the school environment. However, school leaders should be ready for challenges by individuals disciplined or otherwise sanctioned for such comments based on arguments similar to those raised in Elonis.
Anthony Douglas Elonis was convicted under a federal law prohibiting communication of any threat to injure the person of another. After his wife had left him and taken their children, he began posting graphically violent rap lyrics on Facebook under the pseudonym Tone Douggie. Elonis posted disclaimers that the lyrics were fictitious, therapeutic, and an exercise of is First Amendment rights. But his wife took the threats seriously and obtained a restraining order. The lyrics included a question as to whether the restraining order was “thick enough to stop a bullet,” references to smothering his wife with a pillow and dumping her body in a creek, and, perhaps the most troubling reference for school leaders, the following: (more…)
Those who follow the intersection between special education and technology know there is a dearth of administrative decisions and case law addressing what, if any, responsibility school districts have to provide or otherwise pay for technology for special education students. A recent administrative decision from Massachusetts sheds some light on this murky area. The case was unique because rather than addressing whether a device was “assistive technology” necessary to provide the student a free, appropriate public education (FAPE), it was looking at whether the district had complied with a hearing officer decision requiring it to reimburse for tuition and related expenditures for a unilateral private residential placement. Nonetheless, because the case addressed when technology might be an essential part of a special education student’s program, it’s worth a read for school leaders who deal with these issues.
The case involved a highly intelligent special education student with Asperger’s Syndrome, ADHD, and related issues. In an earlier administrative decision, a hearing officer found that the student’s school district, Barnstable Public School, was required to reimburse the student’s parents for their unilateral placement of the student at a private residential school, Franklin Academy, which the student began attending after the parents disagreed with the school district’s proposed high school placement for the student. Following that decision, Barnstable reimbursed the parents in full for tuition payments they made to Franklin Academy and expressed willingness to reimburse the parents for certain transportation expenses. The school district disputed, however, whether it was required to pay the parents for numerous “related expenses,” including certain technology expenses. Specifically, the parents asked for $11,224 for reimbursement for an Apple laptop computer, an iPad, and iPhone, audiobooks, various accessories, data plans, software, apps, phone fees, and other similar expenses. The parents argued that the items at issue were components of “special education” and/or “related services,” and, therefore, must be provided at no cost to the parent. (more…)
Readers of our FR Alerts may remember my colleague Kendra B. Yoch authored an Alert in 2013 about a set of outlier cases in the Ninth Circuit Court of Appeals, K.M. v. Tustin Unified School District and D.H. v. Poway Unified School District. The cases dealt with a request by a student with a hearing impairment for a certain technology service as an accommodation. A three-judge panel of the Court of Appeals held that a school district violated disabilities laws even though it had complied with the Individuals with Disabilities Education Act (IDEA), because compliance with the IDEA does not satisfy all claims under Section 504 of the Rehabilitation Act (Section 504) or under the Americans with Disabilities Act (ADA).
If you are outside the jurisdiction of the Ninth Circuit (Arizona, Washington, Oregon, California, Montana, Idaho, Nevada, Alaska, and Hawaii), you may rightly think “Well that’s interesting, but luckily it doesn’t apply to me.” Although normally that response is correct, the U.S. Department of Education’s Office for Civil Rights (OCR) last fall adopted the Tustin standard in a “Dear Colleague Letter” (DCL), thus applying the standard to school districts across the country. Last month, the National School Boards Association called OCR out in a letter. As NSBA reported, it argued in its letter that OCR was off base in so widely applying an inappropriate standard and one that has only been adopted by one court in one jurisdiction.
The Tustin Decision
In the Tustin case, two hearing impaired students had individualized education programs (IEPs) providing services and accommodations to address their communications. There was no question that the students were receiving a free and appropriate public education (FAPE) under the IDEA, because they were making progress and receiving meaningful educational benefits. The students’ parents wanted the schools to provide the students Communication Access Realtime Translation (CART), which is a service where a stenographer transcribes communications in real time, which are then streamed to the student’s computer in closed captioning. The Ninth Circuit held that the mere fact that the students were being properly served under the IDEA did not preclude liability under Section 504 and the ADA. (more…)