This document contains best practices in accordance with federal and state law. Local policies can be stricter than what is found in this document, so please consult your local policies as well. 

May educators use web conferencing software to hold a virtual class? In general, yes. Providing instruction and allowing students to converse with each other does not generally constitute a disclosure of education records protected by FERPA. Educators should avoid disclosing information from education records in a virtual class just the same as they would during an in-person class. As a best practice, educators should take care to ensure that access to the virtual class is secure. For example, there have been cases where educators have publicly posted the link to access the class in a public forum, like Twitter, which has allowed individuals not associated with the class to access it and even in some cases hijack the class with inappropriate content. As a best practice, directions (with hyperlinks) should be posted either to a student calendar or directly within the LMS (Canvas or Google Classroom).

Which privacy/security requirements must be met for web conferencing or other software to be approved? This question is best answered by the LEA’s data manager or IT director. In general, not every usage of an online service means information is disclosed from an education record. For example, asking students to view a video on YouTube generally would not require any information to be disclosed from education records. If Personally Identifiable Information (PII) is disclosed, but only directory information is disclosed (e.g., a login is created to access a resource library), then you may use the resource in accordance with your directory information policy. If PII is disclosed, you should also consider if it is a general audience website (i.e., not specifically intended for K – 12 audiences). If it is for general audiences, for example, a website like Zoom, then you only need to ensure that the website does not claim control/ownership over the information and that they do not redisclose the PII. If it is an educational website receiving PII, certain requirements will need to appear in the online agreement. This can be handled by having the provider sign a Data Privacy Agreement (DPA). It is also possible that they may meet the audit requirement in other ways, such as by publicly posting the results of a self-assessment of their privacy policies (e.g., if they have signed the Student Privacy Pledge or if they have been reviewed by a Children's Online Privacy Protection Act (COPPA) safe harbor (e.g., Privo, iKeepSafe, TrustArc).

How can we learn more about the specific security and privacy functions of our virtual learning software? In some cases, the company will have specific tutorials, blogs, or other resources to explain the specific functionality. For example, 

• · Zoom has the document Best Practices for Securing Your Virtual Classroom
• · Microsoft has this document Shifting to distance learning: A 5-day guide for school leaders, which relates to using Office 365, Microsoft Teams, or Flipgrid
• · Google has their Teacher’s Center, which includes the article Welcome to your first day of Google Hangouts Meet. The G Suite Admin Help section includes this article Set up Meet for distance learning

Is it an issue if the software an educator wants to use includes a lot of advertisements? Advertising is a common part of the internet, and not all advertising is based on gathering information on a student over time and building an advertising profile (also known as behavioral advertising). Some advertisements appear contextually (e.g., if you go to a website for movie reviews, you will see advertisements for movies). The mere fact that advertising appears does not mean a student’s privacy is being violated. The only way this can be determined is by reviewing the company’s privacy policy and determining what information they use to provide advertising. Another solution is to have the vendor sign the Utah Student Privacy Alliance’s Data Privacy Agreement (DPA), which includes provisions prohibiting behavioral advertising. Educators should also consider that websites that serve large numbers of pop-up ads may have other security issues. Students may be directed to update their browser settings to block pop-up ads (though note that in most modern browsers, this is the default setting). If the problem persists despite doing all of the above, then the website likely should be avoided. Districts should investigate installing adblockers on district-owned devices and if possible through their google suite for educators.

Is it an issue if parents or other individuals in the home can observe the virtual class? This is a local decision. FERPA does not relate to physical classroom observations, and the same applies to virtual classrooms. 

If educators hold a virtual class, may students appear on camera? In general, yes. Educators should recommend and encourage some best practices to parents related to web conferencing. For example, since video will be taken in the student’s home, the camera should be positioned to ensure that nothing too personal is captured in the video. Students may be interacting with the class on a smartphone or easily portable device. Students could be reminded to not take the device (or at the very least turn off the camera and mute the microphone) if going into personal spaces, such as the bathroom. Teachers should also be respectful if parents desire not to turn on the camera so as to protect their privacy. Furthermore, educators should learn how to control the functionality of the software. For example, web conferencing software can be set so that no student can enter the room before the educator (which will minimize distracting conversations). It can also be set so that cameras and microphones default to off for all participants.

May an educator record a virtual class session? In general, yes. If doing so, the educator should be transparent about it (i.e., every participant should know the session is being recorded). The educator should also be transparent about the purpose of the recording (e.g., it will be available so any students who missed the lesson may catch up) and who will be able to access the recording (e.g., if anyone else at the school, such as the principal or a supervisor, can access it). The educator should also indicate how long the recording will be maintained before it is deleted.

When may an educator have a one-on-one conversation with a student using web conferencing software? This is part of the larger question of when is it appropriate for educators to have one-on-one conversations with students in general. Before conducting one-on-one conversations, we recommend that educators review their relevant ethics policies and standards related to communicating with students. Otherwise, educators should use approved methods for communication (e.g., work email address, not a personal one, etc.). The content of the intended conversation also determines the best way to proceed. Answering content-related questions or providing one-on-one help likely does not implicate any privacy laws. If the purpose is to discuss information from education records (e.g., discussing issues with grades), extra care should be taken to ensure that the conversation is private (e.g., asking that other individuals in the home not be present). As a best practice, teachers may consider holding virtual office hours (i.e., have a specific set of hours where they will be available on the web conference to answer questions and be available to students). It is also highly recommended that educators log a record of all one-on-one conversations (e.g., when they started and finished, what was discussed) and make those available to the student and parent.

Is it a problem for educators to publicly post on social media a picture of their entire class together on a web conference (including student pictures and names in the process)? This likely constitutes a disclosure of directory information, the same as would appear in a yearbook or a class photo. Educators should consult their LEA’s directory information policy and ensure that the disclosure is permitted. They should also check to see if any students have been opted out of directory information disclosures and then ensure that those students are not included in the image. Educators could also consider simply not making the photo public, but rather just sharing with class parents (the exact same as generally occurs when sharing a class photo).

May we share student contact information with classmates so they may stay in touch during the soft closure? In general, yes, parents may request the contact information of their child’s peers, and schools may generally share it with them. In all cases, a school may disclose a student’s email address to a classmate. They may also disclose a student’s phone number unless the parent has opted out of the disclosure in accordance with the school’s directory information policy.

May we disclose student personally identifiable information to outside entities addressing the COVID-19 outbreak? Under Family Educational Rights and Privacy Act (FERPA), schools may share student information with public health officials and other outside entities in situations where there is a significant and articulable threat to the health and safety of students and others in the school community. This document FERPA and Coronavirus Disease 2019 (COVID-19) Frequently Asked Questions from the United States Department of Education discusses various scenarios and issues related to making disclosures using FERPA’s health and safety exception during the current COVID-19 outbreak.

Additional Resources

• · U.S. Department of Education Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices (Feb 2014)
• · U.S. Department of Education FERPA and Virtual Learning Related Resources (Mar 2020)
• · U.S. Department of Education FERPA & Coronavirus Disease 2019 (COVID-19) Frequently Asked Questions(Mar 2020)
• · U.S. Department of Education FERPA & Virtual Learning During COVID-19 slideshow and video recording(Mar 30, 2020)

Contact Information

If you have additional questions, please contact privacy@schools.utah.gov or call 801-538-7523 or Todd.Call@schools.utah.gov