What happens when your child’s school is not taking appropriate measures to protect his or her personal information? In one Central New Jersey school, the principal and teachers take pictures and videos of students and post them to social media pages such as Twitter. One parent’s reaction – “We were in shock when we discovered the Twitter accounts-multiple staff Twitter accounts. These accounts are personal but affiliated with the school.” The school did not provide any notice to parents that videos and photos of their children would be posted on Twitter. Parents are worried that these photos and videos “are putting the children at risk and violating their privacy–metadata, geolocation, names, ages, grades–this content is stored in [their] personal devices.”
In an age where data is currency, it is important to pay attention to one of the most vulnerable populations when it comes to cybersecurity breaches: K-12 students. Their parents should have a very valid fear of not only privacy breaches locally, but across the Internet. Once a photo or video is uploaded, removing or limiting access may become nearly impossible. Consider this instance in 2018 where a video of a toddler who was scared of the Easter Bunny went viral overnight and ended up on the Jimmy Fallon show. There are numerous instances of a teacher or student posting a video or photo that later is shared repeatedly around the world. However, it is still parents who legally are the gate keepers of their children’s data.
Every child’s school district is required to comply with Federal and State government student data privacy and online safety regulations. Student data, or Personally Identification Information (PII), is information about more than just your child’s address and age. PII includes how a school district collects, uses, and manages this information, and even includes who the school shares this information with (i.e. a guidance counselor may be able to view a student’s grades; a nurse may be able to view a student’s health records). All this information must be protected by the school which if released, could be used to identify or find a student.
Unfortunately, there are no specific Federal or NJ provisions that address student privacy data and social media; however, FERPA and NJ 18A:36-35 provide crucial guidelines for both schools and parents moving forward.
The Family Educational Rights and Privacy Act (FERPA) gives a parent or guardian (or a student over the age of 18) control over whether third parties outside of the school environment can see a student’s records. FERPA applies to the disclosure of PII from education records that are maintained by the school. FERPA does not prohibit school officials from releasing information about a student that was obtained through the school official’s personal knowledge or observation unless that information was obtained through his or her official role that directly affected or used a student’s education records. Meaning there may be some gray area with respect to postings on personal accounts as well as whether a video or photo is part of a student’s education records. Even so, FERPA defines directory information–as information in the education records of a student that Congress has deemed would not generally be considered harmful or an invasion of privacy if disclosed. But, to disclose this directory information, the school must give parents and guardians general notice and an option to opt out.
The New Jersey Department of Education in 18A:36-35 states that the board of education of each school district that established a web site, shall not disclose any PII about a student without receiving prior written consent from the student’s parent or guardian.
The central question remains whether a photo or video of a student is PII. However, a photo or video contains crucial information about their student: their age, demographic, location, grade–not to mention a creation of metadata. Regardless of whether a student is mentioned by name, it can be clear that it would not be difficult for any internet user to trace such information when it is posted by a school official such as a teacher or principal. The law then makes clear that parents and guardians must consent to such data closure, and if not at least be given the option to opt out.
The parents of this Central New Jersey school may have recourse under both federal and state law. Parents and guardians of students remain the decision-makers of who is allowed access to their student’s PII–from their student’s demographics as well to their photos. Even if photos are found to be directory information, parents have a right to opt out. In a fast-paced, social media-focused society, photos and videos can become viral overnight, exposing a student to unwanted publicity and attention. Our schools have a legal obligation to protect student’s privacy, not promote and engage in the reckless spread of student data.
Aleksandra Syniec, who wrote this post, is a second-year law student at Seton Hall University School of Law. She is also knowledgeable in landlord-tenant law and the information technology.