Listen to the article 5 min

This audio is auto-generated. Please let us know if you have feedback.

Dive Brief:

• District and school Facebook posts that include students' photos and names may violate privacy by allowing third parties to access data about the children and teens, according to a report released Wednesday by the American Educational Research Association.
• Researchers looking at publicly available school system posts from 2005 through 2020 estimated that a small percentage of Facebook messages identified students by photo and first and last names. Nonetheless, the sheer volume of those posts — nearly 726,000 out of a total 18 million — meant schools shared a large amount of students' personally identifiable information.
• School systems rely on social media along with other communications to share news, including emergency protocols and student accomplishments, with their school community and the public. The report's authors recommend steps for administrators to take in balancing the desire to engage with their school communities against safety and privacy protections.

Dive Insight:

Researchers focused on Facebook posts because it is one of the most common social media platforms used by school systems, said Joshua Rosenberg, co-author of the report and assistant professor at the University of Tennessee. Rosenberg said this is the first study to consider student privacy implications from school systems' social media posts.

Researchers analyzed schools’ and districts' public Facebook posts that contained students' photos and those that contained both photo and name, finding 4.9 million photo-only posts and 726,000 photo-and-name posts. 

The concern is that the information can be shared by anyone — including government agencies, businesses and bad actors — without the knowledge of educators, families and students, Rosenberg said.

The report’s authors recommend schools not only take a legal approach to protecting student data by using media release forms, but an ethical one where school and district leaders follow specific steps to reduce privacy risks.

"The onus is on the people who choose to share information on the web," Rosenberg said.

The report's recommendations include:

• Improve media release forms. Schools could improve media release forms — signed by parents to allow their children's information to be posted — by adding a description of how the images and information will be shared.
  
  A separate study this year co-authored by Rosenberg found only 18% of media release policies in the 50 largest districts explicitly mention social media on their release forms. That research also found the opt-in/opt-out policy was unclear for 68% of the forms.
  
  Rosenberg said opt-in/opt-out policies could be clarified, with schools giving parents the choice to opt in or out of their child’s participation in social media posts separately from other communications.
  
  "We kind of need to update those so that parents have more ways of expressing how they want their kid's information to be shared," Rosenberg said.
   
• Make communication decisions with both a legal and ethical lens. Schools should not only be complying with the Family Educational Rights and Privacy Act — which bars improper disclosure of students' personally identifiable information — but also asking themselves whether publicly posting photos and names can do more harm than good.
  
  Rosenberg said some simple adjustments could reduce privacy risks. School and district Facebook profiles can be set to private, he noted. School systems can also use only first names or no names in posts, he said. 
  
  "Given what we know about how social media data is accessed by a range of actors, we think it raises some serious questions about what's right, and that's where that ethics lens comes in," Rosenberg said. "It's not saying we should never do this." 
   
• Broaden responsibility for student privacy protection. While the report offers takeaways for schools on safeguarding student data, the authors emphasize that the broader community can play a role, too. Facebook, for example, could have a default setting for school and district profile pages that would require a district to approve anyone who wants to view their pages. 
  
  Other social media platforms could also be asked to make privacy protections easier to use and understand, the report said.
  
  Regulators, meanwhile, can help businesses comply with the Children’s Online Privacy Protection Act, or COPPA, which was last updated in 2013. Earlier this year, the Federal Trade Commission issued a policy statement emphasizing its enforcement of COPPA for ed tech companies and their limited ability to collect, use and retain children’s data, as well as the companies' responsibility for data security requirements.
  
  "The Commission intends to fully enforce these requirements — including in school and learning settings where parents may feel they lack alternatives," the FTC's policy statement said.