Privacy

CERTIFICATION WITH RESPECT TO MINORS.--A certification under this paragraph is a certification that the school, school board, local education agency, or other authority with responsibility for administration of the school--
(i) is enforcing a policy of Internet safety for minors that includes monitoring the online activities of minors...

Districts must consider how they will address the expectations of privacy that student and staff may have in the contents of their personal e-mail files or records of online activities. The CIPA requirements do not address staff use of the Internet but the system or approach chosen for monitoring may also result in monitoring of staff use. So it is best to address issues of monitoring and privacy expectations for all users.

Expectations of Privacy

People are still struggling to hold onto the right of privacy at the same time that technology seems to be removing many vestiges of this important interest. In general, people appear to have a much greater expectation that they should have a greater right to privacy in their personal e-mail files, as compared to web search logs. Any district that attempts to establish a standard that neither students nor staff have any privacy expectation whatsoever in their e-mail files and that district staff can review those files at any time for any reason, should prepare itself for a response of anger and indignation. And probably rightly so. This level of intrusiveness is generally not necessary or justifiable.

On the other hand, it is also true that the vast majority of employers, both corporate and government, are regularly and routinely monitoring employee use of the Internet, including web logs and e-mail. And for government employees, all electronic communication and web logs are considered to be public records -- thus, clearly not private.

Districts must prepare students to be successful in their future work environments. Part of this preparation certainly must be an understanding of the limitations of privacy in certain situations and the ability to govern behavior and communications in accord with the given expectations of privacy of that particular environment. Students or staff who discuss private matters in the middle of a crowded lunch room are in no position to complain about the violation of their personal privacy on the part of those who might overhear their conversation.

Legal Standards for Student and Staff Privacy

The standards for school officials in conducting a search and seizure in the school setting where there is a legitimate expectation of privacy were enunciated by the Supreme Court in the case of New Jersey v. T.L.O . These standards are:

  • Was the search "justified in its inception ?" A search is justified when there are "reasonable grounds for suspecting that the search would turn up evidence that the students has violated or is violating either the law or rules of the school .

  • Was the search "reasonably related in scope to the circumstances which justified the interference in the first place ?" A search is reasonable when "the measures adopted are reasonably related to the objectives of the search and not excessively intrusive in light of the age and sex of the student and the nature of the infraction ."

Clearly, the T.L.O. standards would apply in cases where there is an individualized search based upon reasonable suspicion of wrongdoing. The question remains whether the district can randomly investigate the contents of a student's personal e-mail files and the records of their online activity. The answer to this question depends on whether the student has a reasonable expectation of privacy .

The extent of a district's ability to investigate the personal files of staff is less clear. In O'Connor v. Ortega , the Supreme Court held that employees did have constitutionally protected privacy interests in the work environment but that the reasonableness of the employee's expectation of privacy must be determined on a case-by-case basis. The Court then applied the T.L.O. standards of reasonableness to employer intrusions of employee privacy for noninvestigatory, work-related purposes, as well as for investigations of work-related misconduct.

Electronic communications of public employees are generally considered to be discoverable under state public records laws, therefore it could be argued that employees have no expectation of privacy. On the other hand, the common practice is to treat e-mail as private. This could give rise to the reasonable expectation that unless there is a public records request, the district will respect the privacy of an employee's e-mail.


Application of Legal Standards

Clearly the first step in the application of current privacy standards is the establishment of the "expectation of privacy." Districts have essentially two options in the establishment of this expectation. The following is how these expectations might be expressed:

  • Users have no expectation of privacy when they use the district's Internet system. The district can and will monitor all use of the Internet, including personal e-mail files, web logs, and any other usage.

  • Users have a limited expectation of privacy in the contents of their personal files or record of web research activities on the district's Internet system. Routine maintenance and monitoring, utilizing both technical monitoring systems and staff monitoring, may lead to discovery that a user has violated district policy or the law. An individual search will be conducted if there is reasonable suspicion that a user has violated district policy or the law. In certain circumstances, a building administrator has the right to eliminate any expectation of privacy by providing notice to the students. Students' parents have the right to request to see the contents of their children's e-mail files. Staff are reminded that their communications are subject to public records disclosure laws.

It is strongly recommended that district opt for the second option. A limited expectation of privacy is far more respectful of the legitimate privacy interests of both students and staff. All of the district's responsibilities related to ensuring a safe and responsible school environment can be met with by establishing this limited expectation of privacy. There is absolutely no justification for a greater amount of intrusion.

Routine Maintenance and Monitoring

Routine maintenance and monitoring may be facilitated with the use of technical monitoring tools. These tools may operate in "real time," such as monitoring systems that allow an administrator to directly remotely view what is on the screen of another computer. Other tools may involve an intelligent analysis of Internet use traffic that seeks to detect communication patterns that may reveal instances of inappropriate activity. These kinds of products combine the activities of filtering and monitoring. As is discussed in Technology Protection Measures and A Matter of Local Control chapter, the products that both filter and monitor, called Filter and Report in this Planning Guide, would appear to meet the requirements of a Technology Protection Measure.

Other district may opt for staff monitoring of web logs and other usage data. This approach is feasible with a smaller district with low amounts of Internet usage. For larger districts, the staff monitoring activity may become unnecessarily time consuming and/or ineffective.


Individualized Searches

The district should establish a process by which individualized searches are approved. Any individualized search of staff e-mail files should require approval by that staff member's supervisor. A report indicating the circumstances that have raised the reasonable suspicion should be prepared and the results of the search should be recorded. This report should be filed in accord with standard district procedures related to staff discipline.

Products that Filter and Report work in a manner that clearly meets the reasonable suspicion standard. They report on suspected violations of the Internet Use Policy. Other traffic remains private.

Any individualized search of student e-mail files should be conducted only by authorized staff. Generally, the staff who are authorized to conduct an individualized searches will be the district's technology coordinator and his/her designee and any administrators in the students' school.

No Expectations of Privacy

Districts may also determine that there are certain situations where these are to be no expectations of privacy. These situations may include the following:

  • Elementary students using electronic communications should likely have no expectations of privacy. They should use group or classroom e-mail accounts. If individual e-mail accounts are established, teachers should have full and complete access to these accounts at any time for any reason.

  • The elimination of any expectation of privacy may be an appropriate disciplinary response when a student has been misusing electronic communications. As a disciplinary consequence, a student can be informed that for a period of time an administrator can and will regularly review his/her personal e-mail files or the e-mail system can be configured to have an automatic copy of any communication by the student sent to the teacher.

  • If there are significant problems emerging within a particular school related to electronic communications, the school administrator may decide that for a period of time there will be absolutely no expectation of privacy and any student's personal e-mail files may be reviewed at any time.

  • For staff, there is no expectation of privacy in the event of a public records request.

  • For students, there is no expectation of privacy in the event their parents request access to their personal files.


NOTICE

Regardless of the approach any district may take to privacy, the MOST IMPORTANT step a district must take if fully and completely informing all students and staff what they can expect in terms of privacy.

When people use the Internet, they frequently have a misperception about the degree to which their actions are recorded and can be monitored. This perception of "invisibility" can lead to a belief that misbehavior cannot and will not be detected. It sometimes is amazing how even well-educated district staff can establish such misperceptions about the degree to which their actions can be detected. School attorneys report that on a regular basis they must deal with disciplinary situations where school staff -- from relief custodians to superintendents -- have been found to have been downloading pornography on school computers.

All users of the system should be provided with absolutely clear notice about how the district will monitor Internet use. Students in secondary school and all school staff should be provided with actual monitoring records to dispel any vestiges of the perception that their actions are invisible. If any technology monitoring tools are used, secondary students and staff should be provided with records of how the system works and what evidence it can detect. Districts may want to remind students of the monitoring with a notices and examples of usage records placed in computer labs. Some districts provide information about the limitations of privacy directly on the log-on screen so that users are reminded of monitoring every time they log onto the computer.

Another advantage of providing effective notice is the preventive effect of such notice. When students and staff are fully aware of how their actions are being monitored, only the most foolish will risk engaging in misuse.