On April 7, U.S. House of Representatives member Cathy McMorris Rodgers and Senator Maria Cantwell released a draft of a bipartisan federal privacy bill, the American Privacy Rights Act of 2024. The proposed bill aims to “put people in control of their own personal data” and “eliminate the patchwork of state laws by setting one national privacy standard.”
If adopted, the APRA would supersede state privacy laws. In the interim, some states have established their own data privacy laws, most recently being Florida, Oregon, and Texas. The Florida Digital Bill of Rights (FDBR), the Oregon Consumer Privacy Act (OCPA), and the Texas Data Security and Privacy Act (TDPSA), which all went into effect July 1, largely apply to those who conduct business in those states or produce a product or service used by residents in those states, and who also process or sell personal data.
Other states that have enacted similar privacy regulations include California, Connecticut, Colorado, Virginia, and Utah.
RELATED: How Is Your Organization Protecting Video Privacy?
Both K-12 and colleges process and store student personal data, such as addresses, birthdays, and disciplinary records. Most also store footage from security cameras that contain personally identifiable information such as student faces, which comes with unique privacy challenges.
To help Campus Safety to comply with these varying state laws, particularly as it relates to video privacy, we conducted a Q&A with Simon Randall, CEO and co-founder of Pimloc, a security and privacy company that specializes in helping educational institutions implement effective privacy solutions.
Q&A: Video Surveillance and Student Privacy
Campus Safety: Why is video privacy a critical issue for educational institutions today?
Simon Randall: There is a growing volume of video now being captured in educational settings including schools, universities, and daycares. This covers footage from CCTV for security and video captured for classroom training and monitoring, along with images and video captured to document student developments and for marketing purposes.
Many schools are also beginning to experiment with video analytics and other biometric technologies to help save time and increase school efficiency. Educational institutions need scalable privacy solutions that allow for the management of permissions and usage of images and video for data compliance and child safeguarding, and to allow for responsible data sharing to aid learning and analysis.
As we know, schools are particularly vulnerable environments. Protecting all students of all ages and needs – from both a safeguarding perspective and when considering personal data captured – is vital. This includes personal and medical records and visual data from video – all of which, in the context of children, are considered extremely sensitive and need to be kept secure and private.
Yet, CCTV footage may be requested from an incident in the form of an education record under the Family Educational Rights and Privacy Act (FERPA). In an educational setting, such requests can be made by parents or students, making it essential for institutions to ensure that any released footage protects the privacy of other individuals featured in the footage.
Removing Personally Identifiable Information in School Video Footage
CS: Can you share the best practices for protecting personally identifiable information (PII) in video footage captured by educational institutions?
SR: When handling video footage, especially in response to a formal request, it is crucial to adhere to best practices to protect the PII of all individuals involved. Often, schools may invite parents or the relevant authority to the premises and show them the footage in-house, believing that’s sufficient. Others may send a cut-down clip of an incident without further editing, leaving the faces of other parties visible. Both practices are incorrect and can lead to a breach of data privacy for those individuals captured in the video.
The first step is to inform internal HR about the request and log it accordingly. Second, verify the identity of the student making the request. If the request is made on behalf of a student, ensure there is proof that the child has consented to the request or that they are not competent to do so themselves.
Once the request is validated, locate the video footage from the relevant incident or time period. Upload the video to an automatic redaction platform that applies redaction boxes to personal data. It is important to review these redaction boxes within the platform before downloading the final redacted video to ensure all PII is properly obscured.
CS: What are some strategies that can be employed to redact or anonymize video footage without compromising the security systems in place for students and faculty?
SR: An hour of CCTV footage can contain over two million faces. Manually redacting personal data from every frame is a time-consuming, tedious task that demands considerable attention to detail. Compliance managers may need days or even weeks to redact just a few minutes of video. By protecting all personal data in video by default, educational institutions can remain compliant while sharing video content internally or with third parties.
Today, there are AI-powered privacy solutions available specifically designed for CCTV footage that can automatically identify and track PII in both visual and audio streams, allowing for quick redaction of all except the person or people of interest.
These solutions are developed to handle security footage specifically to ensure that educational institutions can still capture all of the necessary footage to maintain a safe learning environment – all while safely anonymizing all personal data in live or captured video for data compliance, child safeguarding, wider sharing, marketing, and video analytics.
New Data Privacy Laws and Its Impacts on Schools
CS: How will the new data privacy laws in Texas, Florida, and Oregon impact educational institutions’ handling of video footage?
SR: The new data privacy laws in Texas, Florida, and Oregon will impact educational institutions’ handling of video footage in various ways. Although these laws generally do not apply to data governed by FERPA, it’s crucial that educational institutions still adopt these practices sooner rather than later to ensure compliance.
Oregon’s law explicitly requires the de-identification of data, meaning schools must anonymize video footage before sharing it to protect individuals’ identities. In Texas, the emphasis on consumer rights, such as access, correction, and deletion, means that schools must be prepared to handle requests from students, parents, and staff. They will need tools to redact or anonymize third-party information in footage and implement security measures like encryption and access controls.
In Florida, while the law primarily targets Big Tech, it’s crucial for educational institutions to protect sensitive video footage, especially from areas like classrooms and hallways, through data minimization and transparency. Schools should provide clear notices about how footage is used and limit the collection to what is necessary.
Additionally, schools using external EdTech vendors should ensure these companies have proper measures in place for handling personal data, as they may fall under the law’s scope.