UW Privacy Office

Privacy Guidelines for Engaging Youth Virtually

Table of contents

  1. Purpose
  2. Minimize Data Collection and Recordings
  3. Create Transparency
  4. Use Photographs, Video Recordings, Audio Recordings, and Content Created by Participants Appropriately
  5. Use Appropriate Resources for the Constituents’ Personal Data and the Given Environment/Activity
  6. Protect Your Own and Other Individuals’ Privacy
  7. Learn about Laws and Regulations Related to Youth’s Personal Data
  8. Additional Resources

 

1.     Purpose

The purpose of these guidelines is to assist UW workforce members (i.e., employees, trainees, students, volunteers, and other entities or persons who perform work for the University) in safeguarding the privacy of youth when engaging with youth online or in virtual programs. For the purposes of this document, youth are defined as individuals under the age of 18 who are not enrolled students of the University.

These guidelines are the parameters that need to be taken into account when planning to engage youth virtually. These guidelines and the corresponding “Engaging Youth Virtually” FAQs may be updated as necessary to address privacy requirements and best practices.

2.     Minimize Data Collection and Recordings

When designing online activities that involve youth and their personal data, limit data collection and data processing to the minimum required to fulfill the purpose of the activity. UW workforce members should not turn on video or audio recording features while interacting with youth virtually unless there is a clear purpose for the video or audio recording, and the data collection and data processing is consistent with the UW Privacy Policy for Youth Programs.

3.     Create Transparency

Before engaging youth virtually, the parent or guardian must be notified about the data collection and data processing activities through a privacy notice and/or must provide consent.

If the activity is not related to IRB-approved research or UW Medicine patients, follow the UW Privacy Policy for UW Youth Programs, including use of the provided Privacy Notice and Privacy Consent forms.

If the activity is related to:

Washington law requires two-party consent for lawful audio recording of private conversations. These laws may pertain recording certain online or virtual interactions.  More information about providing privacy notices and soliciting consent is available in the UW Privacy Office’s Website for Youth Programs.

Note: If a UW student is doing a practicum at a school, the host school is likely responsible for providing proper notice or soliciting consent from the parent or guardian.

4.     Use Photographs, Video Recordings, Audio Recordings, and Content Created by Participants Appropriately

Before engaging youth virtually, the intended use of specific features (e.g., real-time audio of youth participants, real-time video of youth participants, and recording) must be consistent with the below requirements from the UW Privacy Policy for Youth Programs.

Photographs, video recordings, audio recordings, and content created by participants (ex. essays, stories, notes, artwork, etc.), referred to as “Identifying Content”, may be processed internally in a UW Youth Program without prior consent to:

  • Achieve the educational, experiential, or similar objectives pursued within a UW Youth Program; and/or
  • Measure and/or document a UW Youth Program’s effectiveness.

However, prior consent is required when Identifying Content is:

  • Published in the promotional materials (such as brochures, online content, videos) of a UW Youth Program and/or the UW;
  • Showcased on a UW Youth Program website, bulletin board, blog or through a similar publicly-accessible medium; and/or
  • Shared with a third-party (such as a funding partner) for reporting that is optional for a UW Youth Program.

If the activity is related to IRB approved research, see the Video Conferencing and Privacy Considerations provided by Office of Research.

5.     Use Appropriate Resources for the Constituents’ Personal Data and the Given Environment/Activity

UW resources, including IT resources, may only be used for purposes consistent with the University’s educational mission and programs.

University employees may not use state resources (including any person, money, or property) under their control or direction or in their custody, for personal benefit or gain of any other individuals or outside organizations. For more information see:

UW students’ use of UW computing resources, network, and UWNetID credentials must be consistent with the:

a.     Engaging Youth at an External/Non-UW Entity

When engaging youth in a business, transactional, educational, or professional activity other than UW research at an external/non-UW entity (e.g., experiential learning, internships, or outside work), the personal data processed at an external/non-UW entity may be:

  • Governed by laws or regulations with specific requirements about how the data are processed, used, and/or stored by the external/non-UW entity;
  • Subject to UW policies; and/or
  • Subject to the external/non-UW entity’s privacy and data protection policies.

Consult with the external/non-UW entity to identify an appropriate technology solution, which may or may not be UW-provided technology.

b.    Engaging Youth at a UW Department

UW workforce members may use UW provided technology appropriate for use with youth, when engaging youth through experiential learning or internships that take place within a UW department/unit.  See Youth FAQs for more information.

c.     Engaging Youth Virtually in UW Research

When designing a study that will engage youth virtually, the personal data processed by UW researchers may be:

  • Governed by laws or regulations with specific requirements about how the data are processed, used, and/or stored;
  • Subject to UW policies; and/or
  • Subject to an external/non-UW entity’s privacy and data protection policies if the research individuals at an external/non-UW entity (e.g., in a K-12 school or a healthcare facility).

Note: Youth participants or human subjects are often not eligible to receive an account to UW-IT technology resources. The technology agreements may not include a) privacy protections for youth; and/or b) use of the technology by external/non-UW entities or individuals who are not UW workforce members or enrolled students.  

Researchers may use certain UW provided technology for their portion of the interaction.

For more information about UW-IT provided technology see the FAQs and IT Connect or contact help@uw.edu.

d.    Engaging Youth in Telehealth Services for UW Healthcare Components, UW Medicine, and UW Medicine Affiliated Covered Entity

When engaging youth as patients at UW Medicine and UW Healthcare Components, follow the patient information privacy policies provided by UW Medicine Compliance or contact comply@uw.edu.

If the telehealth services relate human subjects, see the IRB Guidance on Involvement of Children in Research.

6.     Protect Your Own and Other Individuals’ Privacy

If you are in an online conferencing session with real-time audio, real-time video and/or recording, consider the best practices below for protecting your own privacy and the privacy of those around you.

  • Find a private space with a neutral background that:
    • Does not reveal any identifying or sensitive information about yourself or other individuals
    • Is age appropriate for youth
  • Utilize any features offered by a recording or online conferencing solution to blur your background or replace your actual background with a static image (e.g., a virtual background available through Zoom).
  • Mute your device and/or switch off your camera if there is no added value or expectation from your organizer or other invitees to appear on-screen or be heard.
  • Make sure others in your surroundings do not appear on-screen and cannot be heard.

7.     Learn about Laws and Regulations Related to Youth’s Personal Data 

The following laws and regulations may relate to the data collection and processing of youth’s personal data. This is not an exhaustive list.

It is the workforce member’s responsibility to ensure that the regulatory requirements are met if the regulation applies to the data collection and data processing activity.

a.     Family Educational Rights and Privacy Act (FERPA)

FERPA (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records.

FERPA regulates the disclosure of Personally Identifiable Information from youth education records in all public elementary and secondary schools, school districts, intermediate education agencies, state education agencies, and any public or private agency or institution that uses funds from the U.S. Education Department.

FERPA and IRB requirements are usually met if a parent (or “Eligible Student” as defined in § 99.3) signs a consent form to participate in a research study and authorizes the release of his/her child’s Education Records for research purposes.

FERPA regulations specify that a parent or Eligible Student must provide a signed and dated written consent in accordance with the requirements of §99.30 before Personally Identifiable Information from Education Records is disclosed, unless the disclosure falls within one of the exceptions set forth in §99.30

FERPA’s consent provisions require a specification of 1) the records that may be disclosed; 2) the purpose of the disclosure; and 3) the identity of the party or class of parties to whom the records may be disclosed.

FERPA allows an educational agency or institution to disclose personally identifiable information from an Educational Record of a student without consent if the disclosure is to organizations conducting studies for, or on behalf of, educational agencies or institutions to:

  • Develop, validate, or administer predictive tests
  • Administer student aid programs
  • Improve instruction (34 CFR §99.31)

A school district or postsecondary institution that uses this exception is required to enter into a written agreement with the organization or researcher conducting the research that specifies:

  • The determination of the exception
  • The purpose, scope, and duration of the study
  • The information to be disclosed
  • That information from education records may only be used to meet the purposes of the study stated in the written agreement and must contain the current requirements in 34 CFR §99.31 (a)(6) on re-disclosure and destruction of information.
  • That the study will be conducted in a manner that does not permit personal identification of parents and students by anyone other than the representatives of the organization with legitimate interests
  • That the organization is required to destroy or return all personally identifiable information when no longer needed for the purposes of the study.
  • The time period during which the organization must either destroy or return the information

b.    Protection of Pupil Rights Amendment (PPRA)

The PPRA (sometimes also called the Hatch Amendment, the Grassley Amendment, or the Tiahrt Amendment) and the No Child Left Behind Act are federal regulations that require schools (and researchers who perform these activities at or in connection with the schools) to: 1) Notify parents of the activities, in advance; 2) Make the survey, analysis, or evaluation materials available for inspection by the parents, upon request, before the materials are administered or distributed to students; 3) Obtain consent from a parent for his/her minor child’s participation or allow the parent to opt the child out of participation. This parental consent specific to these circumstances cannot be waived.

PPRA is applicable when research involves students (below age 18) participating in a survey, analysis, or evaluation that reveals information concerning:

  • Political affiliations or beliefs of the student or the student’s parent
  • Mental or psychological problems of the student or the student’s family
  • Sex behavior or attitudes
  • Illegal, anti-social, self-incriminating, or demeaning behavior
  • Critical appraisals of other individuals with whom the students have close family relationships
  • Legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers
  • Religious practices, affiliations, or beliefs of the student or student’s parent or
  • Income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program) 

c.     Children’s Online Privacy Protection Act (COPPA)

The federal COPPA (Children’s Online Privacy Protection Act) applies if a workforce member is: 1) Operating a website or an online service directed toward children; 2) Actively collecting or maintaining personal information from or about the users of or visitors to that website or online service; and 3) The users or visitors are likely to include children under the age of 13.

COPPA requires the workforce member to:

  • Obtain verifiable parent permission for the collection, use, or disclosure of the personal information;
  • Provide notice on the website of what information is collected, how it will be used, and disclosure practices;
  • Provide to a parent, upon request, a description of the specific type of personal information collected from the parent’s child and the opportunity to refuse to permit your further use or maintenance in retrievable form the child’s personal information.

d.    European Union General Data Protection Regulation (GDPR)

GDPR broadly applies to data about persons who reside in the European Union (EU). GDPR limits when and how organizations worldwide can collect, store, process, and use personal data. It also provides individuals with certain rights related to their personal data, including notice or consent, rights of access, and in some cases, requests for deletion.

The GDPR applies to any and all areas of the UW that collect or process (for example analyzing, storing, and deleting) personal data about persons who reside in the EU. Personal data is defined as any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, by reference to: 1) Any identifier, such as name, ID, location data, online identifier; or 2) Factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. 

For more information see UW Privacy Policy for EU GDPR

8.     Additional Resources

For definition of terms, see UW Privacy Office’s Glossary of Terms.

For policy information, see  UW Privacy Policy for UW Youth Programs

For program and resource information, see UW Privacy’s webpage on Youth Programs.

For examples and use cases, see frequently asked questions for engaging youth virtually.

For more information about  youth program requirements, see Administrative Policy Statement 10.13 Requirements for University and Third Party Lead Youth Programs and Guidance for Virtual Youth Programs.