Student Privacy, FERPA and its weakening by the US Department of Education
The Family Educational Rights and Privacy Act (FERPA) was a strong privacy law when originally enacted by Congress in 1974. It forbid any educational agency, institution or school from disclosing personally identifiable information (PII) from a student’s educational records to any non-school official — even other governmental agencies — without parental notification or consent. Up to this point, many schools were denying parents access to their child’s records – which often contained erroneous or damaging information — while at the same time granting access to numerous third parties, including in some cases, the police or other governmental officials without parental knowledge or consent.
FERPA was intended to address these concerns by requiring that any educational institution or agency that receives federal funds must grant parents (or students if 18 or older) access to their educational records, and allow them to amend them if the information it contains is factually incorrect. The law also withheld federal funds from any school that released personally identifiable information (PII) contained in educational records to third parties, unless the parent or adult student consented. FERPA applies to any educational institution that receives federal funding, which includes all public schools and many private educational institutions as well.
But in 2008 and again in 2011, FERPA was radically revised by the US Department of Education – without any vote or authorization from Congress.
In 2008, the regulations were rewritten to allow states, districts and/or schools to share PII data from student records without parental notice or consent with any third party or company designated as a “school official,” including “contractors, consultants, volunteers, and other parties to whom an educational agency or institution has outsourced institutional services or functions it would otherwise use employees to perform.”
Then, in 2011, the regulations were revised to allow for the disclosure of PII, without parent consent, with organizations for the purpose of conducting conduct studies or audits of the effectiveness of an education program, allowing non-governmental actors to be defined as “authorized representatives” so they could access to student personal data. Previously, “authorized representatives” were entities over which educational authorities had “direct control,” such as an employee or a contractor. Now, an authorized representative could be nearly any individual or organization to whom an education agency wanted to assign that term.
The new regulations also redefined “education programs” to encompass programs not only focused on improving academic outcomes but also those related to behavioral improvements, regardless of whether the program was administered by an educational agency or institution.
In addition, in 2009, the Obama administration pushed through legislation in 2009 to require states receiving stimulus funds to develop longitudinal student data systems. These systems would collect a wealth of personal information on public-school kids – not just from their K12 educational records but linked to their higher education records, as well as highly sensitive data held by other state agencies, including health and medical information, family income, criminal justice and child services records – to essentially track their data throughout their lives “cradle to the grave”. The federal grant program enacted in 2010 known as “Race to the Top” further incentivized the creation of these state data systems, and encouraged states to collect even more detailed and highly sensitive data, and share the data more widely within and outside of schools. Multi-state databases were also beginning to be established, in which personally identifiable student information would be shared across state lines, which would have been illegal before FERPA was revised.
In fact, the sponsor of FERPA, NY Sen. James Buckley, said that the law was designed, in part, to prevent linking academic data to non-academic data; to act as a safeguard against “the dangers of ill-trained persons trying to remediate the alleged personal behavior or values of students,” which include “poorly regulated testing, inadequate provisions for the safeguarding of personal information, and ill-devised or administered behavior modification programs.”
Further weakening FERPA was a 2002 decision in which the Supreme Court held that students or their parents cannot sue an educational institution for damages if the school improperly discloses the student’s protected information. Instead, schools that failed to comply with FERPA could lose their federal funding – but to this day the US Dept. of Education has never imposed a financial penalty on any agency or institution for violating FERPA.
On February 29, 2012, the Electronic Privacy Information Center, or EPIC, sued the US Department of Education in federal court, arguing that it had rewritten the FERPA regulations in a manner exceeding the agency’s statutory authority, and contrary to the intent of the law. On September 26, 2013, the Court dismissed EPIC’s lawsuit, holding that neither EPIC nor any of its Board of Director co-plaintiffs had legal standing to bring the complaint. The Court did not address the substantive claims in the lawsuit.
Mark Rotenberg and Khaliah Barnes, Amassing Student Data and Dissipating Privacy Rights http://www.educause.edu/ero/article/amassing-student-data-and-dissipating-privacy-rights
Student Press Law Center, FERPA and Access to Public Records http://cdn.spl.s3.amazonaws.com/pdf/ferpa_wp.pdf
US Dept. of Education, Legislative History of Major FERPA Provisions http://www2.ed.gov/policy/gen/guid/fpco/ferpa/leg-history.html
Electronic Privacy Information Center, EPIC v. The U.S. Department of Education: Challenging the Dept. of Education’s Family Educational Rights and Privacy Act (FERPA) 2011 Regulations http://epic.org/apa/ferpa/default.html#background
Daniel J. Solove, Huffington Post Education, Student Privacy in Peril: Massive Data Gathering With Inadequate Privacy and Security, December 2011 http://www.huffingtonpost.com/daniel-j-solove/student-privacy-in-peril-_b_1156907.html
Achieve, Race to the Top: P-20 Longitudinal Data Systems http://www.achieve.org/files/RTTT-P20LongitudinalData.pdf
American Association of Collegiate Registrars and Admissions Officers (AACRAO), Comments to the US Department of Education about proposed revisions to FERPA, May 2011 http://www.nacua.org/documents/FERPA_AACRAOLetterMay2011.pdf
National School Boards Association, Comments to the US Department of Education about proposed revisions to FERPA, May 2011 http://www.nsba.org/SchoolLaw/
Electronic Privacy Information Center (EPIC), Comments to the US Department of Education about proposed revisions to FERPA, May 2011 http://epic.org/privacy/
National Association of Independent Colleges and Universities, Comments to the US Department of Education about proposed revisions to FERPA, May 2011 http://www.nacua.org/
American Council on Education, Comments to the US Department of Education about proposed revisions to FERPA, May 2011 http://www.acenet.edu/AM/
American Civil Liberties Union (ACLU), Comments to the US Department of Education about proposed revisions to FERPA, 2011 http://www.aclu.org/files/