FERPA, the most widely used federal education law, has not kept pace with changing times.
FERPA — the Family Educational Rights and Privacy Act — is one of the most commonly encountered education laws in the U.S. Any educational institution that receives federal funds must follow FERPA mandates, so the law touches almost every institution of higher and K-12 education in the country.
FERPA protects student privacy by laying out when and how “education records” that are maintained by the school can be used within and outside the school district, and when student records can be released. FERPA’s goal is to prevent unauthorized disclosure of students’ personally identifiable information. School employees and school attorneys handle student records and data according to FERPA every day. But the law was enacted in 1974 before digital recordkeeping, big data, texts, email, the internet, and easy digital transmission of information, which means that much about FERPA is now outdated.
In 2015, both houses of Congress tried to revise the law, but negotiations got bogged down and didn’t get far. Thus, while FERPA is the federal education law we rely on most often, it is also the most antiquated.
The statute’s terminology has become obsolete. The original law defines “education records” as “records, files, documents, and other materials,” which reflected the hardcopy recordkeeping of that time. Regulations broadened records to include “information recorded in any way, including, but not limited to, handwriting, print, computer media, video, audio tape, film, microfilm, and microfiche.” Nowadays, though, educators work with data, not “records.” Whether the data that’s collected and used today falls into this definition is not clear (and the wording is more quaint than useful). Today, educators must think of the full range of student data that’s collected and used in various forms. School personnel must use data wisely to serve student learning while assuring an individual’s privacy.
Student data are stored in ways not envisioned in 1974. The statute and regulations refer to education records “maintained” by the school, and the language suggests that this means hard copy files stored in paper folders and metal filing cabinets. But, of course, schools now store digital data on servers and in the cloud, which has led to conflicting legal judgments as to whether schools can truly be said to be “maintaining” those records at all. S.A. v. Tulare County Office of Education, 2009 WL 3296653 (E.D. Cal. 2009), concerned a school district in California that had failed to produce emails that referenced a specific student and which the parents of that student had sought. Since those emails had not been printed and placed in the student’s file, the court held, there was no FERPA violation. But in State Ex Rel. ESPN v. Ohio State Univ., 970 N.E. 2d 939 (Ohio 2012), the Ohio Supreme Court found that FERPA applied to a school district’s emails even though they were kept digitally on a central server.
Students blend high school and college enrollments more frequently. According to FERPA, students control their own privacy rights when they attend a postsecondary institution — university students must affirmatively provide their parents access to their records. Today, though, many young people start taking college courses while still enrolled in high school. For most purposes, these students are not college students. But it is unclear whether they have the FERPA privacy rights of postsecondary students.
In 1974, videotapes were uncommon; today, digital video recordings are ubiquitous. Schools often use video surveillance in school buses and on school grounds, but FERPA application to videos is not clear. For example, most schools freely post video of student musical or theatrical performances on their web sites, Facebook pages, and YouTube channels. However, few schools would consider these to be FERPA-protected records, which could not be released without parental permission for all the students involved. The issue becomes especially complicated when two students are captured on a video together, one a possible victim of some offense at the hands of the other, usually a fight. Often, when one set of parents asks for a copy of the video, the school will refuse to provide it without the consent of the other student. To further complicate the situation, some courts have held that FERPA does not cover video surveillance tapes at all because the tapes are not educational records (Rome City School District v. Grifasi, 806 N.Y.S. Sup. Ct. 2005; Lindeman v. Kilso School District, 172 P.2d. 329, Wash. 2007).
Student data are now used in ways never envisioned in 1974. In the 1970s, student information was used in disciplinary records, transcripts, and rosters. Today, data are used in statewide longitudinal data systems, test development, school audits, personnel assessment, and school accountability. Even where data are not personally identifiable (i.e., they have been de-identified and aggregated), many people, especially parents, have concerns about their security and use.
The definition of “school officials” has changed over time. FERPA allows for the release of student data without prior parental consent to “school officials” with a “legitimate educational interest.” In 1974, however, schools did not usually contract with outside vendors to provide instructional and assessment products. Today, schools, teachers, and other school employees do so regularly, transmitting large amounts of student data to private vendors working in technology, instruction, testing, and data management, and these outside contractors may be considered “school officials” if they perform functions that school employees would serve and if their authority to release student information remains under the school’s control. Increasingly, online educational services also collect large amounts of student data. When that information is converted into contextual or transactional metadata, which have been stripped of all direct and indirect identifiers, they are not FERPA-protected. However, schools must negotiate and ensure FERPA compliance when they collect such data or enter into such contracts.
Protecting student privacy
With the aging of FERPA, many states have stepped in to ensure modern data privacy protection for students. Since 2013, according to the Data Quality Campaign (www.dataqualitycampaign.org/resource/2016-student-data-privacy-legislation), most states have passed statutes that address both data privacy and data security in schools. Further, the U.S. Department of Education’s Privacy Technical Assistance Center (http://ptac.ed.gov) has issued guidance documents and offered training on student data privacy and security. If Congress does not pass a thorough update of FERPA soon, this patchwork of state law and federal guidance will effectively replace it. However, draft revisions to FERPA began circulating in 2015, so keep your eye out for new federal action.
JULIE UNDERWOOD (Julie.Underwood@wisc.edu) is the Susan Engeleiter Professor of Education Law, Policy, and Practice at the University of Wisconsin-Madison.
Originally published in May 2017 Phi Delta Kappan 98 (8), 74-75. © 2017 Phi Delta Kappa International. All rights reserved.