July 2023 Security Topic - FERPA and Cybersecurity


The Family Educational Rights and Privacy Act (FERPA) is a surprisingly interesting law. The act was passed in 1974 in the wake of Watergate and President Nixon’s resignation from office. There was no congressional committee discussion about FERPA. It was added to the General Education Provisions Act as an amendment without much excitement or fanfare (Stone & Stoner, 2002).

Despite its quiet adoption, FERPA did address a very real problem in the education system. Schools kept large volumes of notes about the development of young students, and these notes were often unnecessarily verbose, subjectively judgmental, and deeply personal. They were used to make decisions about a child’s educational placement, and they were available to anyone in the government for any reason. Parents could not challenge their accuracy, and their use and disclosure were often not communicated to parents at all (Stone & Stoner, 2002).

The intent of FERPA was to curb these abuses and provide transparency to parents. It is a law very much related to antiquated notions of the school filing cabinet. It is focused on giving parents the right to understand and be involved in educational decisions made about their child. Although the focus was clearly on minors and those related issues, Higher Education was also included in the legislation (Stone & Stoner, 2002). 

In today’s highly digitized world, applying FERPA’s notion of an education record, of how records are managed, of who maintains them and of who can access them is incredibly challenging (Stone & Stoner, 2002). FERPA defines an education record as any information “directly related to a student” which is “maintained by an educational agency or institution or by a party acting for the agency or institution” (ECFR, 2023). It provides an exception for “records that are kept in the sole possession of the maker…and [that] are not accessible or revealed to any other person except a temporary substitute for the maker of the record” (ECFR, 2023). These seem like clear definitions until we hold them up against the reality of today’s world.

For example, if a teacher uses a personal Dropbox (or iCloud, etc.) account to store information related to students, is that information still in their sole possession? Is the collection of device information and activity from students for facilities utilization an education record? Is the collection of information from students by third-party applications a disclosure of education record information? The very nature of most of our technologies involves data collection and sharing at a level that was unimaginable in 1974. Even as I write this article, I can’t help but wonder what information is being collected by Microsoft related to my typing session and how it is being used. Sharing of information is inherent in almost every modern connected technology.

The difficulty of enacting FERPA’s intent in modern times can be seen most clearly in its enforcement. The Student Privacy Policy Office (SPPO) is the office within the Department of Education responsible for enforcing FERPA. The SPPO does not audit educational institutions to ensure that they comply with FERPA’s provisions. Instead, it relies almost exclusively on parents and students to file complaints about privacy violations (Bruce, 2022). The SPPO has had severe complaint backlogs of more than two years because it lacked sufficient resources to process all the complaints it received in a timely manner. When given the opportunity to apply more resources to this problem, the SPPO chose to resolve other issues unrelated to complaint processing (Bruce, 2019). We present this not to pass judgment on the capabilities of the SPPO, but to show that significant numbers of privacy complaints are being made and that they are difficult to address under FERPA.

FERPA itself contains many shortcomings, which are understandable considering its history. While traditional disclosures are clearly addressed by the Act, many modern problems are not. One major issue is the threat of data breach. The theft of data has the same potential negative impact as disclosure without consent. An institution may administratively prevent the release of information, but criminals are proving they can simply take the information anyway. Once that stolen information is released, it is often considered public and can be used for any purpose.

FERPA does not mandate the protection of digital student information from theft, nor does it mandate that a basic set of protection standards be applied (Federal Register, 2011). On the topic of mandating prevention of data breaches, the Department of Education and FERPA itself have been relatively silent. The Department of Education encourages good practices, but encouragement is far from sufficient for many institutions. Encouragement alone does not justify data protection measures for organizations that rely on clear and authoritative guidance before committing time and resources to a problem.

The effect of clearer mandates can be observed in the most recent update to the Gramm-Leach-Bliley Act (GLBA). GLBA is a consumer privacy protection law enforced by the Federal Trade Commission (FTC) and aimed at the financial services industry (How to Comply, n.d.). Higher Education is designated as a financial institution under the law due to its role in facilitating student loan borrowing (Federal Register, 2001). Because education records are defined so broadly, GLBA’s definition of consumer records and FERPA overlap in many areas.

On December 9, 2021, the FTC added a requirement for financial institutions to protect consumer data with a baseline of cybersecurity protections. As an agency that must also comply, the Federal Student Aid (FSA) office had to adopt these protections into its own agency and related processes. This led it to issue additional guidance on GLBA, reminding institutions of the need to comply with the new provisions (Updates to the GLBA, 2023).

Unlike FERPA, which requires no audit, GLBA requires some proof of compliance. In its annual report for 2022, FSA highlights its performance of these audits with 282 Institutions of Higher Education (IHEs). It contacted each of those IHEs and established Corrective Action Plans (CAPs) to ensure that compliance requirements were achieved (Cardona et al., 2022). Under GLBA, the FSA was required to proactively ensure the protection of consumer information. In contrast, under FERPA the SPPO was not required to do the same.

Where does this leave us with FERPA? Should we accept the challenge of evaluating the importance of privacy to our campus community members beyond the limitations of the enforcement mechanisms available to the judicial system and regulatory agencies? Or should we operate with a “catch me if you can” methodology that eschews the complexities of acting lawfully and instead favors operating only where punishment is clear and immediate? Should we strive to logically extend our concept of FERPA beyond a school’s digital “filing cabinet” (the School Information System and the Learning Management System) to all the locations where education records are collected and stored?

Even if we decline to take on the challenges of ensuring data privacy under FERPA, much like the FSA we will be forced to confront these challenges under GLBA within the context of student financial aid. Ideally, the lessons we learn under GLBA can also improve our ability to meet the spirit of FERPA. FERPA is currently not sufficient to compel institutions of higher education to protect student privacy. Institutions must instead understand privacy issues and strive to be responsible in this area on their own, often without the heavy hand of immediate legal and regulatory consequences.

References  

Bruce, S. (2022). Semiannual Report to Congress, No. 85. Office of Inspector General. https://oig.ed.gov/sites/default/files/reports/2023-07/EDOIGSAR85.pdf

Cardona, M., Cordray, R., & Lucas, R. (2023). FY 2022 Annual Report. Federal Student Aid. https://www.oversight.gov/sites/default/files/oig-reports/ED/FY-2022-FSA-Financial-Statement-Audit.pdf

eCFR :: 34 CFR Part 99 -- Family Educational Rights and Privacy. (2023, July 6). https://www.ecfr.gov/current/title-34/subtitle-A/part-99?toc=1

Federal Register :: Privacy of Consumer Financial Information. (2001, July 1). https://www.federalregister.gov/documents/2000/05/24/00-12755/privacy-of-consumer-financial-information

Federal Register :: Family Educational Rights and Privacy. (2011, December 2). https://www.federalregister.gov/documents/2011/12/02/2011-30683/family-educational-rights-and-privacy

How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act | Federal Trade Commission. (n.d.). Retrieved July 1, 2023, from https://www.ftc.gov/business-guidance/resources/how-comply-privacy-consumer-financial-information-rule-gramm-leach-bliley-act

Stone, K. J., & Stoner, E. (2002). Revisiting the Purpose of FERPA. Stetson University College of Law 23rd Annual National Conference on Law and Higher Education. Stetson University College of Law. https://www.stetson.edu/law/academics/highered/home/media/2002/Revisiting_the_Purpose_of_FERPA.pdf

Updates to the Gramm-Leach-Bliley Act Cybersecurity Requirements | Knowledge Center. (2023, February 9). https://fsapartners.ed.gov/knowledge-center/library/electronic-announcements/2023-02-09/updates-gramm-leach-bliley-act-cybersecurity-requirements

Details

Article ID: 146525
Created
Mon 7/17/23 2:17 PM
Modified
Wed 12/13/23 4:12 PM