Prepared by the Parent Coalition for Student Privacy (www.studentprivacymatters.org)
The Family Educational Rights and Privacy Act (FERPA) was a strong privacy law when originally enacted by Congress in 1974. It forbid any educational agency or school from disclosing personally identifiable information (PII) from a student’s educational records to any non-school official — even other governmental agencies — without parental notification or consent. The background to this law was that many schools were denying parents access to their child’s records – which often contained erroneous or damaging information — while at the same time granting access to the police or other officials without parental knowledge or consent.
FERPA was intended to address these concerns by requiring that any educational institution or agency that received federal funds must grant parents (and students 18 or older) access to their own educational records, and allows them to amend it if the information is factually incorrect. The law also withholds federal funds from any school that released “personally identifiable information” contained in educational records to third parties, unless the adult student or parent has consented. It applies to any educational institution that receives any federal funding, which includes all public schools and most private institutions.
But in 2008 and again in 2011, FERPA was radically revised by the US Dept of Education – without any vote of Congress.
In 2008 the regulations were rewritten to allow schools and districts to share PII data from student records without parental notice or consent with any third party or company they designated as a “school official,” including “contractors, consultants, volunteers, and other parties to whom an educational agency or institution has outsourced institutional services or functions it would otherwise use employees to perform.”
Then, in 2011, they allowed for the disclosure of PII, without parent consent, with organizations that would conduct studies or audits of the effectiveness of an education program, allowing non-governmental actors to be defined as “authorized representatives” so they could get increased access to student personal data. Previously, “authorized representatives” were entities over which educational authorities had “direct control,” such as an employee or a contractor. Now, an authorized representative could be nearly anyone that an education agency wanted to assign that term to.
The new regulations also redefined “education programs” to encompass programs not only focused on improving academic outcomes but also those related to behavioral improvements, regardless of whether the program was administered by an educational agency or institution.
In addition, the Obama administration pushed through legislation in 2009 that required states receiving stimulus funds to develop longitudinal student data systems that would collect a wealth of personal information on public-school kids – not just from their educational records but also obtained by other state agencies, including health and medical information, family income, criminal justice and child services records – to essentially track their lives “cradle to grave.” Race to the Top also incentivized the creation of these state data systems, and encouraged states to collect more and more detailed and highly sensitive data, to be shared among state agencies, all of which would have been illegal under the original interpretation of FERPA.
In fact, the original sponsor of FERPA, New York Sen. James Buckley, said that it was designed to prevent linking academic data to non-academic data; to act as a safeguard against “the dangers of ill-trained persons trying to remediate the alleged personal behavior or values of students,” which include “poorly regulated testing, inadequate provisions for the safeguarding of personal information, and ill-devised or administered behavior modification programs.”
Further weakening FERPA was a 2002 decision in which the Supreme Court held that students or their parents cannot sue an educational institution for damages if the school improperly discloses the student’s protected information. Instead, schools that failed to comply with FERPA could lose their federal funding – but to this day the Dept. of Education has never imposed a financial penalty on any agency or institution for violating FERPA.
On February 29, 2012, the Electronic Privacy Information Center, or EPIC, sued the US Dept of Education, arguing that it had rewritten FERPA regulations in a manner exceeding the agency’s statutory authority, and contrary to law. On September 26, 2013, the Court dismissed EPIC’s lawsuit, holding that neither EPIC nor any of its Board of Director co-plaintiffs had legal standing to bring the complaint. The Court did not address the substantive claims in the lawsuit.