CPW 2013: When FERPA Fails to Make the Grade, States Ratchet up Student Privacy Laws

This is the third in a series of guest commentaries written in observance of Choose Privacy Week by noted privacy experts and advocates. Today’s post is written by Khaliah Barnes, administrative law counsel for the Electronic Privacy Information Center (EPIC).

When FERPA Fails to Make the Grade, States Ratchet up Student Privacy Laws

Students are currently subject to more forms of tracking and monitoring than ever before, including physical, behavioral, and social media monitoring:

  • Physical monitoring — Gone are the days of announcing “Here” or “Present” during roll call at the beginning of class. Today, more schools are opting to track student attendance using radio frequency identification (RFID) tags. Some schools even use a hybrid of RFID and GPS technology to monitor when students board or exit their school bus and when they enter classrooms. This hybrid technology can send text message alerts to inform parents when their child has arrived at school. It can even inform parents when their child has arrived in a particular classroom. Like other student tracking technologies, RFID tags and GPS technology in the classroom raise many concerns among students and parents. Many object to student RFID tagging on First Amendment expressive association and religious freedom grounds. Others have aptly noted that RFID tags can be monitored not only on campus, but also off campus by malefactors, including stalkers.
  • Behavioral monitoring — Forgot your lunch money? No worries, certain schools now use biometric palm scanners in the cafeteria checkout line. Palm scanner technology reads vein patterns and links this unique biometric with a student account number. Other schools promote the use of heart rate monitors to determine physical exertion, and more importantly, physical education grades. Palm scanners and heart monitors unveil more information than just student account status or steps-per-minute; they reveal student behavior and can create student profiles based on this behavior. This type of data collection can (inaccurately) profile a student as overweight and lethargic, or underweight with an eating disorder. As with student RFID tracking, many schools collect palm prints and corresponding data without affirmative parental or student consent, and instead have required parents and students to opt out of this sensitive data collection.
  • Social media monitoring — “R”- and “X”-rated statuses need not apply. Schools are increasingly interested in not only what students are doing on campus, but also how students occupy themselves outside of the classroom and on social media. For example, colleges routinely use third-party social media monitoring services to spy on college athletes. Tweets and posts containing prohibited content can subject students to disciplinary actions.

And although schools (and the private companies to which schools outsource school functions) are collecting troves of student data, there has been a sea change in student privacy safeguards. The Family Educational Rights and Privacy Act (“FERPA”) is a federal student privacy and confidentiality statute that: (1) grants students certain rights—such as access to and amendment of their education records; and (2) details how schools and other entities entrusted with student records must protect that information from unauthorized disclosure. FERPA rights vest with parents until their child turns 18 or attends college. FERPA requires educational agencies and institutions to obtain student written consent before releasing education records. FERPA does, however, provide various exceptions under which educational agencies and institutions may disclose education records without first obtaining student consent. For example, schools may release education records to outside contractors, consultants, volunteers, and other parties performing a school function or service that the school would otherwise perform itself. Many private companies offering school email service and other technology services are school officials, and therefore have access to sensitive student information.

Schools may also release education records without first obtaining student consent for a variety of other reasons, including in connection with an emergency if the information is “necessary to protect the health or safety of the student or other persons,” in response to a Federal grand jury subpoena, or to an authorized representative of the Comptroller General, Education Secretary, or State educational authorities in connection with an audit or evaluation of a Federally-supported education program.

Recent changes to FERPA and FERPA regulations have loosened limitations under which education agencies and institutions may disclose education records without first obtaining student consent. In 2008, the Education Department issued regulations that permit schools to identify outside private companies performing a school function as “school officials.” Again, in 2011, the Education Department further expanded the exceptions under which individuals could access student information. Specifically, the agency issued regulations that define broadly the circumstances under which authorized representatives may access student information while evaluating or auditing education programs.

The practical implication of these recent changes is that more individuals and entities outside of an academic setting have access to student data. And more entities hosting and accessing student information increases the risk of security breaches. In response to the 2011 regulations, EPIC sued the Education Department, arguing that the agency exceeded its statutory authority by amending FERPA to permit more access to, and less oversight of, student records. The decision in EPIC v. U.S. Department of Education is pending in federal court.

Numerous states have taken initiatives to combat diminishing student privacy rights amid expansive student data collection. Indeed, many state laws are experiencing the “ratcheting up” or the California effect on student privacy laws, in which states place higher standards on student privacy and confidentiality, in an effort to combat more relaxed national standards.

Arizona, for example, has proposed a bill implementing state penalties for FERPA violations. Under this bill, if the State Board of Education or Superintendent of Public Instruction determines that a school has violated FERPA and fails to voluntarily comply within 60 days of the State Board’s notice, the State Board or Superintendent may direct the Education Department to withhold no more than 10 percent of state aid designated to the school district. If the State Board determines that the school has “corrected the violation” and complies with FERPA, the Education Department will remit the full amount of state aid to the district.

Three Texas bills seek to either curtail or outright ban the use of RFID student trackers. And Delaware, amid a host of other states including California, Michigan, and New Jersey, prohibits colleges and universities from requiring students and prospective students to provide access to student social media accounts. Student social media privacy protection is essential in a world where schools clamor for all types of student information. To the extent that schools collect and maintain personal student social media information, that information is arguably an “education record” under FERPA.

So, how can schools “choose privacy” and help protect student data? By adhering to Fair Information Practices when collecting student data. Additionally, schools should:

  1. Refrain from mandating surveillance technologies like RFID trackers.
  2. Promote transparency and student access to information that the school maintains. Students should have the right to know what information about them is being collected and how it is being used.
  3. Be more cautious about collecting student data. Simply put, if you can’t protect it, don’t collect it.
  4. Limit disclosure of personally identifiable student information to third parties.

Khaliah Barnes is Administrative Law Counsel at the Electronic Privacy Information Center (EPIC). In this role, Khaliah researches proposed federal agency privacy regulations that pertain to government collection, retention, and dissemination of personal information. Khaliah also leads EPIC’s Student Privacy Project and has discussed student privacy issues in local and national media.