Revised FERPA Sacrifices Students' Privacy

When the FERPA privacy going gets tough, the tough get the privacy laws changed. Or so it seems from reviewing the Revised FERPA rules. Whatever happened to the ethos “if it saves one child _______”? Yet, at the very time of heightened campus safety and online bullying, the very law that protects student privacy rights is being weakened for the sake of administrative convenience, tradition and questionable state agendas.

Revised FERPA

The Revised FERPA federal law promulgates changes to student privacy protections as part of a broader US Department of Education initiative to “Safeguard Student Privacy”. I put that in quotes because I find it a bit dubious that the DOE brands an initiative to change federal law using language that is the opposite of the effect it will have.

Although the Revised FERPA does expand applicability to certain recipients of student data, the main focus of the changes to the federal law centers on:

  • Allowing for the adoption of policies for limited directory information access which also expand the exemptions.
  • Allowing sharing of personally identifiable information in order to support the creation of longitudinal student information systems.

So rather than strengthening FERPA with tougher civil penalties for individuals and institutions so there is an actual deterrent effect for violations, the law expands access and removes parental and student controls.

DOE also missed an opportunity to establish some specificity for the required controls, as exists in other regulated industries like banking and healthcare. Instead they continue to leave the requirements at “best practices for reasonable methods”. Is that based on FISMA or HIPAA or GLBA, or simply what the district decides it can afford?

Directory Information Exceptions

With regard to the provision for limited directory access, the changes weaken the power of opt-out and allow for greater sharing of students' personally identifiable information under new exemptions.

DOE should be ashamed for citing yearbooks as the rationale for why this change was needed. I mean seriously, is it really more important that administrators be able to have a complete yearbook than to honor a student’s right to privacy and opt-out?

So I suppose cap and gown vendors, class rings, dorm supply catalog companies, student health insurance carriers, and other similarly situated traditional relationships will continue to go on unchecked by FERPA on the basis of some ‘greater good’. This one change will make it increasingly easy for administrators to put the students' privacy rights secondary to the commercial interests of businesses and other third parties, including foundations.

For me, I don’t see this as being any different than schools selling out on students' health to the vending machine industry so they can have a few dollars in unrestricted accounts.

Effectiveness of Publicly Funded Programs

Student privacy rights were the final barrier for state longitudinal data systems, and that barrier has been removed by the Revised FERPA changes. Just as HIPAA was weakened so that health information exchanges could be created to reduce cost and improve outcomes, so too has FERPA been changed, ostensibly “to ensure our limited public resources are invested wisely”.

And what was the driver? High schools can already see a student's feeder school, just as colleges can. Some states already operate data systems using de-identified data, and where centralized university systems are used this is a non-issue. So what will be gained by this change in terms of actual results?

Why not add some teeth for producing actual results? Conditional permission could have been granted to create SLDS such that districts and states that fail to enact accountability measures would not only lose federal funding, their data sharing rights would also be revoked.

The DOE could have also added a data sharing revocation provision as a mandatory penalty for FERPA violations. First offense brings a mandatory one year penalty, second offense five years. The absence of any sanctions or performance penalties demonstrates the real intent is not for results.

The Students

So what about the students? Who is their advocate in the decision to change the federal law that safeguards student privacy? Are we really going to hide behind the argument of privacy at what cost? Doing what’s right is often hard and we should not cower from the challenge.

I do see the arguments behind the changes and find there to be some very credible cases that can be made. But I know better than to take it on its face: without any real penalties in the federal law or specific performance requirements, the net effect is simply the weakening of FERPA and an increased risk that students' personally identifiable information will be released.
