While FERPA is commonly viewed by education administrators and private entities seeking educational data as an onerous and burdensome law that requires significant compliance efforts, the fact is that the ultimate federal penalty for FERPA violation has never been levied; no educational agency has ever had its Federal funding suspended because of a FERPA violation.

Lawmakers in Arizona are promoting a new state law that would change this landscape. Arizona Senate Bill 1450 would impose state sanctions for FERPA violations.

The bill, sponsored by State Senator Kimberly Yee, provides that:

ANY PERSON WHO SUSPECTS THAT A SCHOOL DISTRICT OR CHARTER SCHOOL HAS VIOLATED THE FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT MAY NOTIFY THE PRINCIPAL OF THE CHARTER SCHOOL OR THE SUPERINTENDENT OF THE SCHOOL DISTRICT. IF THE MATTER IS NOT SATISFACTORILY RESOLVED WITHIN SIXTY DAYS AFTER THE NOTICE, THE PERSON MAY FILE A COMPLAINT WITH THE STATE BOARD OF EDUCATION OR THE SUPERINTENDENT OF PUBLIC INSTRUCTION. . . . IF THE STATE BOARD OF EDUCATION OR THE SUPERINTENDENT OF PUBLIC INSTRUCTION DETERMINES THAT THE SCHOOL DISTRICT OR CHARTER SCHOOL HAS FAILED TO CORRECT THE VIOLATION WITHIN SIXTY DAYS AFTER A NOTICE HAS BEEN ISSUED PURSUANT TO THIS SUBSECTION, THE STATE BOARD OR SUPERINTENDENT MAY DIRECT THE DEPARTMENT OF EDUCATION TO WITHHOLD UP TO TEN PER CENT OF THE MONTHLY APPORTIONMENT OF STATE AID THAT WOULD OTHERWISE BE DUE THE SCHOOL DISTRICT OR CHARTER SCHOOL.

While the mechanism for enforcement is analogous to the Federal enforcement mechanism, the penalty is more realistic (ten percent in the AZ version versus all funding in the Federal law), and might be more often applied. AZ SB 1450 might also provide a more effective mechanism for Arizona parents and students to seek redress for privacy violations than the Federal office charged with investigations of FERPA violations provides. If passed, the new bill would also provide another avenue for those who would otherwise sue but for the United States Supreme Court’s 2002 Gonzaga v. Doe decision, which held that FERPA provides for no private right of action.

Depending on how things go in AZ, SB 1450 might serve as a model for other states. What do you think?

The Electronic Privacy Information Center has filed a lawsuit against the United States Department of Education.

EPIC’s lawsuit argues that the agency’s December 2011 regulations amending the Family Educational Rights and Privacy Act exceed the agency’s statutory authority, and are contrary to law.

See Press Release

In addition, the lawsuit contends that:

Contrary to the agency’s contentions, Congress itself articulated specific reasons for precluding non-educational state agencies from accessing, altering, or storing records containing the personally identifiable information of students. The law’s chief sponsor Senator James L. Buckley specifically intended that FERPA would prevent linking academic data to non-academic data for the purpose of measuring schools’ impact. Senator Buckley’s statement in the Congressional Record describes FERPA as a safeguard against “the dangers of ill-trained persons trying to remediate the alleged personal behavior or values of students,” which include “poorly regulated testing, inadequate provisions for the safeguarding of personal information, and ill-devised or administered behavior modification programs.” In support of his concern, Senator Buckley entered into the Congressional Record a Parade magazine article decrying “welfare and health department workers” accessing student records that included “soft data” such as “family, . . . psychological, social and academic development . . . personality rating profile, reports on interviews with parents and ‘high security’ psychological, disciplinary and delinquency reports.” Congress has yet to alter its stance on FERPA legislative safeguards, a prerequisite for the agency’s tracking of ‘soft data’ and other non-academic characteristics, charting them with SLDS, and sharing the results with non-academic institutions. Still, the agency asserts that the most cursory mention of SLDS in the ARRA constitutes “intent . . . to have States link data…”

Download EPIC’s complaint

The latest round of revisions to the regulations enforcing FERPA was promulgated in the aftermath of the release of billions of dollars of funding for new State Longitudinal Data Systems (SLDSs). SLDSs are seen as a necessary tool for education improvement: they provide administrators, researchers, and policy makers with reliable, actionable data on the educational and labor-market outcomes of all students in a state. Without the loosening of the restrictions in the FERPA regulations, many data elements in the SLDSs will not be feasible.

If EPIC’s suit is successful, it may spell doom for some States’ SLDSs, especially those constructed and managed by private vendors.

What do you think? Has the Department of Education overstepped its authority, or is this a legitimate exercise of the authority granted by FERPA?

Online educational opportunities are exploding. The launch of Massive Online Open Courses (MOOCs) on platforms like edX and Coursera has transformed the way higher education can be accessed. It is highly likely that we’ll see these same changes trickle down to secondary education.

However, secondary educational administrators seeking to employ online or digital education technologies must ensure that their choices and activities comply with FERPA. As digital education tools become more and more commonplace, and methods of education evolve alongside technology, the privacy considerations also change. There are two practical methods for FERPA compliance in an online education model.

Option 1

Option 1 requires schools or districts to contract with a vendor to act as the agent of the district or school, and therefore be authorized to access educational records under the “school official” exception to FERPA.

This approach requires that the vendor’s product meet the same security and privacy controls as the district or school’s student information system, or generally any system that is FERPA compliant. This might include:

  1. Hosting the site in a secure data center
  2. Encrypting the application and database
  3. Limiting access to the servers
  4. Establishing an information security policy, and providing training to staff
  5. Subjecting site administrators to background screening

Because the school official exception to FERPA keeps the disclosing agency responsible for unauthorized disclosure by the disclosing agency’s agents, this approach may be time consuming to implement. A standard agreement could be drafted, but negotiations would be necessary with each separate district or school.

Option 2

This option is premised on the idea that all information in the vendor’s online education environment is disclosed to a third party with the consent of the student’s parents. Prior written parental consent for a student’s participation is required before a student can access the online education environment.

In addition to the vendor, any third parties with access to the servers on which the online education environment is hosted would need to be included in the consent form. The form would need to detail exactly how and why the information is going to be used.

Note: FERPA currently permits districts or schools to share what is considered “directory information” publicly, unless a student’s parent has opted out of this data sharing. Students whose parents have opted out are called “FERPA blocked.” This is a very small group of students.