FERPA amendment would establish ‘safeguards’ for student data privacy
With the rise of ed-tech companies, Sens. Markey and Hatch proposed a bill to track how student data is being used. Following outrage from open government advocates, however, language that would have broadened secrecy was removed.
Since lawmakers passed a rule 40 years ago that prevents schools from releasing certain records about their students, open records advocates, journalists and educators have debated just how far the statute should reach.
Now, as the prevalence of student data collection in educational institutions increases, the federal Family Educational Rights and Privacy Act’s use is once again in question. Attempts to change FERPA are of concern to journalists who often seek information from schools when reporting. And while the proposed changes may not further restrict journalists’ access records, they also don’t alleviate any challenges.
In 1974 President Gerald Ford approved FERPA, which prohibits any federally funded K-12 school or college from releasing confidential “education records” to anyone other than the student or the student’s parents if he or she is less than 18 years old.
In July, Sens. Edward Markey, D-Mass., and Orrin Hatch, R-Utah, released a bill to amend FERPA that would establish “security safeguards to ensure greater transparency and access to stored information for students and parents,” Hatch said in news release in July.
The bill sets in place a number of “safeguards” for student data privacy. Under the bill, the commercial use of personally identifiable information would be permitted. It would also require institutions to disclose which outside companies it uses to collect student data.
The bill, known as the Protecting Student Privacy Act, is not the first piece of legislation lawmakers have proposed to address privacy questions in regard to student data. Student privacy bills addressing school data collection have been proposed and passed in various state legislatures.
Oklahoma passed the first of such bills last year that, like the bill proposed by Markey and Hatch, creates safeguards for student data and requires the state board of education to list what data is collected and why it is being collected.
The American Legislative Exchange Council provided a model bill template, which closely resembles the Oklahoma bill, to state legislators around the country.
The proposed FERPA amendment is part of an effort to update student-privacy laws for the 21st century, said Giselle Barry, a spokeswoman for Markey, who has worked on student-privacy issues for more than a decade.
“The senator believes now is the time for Congress to act before sensitive student data becomes compromised,” Barry said in an email.
Nearly 25 percent of school districts with cloud computing services informed parents of the services and 20 percent didn’t have policies to govern the use of online services, according to the study by Fordham Law School’s Center on Law and Information Policy. The study, released in 2013, was part of what sparked the bill, Hatch spokesman Matthew Harakal said.
Markey is now working to advance the bill with bipartisan support, Barry said in an email.
Changes focus on ed-tech companies
While data collection in schools isn’t new, it’s only now coming into the forefront of conversation, said Paige Kowalski, director of state policy and advocacy at Data Quality Campaign, an organization that promotes effective use of data in education.
For some educators and parents, sufficient enough information about data and its purposes was not available, Kowalski said, and it caused confusion and concern.
“Naturally they have a lot of questions,” Kowalski said. “I think we’ve all dropped the ball on thinking about how to communicate all this to them.”
Much of the concern isn’t necessarily data collection itself, but the institutions’ use of education technology, or “ed-tech,” companies to store or analyze student data, said Kaliah Barnes, director of the Electronic Privacy Information Center’s Student Privacy Initiative. In its current form, FERPA does not specify how information given to these companies is regulated, she said. In some cases, companies like Google have used student data for some kind of commercial purpose, such as personalized advertisements or marketing, Barnes said.
“Now we’re in the current environment where more individuals outside of the school compact have access to student records,” Barnes said. “Student records should not be used for advertising purposes for monetary gain.”
Barnes said schools should use techniques like data minimization, where institutions and boards of education only keep vital data and even delete student information after a period of time, which is also addressed in the Markey-Hatch bill.
However, much of the concern with data privacy are knee-jerk reactions to recent data breaches or problems with a few institutions and ed-tech companies, said Tom Murray, the state and district digital learning policy and advocacy director with the Alliance for Excellence in Education, a Washington, D.C.-based national policy and advocacy organization.
Murray cited the data breach at Target last year, where hackers accessed credit card information from customers.
“The solution is not to ban credit cards across the nation,” Murray said. “The solution is to have high levels of standards for everybody to make sure that everybody follows the law. Not to say, ‘sorry somebody breached the data so no one can ever use credit cards again.’”
Murray said the the Target breach is comparable to schools. Instead of overarching bills that could hinder good uses for data collection, schools could use common sense solutions, such as encryption, limiting who has access to data, and better train educators on how to safeguard data, he said.
Earlier this year, both Indiana University and the University of Maryland experienced data breaches within the same week. The data breaches exposed student information such as names, addresses and Social Security numbers.
Changes concern journalism advocates
As legislators and privacy advocates examine data collection and how to better protect student data, the possible effect these policies could have on journalists are usually not part of the conversation.
Institutions often struggle to determine what ‘education records’ are exempt from public records laws under FERPA, which often hinders journalists’ access to crucial information, said Emily Grannis, a legal fellow at the Reporters Committee for Freedom of the Press.
“There’s no issue or question that there should be protection for certain types of student records,” Grannis said. “The problem is, schools are expanding this way beyond student records, beyond grades. It has taken on a life of its own.”
When Markey and Hatch released a discussion draft of their bill in May, journalism and open-government advocates worried language in the bill could have widened the definition of education records under FERPA, further limiting the information institutions could release.
Currently, confidential records include education records or personally identifiable information within those records. Under the draft bill, however, institutions would have been prohibited from releasing information regardless of whether it was contained within an education record.
While the legislation may have been well-intentioned as written in the draft, the bill could give school officials additional leverage to shield access to public information, said Kevin Goldberg, legal counsel for the American Society of News Editors.
“People are somewhat unaware as to how difficult it is to get information from colleges and high schools,” Goldberg said.
In June, the Student Press Law Center, ASNE, RCFP, the Society of Professional Journalists, OpenTheGovernment.org and Californians Aware sent a letter to Markey and Hatch detailing concerns with the bill. When Markey and Hatch introduced the legislation on July 30, the bill’s provision to widen the definition of education records was changed.
“It was really nice to see that the senators’ staffs had obviously listened,” Grannis said. “The fear was that suddenly everything would be considered an education record. Now, we’re at least maintaining the status quo, which is not great but we definitely didn’t want to expand the definition.”
Additionally, the bill states that schools must “require each outside party to whom personally identifiable information from education records is disclosed” must comply with the same FERPA regulations that the institutions follow.
The wording in that paragraph could pose problems as well, since “any outside party” is vague, said Mark Goodman, a media-law professor at Kent State University and a former SPLC executive director. While it seems that the intention was to protect against companies the school contracts, the language could encompass more, he said.
In his interpretation, Goodman said anybody who gets access to an education record, “independent of how they got access to it, even if they got it from someone other than the institution itself — that somehow they are bound by these regulations as well.”
Other changes still necessary
Along with expressing concern with the language in the bill, the letter the journalism advocates sent Markey and Hatch also proposed ideas on how FERPA should be amended. While over-sharing information could potentially harm students, Goodman said, so can too much secrecy.
He said legislators thinking of amending the law need to consider the conflict created between the current practice of FERPA and freedom of information rights.
“If they don’t take into account that conflict, then they’re really missing the boat,” Goodman said. “One of the biggest problems with FERPA that I have seen in its history is it is definitely used to thwart public oversight of educational institutions. That was not the intention behind the law but that is the way that schools have been able to use it.”
Some student data privacy advocates as well as open government advocates agree that changes to FERPA are necessary, Murray said. One area where both privacy and open government advocates can find common ground is that the enforcement of FERPA is flawed.
In its current form, schools that violate FERPA risk losing all federal funding. However, the punishment, sometimes called the “nuclear option,” has never been used to punish an institution since the law was created.
“We would prefer some type of private right of action but you don’t have a private right of action,” Barnes said. “That would be something that could make the law stronger, although that would be hard to implement.”
Barnes said some other options could also help, such as the education department disclosing the names of schools or other agencies that have violated FERPA.
However, Grannis said legislators should encourage correct application of the law instead of scaring institutions into hiding too much information.
“The concept of losing every penny of your federal funding is a death sentence,” Grannis said. “There should be some incentive to share information with the public and messing up once, particularly in a small way, should not mean a death sentence.”
Grannis said the U.S. Department of Education could solve some of the confusion with FERPA’s application even without new legislation. For example, the DOE could release guidelines that explain a few types of records that would not fall under federal law, she said.
Any opening to try and discuss changes to FERPA is important since there are so few efforts to change the law, Goldberg said.
“FERPA, while it may not be as sexy as the shield law, is a really important issue, especially for local reporters,” Goldberg said. “FERPA is often being used to prevent access to information.”
Even within the journalism community, it can be difficult to a coordinated effort to make changes to FERPA, Grannis said, because public records requests often come from student journalists or reporters in small media markets.
Edward Markey, Fall 2014, Family Educational Rights and Privacy Act, FERPA, news, Orrin Hatch, Protecting Student Privacy Act, recent-news, reports