As a parent, I want to know that my children’s information is kept private. I tell them not to put their birthdates on any Web pages that ask for them, I keep their names out of this blog, and I have filled out FERPA opt-out forms to prohibit disclosure of student information.
But there are some things I can’t control, and information given away by my child’s school to the private sector is one of them. That’s because of recent changes to the federal privacy law (FERPA). These changes were made right around the time that it became possible to build massive databases of student data — databases that can be shared across states and over the life of my child, from cradle to grave. Let’s take a quick look at the law, to see where the weaknesses are.
A summary of the FERPA law is available here. It tells when schools need permission to disclose information, and when they don’t.
Generally, schools must have written permission from the parent or eligible student in order to release any information from a student’s education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31):
- School officials with legitimate educational interest;
- Other schools to which a student is transferring;
- Specified officials for audit or evaluation purposes;
- Appropriate parties in connection with financial aid to a student;
- Organizations conducting certain studies for or on behalf of the school;
- Accrediting organizations;
- To comply with a judicial order or lawfully issued subpoena;
- Appropriate officials in cases of health and safety emergencies; and
- State and local authorities, within a juvenile justice system, pursuant to specific State law.
Schools may disclose, without consent, “directory” information such as a student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA. The actual means of notification (special letter, inclusion in a PTA bulletin, student handbook, or newspaper article) is left to the discretion of each school.
Note that organizations conducting studies on behalf of the school can get access to this data, and it’s nonconsensual — meaning that parents can’t opt out.
There’s also a little something in there that’s extremely misleading. School officials can get access. That’s reasonable, right? But wait — how are “school officials” defined?
For that, we have to check out the actual text of the law (20 U.S.C. § 1232g; 34 CFR Part 99). Under paragraph 99.31, it says, “A contractor, consultant, volunteer, or other party to whom an agency or institution has outsourced institutional services or functions may be considered a school official under this paragraph provided that the outside party—”
(It goes on to list the specific conditions that have to be met.)
That’s awfully misleading.
There are also conditions under which this information can be redisclosed by “school officials” to other parties. That gets tricky and complicated.
Paragraph 99.33(a)(1) says:
An educational agency or institution may disclose personally identifiable information from an education record only on the condition that the party to whom the information is disclosed will not disclose the information to any other party without the prior consent of the parent or eligible student.
That makes it safe, right?
Oops, no. Paragraph 99.33(b)(1) says:
Paragraph (a) of this section does not prevent an educational agency or institution from disclosing personally identifiable information with the understanding that the party receiving the information may make further disclosures of the information on behalf of the educational agency or institution if—
To make a long story short, there are times where a school can disclose personally identifiable information, such as social security numbers, to third parties in the private sector, and then those third parties can then disclose this information to somebody else. And this can be done without parental consent.
Even worse: if you dig into some other privacy laws, such as those protecting medical information and those protecting students with disabilities, you’ll find that they all point back to the FERPA law. This means that information can be shared to third parties as well.
Now we know this can be done. But is it?
The long answer is a subject for another post. But the short answer is “yes.” There have been different releases for different regions of the U.S. In the Puget Sound region (Washington State), this data has been released to a nonprofit called the Community Center for Education Results for all students attending in public schools residing in these areas:
If you live in any of the affected areas and want to know more, post a comment and I’ll get back to you.