Privacy Rights Clearinghouse
Comments of the Privacy Rights Clearinghouse
Department of Education
Family Educational Rights and Privacy Act
Notice of Proposed Rulemaking
Submitted May 23, 2011
The Privacy Rights Clearinghouse (PRC) respectfully submits the following comments to the Department of Education (Department) for its consideration with respect to the call for public comment in its Notice of Proposed Rulemaking (NPRM) regarding the Family Educational Rights and Privacy Act of 1974 (FERPA).
The PRC is a nonprofit organization, established in 1992 and located in San Diego, California. Our mission is two-part: consumer education and consumer advocacy. We have published more than 50 Fact Sheets that provide practical information consumers may employ to safeguard their personal information, and we invite individuals to contact the organization with their privacy-related questions, concerns and complaints.
The Department proposes to amend the regulations implementing FERPA with the goal of providing states with flexibility in sharing data in statewide longitudinal data systems (SLDS) to enhance their effectiveness. In doing so, the Department proposes extensively widening the scope of nonconsensual disclosure of student data to third parties. Unfortunately and notwithstanding the new safeguards the Department proposes, the proposed amendments do not adequately address data privacy concerns when it comes to disclosing sensitive student information.
The purpose of FERPA is to protect the privacy of student education records that are maintained by educational agencies or institutions that receive funds from the Department. This is accomplished in part by restricting disclosure of personally identifiable information (PII) absent the written consent of either a parent or an eligible student, except in very limited circumstances. However, by compiling increased amounts of student data and allowing greater access to that data, the potential for misuse and security breach increases. These databases will also hold extreme value not only for those intending to use the data to improve the education system (as the NPRM contemplates), but also for parties who seek to profit from the data and for hackers seeking to use it for nefarious purposes such as committing identity theft.
As the Department is aware, education records can include much more than test scores and class standing. They may include health information, description of physical appearance, family economic circumstances, ethnic background, political and religious affiliations, psychological test results, financial information, etc. The information may be fact, such as birth date or Social Security number, or it may be opinion teachers have expressed about the student. As such, it is exceedingly important to limit access to this data goldmine and to allow parents and eligible students as much control as possible over when, to what extent, and to whom the data is disclosed.
The PRC believes that the Department’s proposed amendments to its regulations implementing FERPA in large part counteract the general purpose of FERPA. However, regardless of its authority to amend its regulations as such, we are concerned that the proposed amendments pose potential data privacy problems, do not adequately address necessary privacy protections, and lack meaningful mechanisms to promote accountability.
The NPRM proposes to define “authorized representative” as “any entity or individual designated by a State or local educational authority or agency headed by an official listed in Section 99.31(a)(3) to conduct—with respect to Federal or State supported education programs—any audit, evaluation, or compliance or enforcement activity in connection with Federal legal requirements that relate to those programs.”
Parental or eligible student consent is not required to disclose information to authorized representatives of the Comptroller General of the United States, the Attorney General of the United States, the Secretary, or State and local educational authorities. “Authorized representative” is currently undefined, but since 2003 has been interpreted as a party under the direct control of an educational authority. However, because the Department believes the current interpretation is unnecessarily restrictive, the proposed definition, if enacted, will widen the scope of what constitutes an “authorized representative” considerably.
Allowing non-educational agencies access to students’ PII without requiring parental or eligible student consent may further the Department’s goal of SLDS efficiency; however, nothing in the proposed definition of “authorized representative” actually limits who may be considered as such. Not only does this seem to counteract the intent of FERPA to protect student privacy, but it also allows the accountability of State or local educational authorities or agencies (and their authorized representatives) to the Department to become greatly attenuated.
We urge the Department to consider how and whether a parent or eligible student may seek legal action against or recovery from an “authorized representative” to whom they did not explicitly permit their data to be disclosed. We also express concern with the general effectiveness of the Department’s limited enforcement ability under FERPA when it comes to expanded nonconsensual disclosure of education record data, because the proposed standards are very limited and there is no reporting mechanism when it comes to the proposed mandatory written agreements between authorized representatives and a State or local educational authority.
The NPRM proposes amending § 99.35 of the regulations to require written agreements between a State or local educational authority or agency and its authorized representative, other than an employee, to whom it will disclose PII from education records without consent. While requiring an agreement would open up the potential for enforcement in the event that an authorized representative violates a term, the Department has not articulated how and to whom a breach of such an agreement would be reported. The Department should consider how this written agreement requirement may help parents and eligible students recover if they are adversely affected by such a contractual breach, especially since FERPA does not provide a private right of action.
The proposed regulations require agreements to contain certain general provisions. However, the standards are quite vague and only address establishing policies/procedures to protect the PII from further disclosure and unauthorized use. As proposed, these agreements are not necessarily required to include data security measures, data breach notification, need for independent third party audit, and reasonable data destruction and/or return practices. We suggest that the Department amend the proposed rules to create a floor for the requirements in written agreements with authorized representatives that includes the above so that there is a tangible way in which to hold authorized representatives accountable.
The NPRM proposes requiring a State or local educational authority or agency to use reasonable methods to ensure that any entity designated as its authorized representative remains compliant with FERPA. The Department states that it does not propose to define “reasonable methods,” in order to provide flexibility, but seeks comment on what may be considered a reasonable method.
By providing no binding guidance on reasonable methods, State or local educational authorities or agencies will not realistically be held accountable to any meaningful standards, nor will they be able to “ensure” anything. This also raises the question of whether the State or local educational authorities or agencies will be subject to outside audits to determine whether they employ such reasonable methods, or whether this will only be determined after FERPA is violated or a complaint is filed and the Department has initiated enforcement proceedings.
The NPRM states that if the Department’s Family Policy Compliance Office finds that a State or local authority or agency, or an authorized representative, improperly rediscloses PII in violation of FERPA, the educational agency or institution from which the PII originated will be prohibited from permitting the responsible entity to access the PII for at least five years. The PRC agrees with the Department that five years is an appropriate time period for such a violation.
However, “redisclosure” is the only action that is punishable by this language. Other violations such as those concerning amendment, accuracy, inspection and review, especially by authorized representatives, should also be subject to a similar prohibition. Also, we encourage the Department to consider its ability to prevent any educational agency or institution, rather than limiting it to the agency or institution whose PII was improperly redisclosed, from allowing the party in violation access to the education record data. Parties in violation should be on a single list accessible to all state or local authorities or agencies and the general public.
Under the current regulations, “Authorized representatives of the officials or agencies listed in § 99.31(a)(3) may have access to education records in connection with an audit or evaluation of Federal or State supported education programs….” The NPRM proposes defining “education program” as “any program that is principally engaged in the provision of education, including, but not limited to, early childhood education, elementary and secondary education, postsecondary education, special education, job training, career and technical education, and adult education, regardless of whether the program is administered by an educational authority.”
The proposed definition of “education program,” in conjunction with the current regulations, creates expansive access to education records that again goes against any intent of FERPA to safeguard the privacy of education records and allow for nonconsensual disclosure of PII only in extremely limited circumstances.
The Department should clarify not only to what extent an education program must be Federal or State supported, but also narrow its proposed definition of “education program.” For example, it is very vague to what extent a program must be engaged in the provision of education in order to be “principally engaged.” Also, the language “but not limited to” seems to unnecessarily leave the definition open. Because the proposed definition is so expansive, it could lead to an unnecessarily rich compilation of data concerning an individual over which both the individual and the Department have very little control, and little access to remedy or enforcement mechanisms.
The NPRM proposes prohibiting a parent or eligible student from opting out of wearing, publicly displaying, or disclosing a student ID card or badge that exhibits information designated as directory information. The PRC does not necessarily oppose this proposed amendment to the regulations. However, we urge the Department to consider how this would affect students who are the victims of stalking, for example. This is likely to have the greatest effect on students at postsecondary institutions, where the size of the institution may make it more difficult to restrict access.
The NPRM proposes allowing educational agencies and institutions to specify in their annual public notices to parents and students that disclosures of directory information may be limited to specific parties and for specific purposes. We support this proposed amendment, and believe that it will make student information less likely to be released for marketing purposes, while providing educational agencies and institutions with more certainty and control in using directory information for their own purposes. The suggestion that the agencies and institutions consider non-disclosure agreements with third parties is also valid, and the PRC would like to see this become common practice.
The current regulations do not authorize the Family Policy Compliance Office to investigate, review and process an alleged violation of FERPA that is committed by recipients of Department funds under a program in which students do not attend. If the Department is going to expand access to and disclosure of student data to facilitate the efficiency of SLDS, this provision seems necessary. However, the Department should evaluate its ability to expand its enforcement capabilities under both the existing enforcement mechanisms and FERPA in general.
While increasing access to data in SLDS will be beneficial to evaluate and improve education in general, it will also significantly increase the chance that data in education records is mishandled or breached. In conclusion, we are concerned that the Department has expanded nonconsensual disclosure exceptions under FERPA to the point where it counteracts FERPA’s intended purpose. We are further unconvinced that the enhanced enforcement provisions will increase or maintain accountability when it comes to data security and privacy protection measures.
Beth Givens, Director
Meghan Bohn, Staff Attorney
Privacy Rights Clearinghouse
Family Educational Rights and Privacy, Notice of Proposed Rulemaking, 76 Fed. Reg. 19726 (proposed Apr. 8, 2011), RIN 1880-AA86 [Docket ID ED-2011-OM-0002], available at http://www.federalregister.gov/articles/2011/04/08/2011-8205/family-educational-rights-and-privacy [hereinafter NPRM].
See Family Educational Rights and Privacy Act, 20 U.S.C. 1232g (1974), available at http://www.law.cornell.edu/uscode/html/uscode20/usc_sec_20_00001232---g000-.html.
See Privacy Rights Clearinghouse, Fact Sheet 29, Privacy in Education: Guide for Parents and Adult-Age Students, http://www.privacyrights.org/fs/fs29-education.htm (last visited May 19, 2011).
See 34 C.F.R. § 99.
NPRM, supra note 1, at 19727.
34 C.F.R. § 99.31(a)(3).
See 73 FR 74806 (2008) (incorporating Memorandum from William D. Hansen, Deputy Sec’y of Educ. to the Chief State Sch. Officials (Jan. 30, 2003), available at http://www2.ed.gov/policy/gen/guid/secletter/030130.html).
NPRM, supra note 1, at 19728.
See generally Gonzaga Univ. v. Doe, 563 U.S. 273 (2002).
NPRM, supra note 1, at 19728.
34 C.F.R. § 99.35 (emphasis added).
NPRM, supra note 1, at 19729.
Id. at 19731.
Id. at 19732.