Focusing public attention on emerging privacy and civil liberties issues

Student Privacy

Introduction

Students do not shed all of their rights at the schoolhouse gate, including the right to privacy. Although recent Supreme Court decisions have diminished this right, there are substantial federal and state protections for the privacy of students' educational records. The most prominent of the federal protections for student privacy is the Family Educational Rights and Privacy Act (FERPA), also known as the "Buckley Amendment," FERPA protects the confidentiality of student records to some extent, while also giving students the right to review their own records.

Students' personal information is often collected through in-school surveys, sometimes for commercial use. Congress most recently addressed such surveys in the No Child Left Behind Act, a broad federal educational act. The Act provides parents and students the right to be notified of, and consent to, the collection of student information. However, the Act includes many exceptions to this right.

Congress does not always expand privacy when it addresses the collection of student information. Another provision of No Child Left Behind mandates that high schools turn over student contact information to military recruiters, unless parents or students explicitly opt out of such disclosure. And in 2002, Congress amended FERPA, via the USA PATRIOT Act, to require schools to transmit information about immigrant students to the INS. Under this program, the Student and Exchange Visitor Information System, schools had to begin in 2003 reporting immigrants' academic information, such as disciplinary actions or changes in programs of study.

For more information on Student Privacy see:

Top News

  • Senators Markey and Hatch Introduce Student Privacy Legislation: Today, Senators Edward Markey (D-MA) and Orrin Hatch (R-UT) introduced legislation to require privacy safeguards for education records and prohibit the use of student information for advertising purposes. The "Protecting Student Privacy Act of 2014" would give students the right to access and amend their records that are held by private companies. The bill also requires schools to minimize the amount of personally identifiable information transferred to private companies. The bill requires companies to destroy student information "when the information is no longer needed for the specified purpose." The bill incorporates many of the proposals EPIC set out in the Student Privacy Bill of Rights. Senator Markey announced plans to introduce student privacy legislation earlier this year at EPIC's public panel on student privacy. For more information, see EPIC: Student Privacy. (Jul. 30, 2014)
  • EPIC Uncovers Complaints from Education Department about Misuse of Education Records: EPIC has obtained documents from the Department of Education detailing parent and student complaints about the misuse of educational records. The Department released the documents in response to an EPIC Freedom of Information Act request. The documents reveal that schools and districts have disclosed students' personal records without consent, possibly in violation of the Family Educational Rights and Privacy Act. The documents also reveal that the Department failed to investigate many FERPA complaints. EPIC is expecting to receive more documents about the agency’s enforcement of the federal student privacy law. For more information, see EPIC: Student Privacy and EPIC: Open Government. (Jul. 18, 2014)
  • Federal Trade Commission Urges Court to Protect Student Privacy: The Federal Trade Commission is opposing the sale of student data in a bankruptcy proceeding for ConnectEDU. The company privacy policy promises it will give students "reasonable notice and an opportunity to remove personally identifiable information" from its website. The FTC said that the sale of student information "without reasonable notice to users and an opportunity to remove personal information would contradict the privacy statements originally made to users." The FTC letter also cites consent agreements with Snapchat, Google, and Facebook. Each of these consent orders was a result of an EPIC FTC complaint. Last year, EPIC filed an extensive complaint concerning Scholarships.com's business practices. The company encourages students to divulge sensitive medical, sexual, and religious information to obtain financial aid information. For more information, see EPIC: Student Privacy, EPIC: In re Google Buzz, EPIC: In re Facebook, and EPIC: Federal Trade Commission. (May. 29, 2014)
  • EPIC Testifies on Student Privacy before California State Assembly: EPIC's Student Privacy Project Director Khaliah Barnes testified before the California State Assembly Education Committee and Select Committee on Privacy, on "Ensuring Student Privacy in the Digital Age." EPIC's testimony: (1) explained how the U.S. Education Department’s regulations encourage mass collection of student data; (2) described the privacy risks that students today face; (3) underscored the need for data security safeguards for states, schools, and private companies accessing student information; and (4) recommended that California adopt EPIC's Student Privacy Bill of Rights. Earlier this week, Senators Markey and Hatch proposed bipartisan student privacy legislation. For more information, see EPIC: Student Privacy. (May. 16, 2014)
  • Senators Markey and Hatch Propose Student Privacy Legislation: Senator Edward Markey (D-Mass) and Senator Orrin Hatch (R-Utah) have proposed a "Protecting Student Privacy Act." The draft bill would "(1) requires that data security safeguards be put in place to protect sensitive student data that is held by private companies; (2) prohibits the use of students' personally identifiable information to advertise or market a product or service; (3) provides parents with the right to access the personal information about their children - and amend that information if it"s incorrect — that is held by private companies just as they would if the data were held by the school itself; (4) makes transparent the name of companies that have access to student information by directing school districts to maintain a record of all outside companies with which the school contracts; (5) minimizes the amount of personally identifiable information that is transferred from schools to private companies; [and] (6) ensures private companies cannot maintain dossiers on students in perpetuity by requiring the companies to later delete personally identifiable information." The legislation highlights many of the protections EPIC endorsed in its Student Privacy Bill of Rights. Senator Markey announced plans to introduce student privacy legislation earlier this year at EPIC's public panel on student privacy. For more information, see EPIC: Student Privacy. (May. 15, 2014)
  • Google Stops Scanning Student Emails, Ends Data Collection for Advertising: Google has announced it will stop scanning student emails for advertising purposes. Google has also stated that it will no longer display new advertisements in its Apps for Education. Google's announcement follows the demise of inBloom, a private company that acquired student data from school districts across the country. Amid public backlash, inBloom announced it was shutting down. Google and inBloom gained access to student data pursuant to the Education Department's revised regulations that significantly weakened the Family Educational Rights and Privacy Act, a federal student privacy law. EPIC had previously sued the Education Department for weakening the privacy law that protects student data. Earlier this year, EPIC called for a Student Privacy Bill of Rights, an enforceable student privacy and data security framework. For more information, see EPIC: Student Privacy. (Apr. 30, 2014)
  • Amid Privacy Backlash, Student Data Firm Dissolves: inBloom, a private company that acquired student information from school districts across the country, has shut down. The company said its work "has been stalled because of generalized public concerns about data misuse..." inBloom and other companies, including Google, acquired student data following revisions to the Family Educational Rights and Privacy Act by the Department of Education that significantly weakened the student privacy law. In 2012, EPIC sued the Education Department for removing student privacy protections. Last year, EPIC testified before the Colorado State Board of Education on student privacy issues concerning inBloom. Early this year, EPIC called for a Student Privacy Bill of Rights, an enforceable student privacy and data security framework. For more information, see EPIC: Student Privacy. (Apr. 21, 2014)
  • Google Admits to Data-Mining Student Emails: In a sworn statement filed with a federal court, Google has admitted to scanning student emails to serve students targeted advertisements. Although Google does not display ads in Apps for Education, Google "does scan [student] email" to "compile keywords for advertising" on Google sites. Google has gained access to student emails pursuant to the Education Department's recently revised regulations, which significantly weakened the Family Educational Rights and Privacy Act, a federal student privacy law. Still, Google's practices appear to contravene the Education Department's "best practices" for online educational service providers. EPIC had earlier sued the Education Department for weakening the privacy law that protects student data. For more information, see: EPIC Student Privacy and EPIC: EPIC v. Dep't of Education. (Mar. 19, 2014)
  • After Weakening Privacy Law, Education Department Proposes "Best Practices" for Student Data: The Education Department has issued recommendations for schools that transfer student records to online educational service providers. Following the Department's changes to a federal student privacy law, private companies and government agencies have access to student records without obtaining student consent. In the recommendations, the agency explained that the current regulations do not require written agreements for schools to disclose student information to private companies. The Education Department recommended that schools establish policies for approving online educational services, create written contracts with private companies for the use of student data, and explain to parents and students how schools collect, use, and disclose student information. The agency warned that student data held by private companies may not be protected under federal privacy laws. EPIC had earlier sued the Education Department for weakening the privacy rule that prevented companies from getting access to student data. On March 13, 2014, the Education Department will hold a webinar on its student privacy best practices. For more information, see: EPIC: Student Privacy and EPIC: EPIC v. Dept. of Education. (Mar. 7, 2014)
  • Senator Markey Outlines New Student Privacy Legislation at EPIC Event: At a briefing on Capitol Hill hosted by EPIC, Senator Ed Markey announced plans to introduce legislation protecting student data. Senator Markey set out four principles his bill would cover: (1) student information may never be used to market products to children; (2) parents must have the right to access and amend student information held by private companies; (3) schools and private companies must safeguard student information; and (4) companies must delete student information after it is no longer needed for educational purposes. Senator Markey made the remarks at EPIC event "Failing Grade: Education Records and Student Privacy," which included leading experts in technology, student privacy, and the Chief Privacy Officer at the Department of Education. Last year, Senator Markey sent a letter to the Education Department, requesting information on the "impact of increased collection and distribution of student data" on privacy. The Education Department provided a response, suggesting that when schools outsource to private companies, they should ensure that the companies protect student data. For more information, see EPIC: Student Privacy. (Jan. 14, 2014)
  • Company Adds Encryption to Website After EPIC Files Complaint: Following EPIC's complaint to the Federal Trade Commission about Scholarships.com, the company has improved security on its website. Scholarships.com encourages students to divulge sensitive medical, sexual, and religious information to obtain financial aid information. The company claims that it uses this information to locate scholarships and financial aid. In fact, the company transfers the data to a business affiliate American Student Marketing, which in turn sells the data for general marketing purposes. EPIC's complaint to the FTC alleged that Scholarships.com’s failure to use reasonable security practices is an unfair trade practice. The company has since implemented HTTPS. For more information, see EPIC: Student Privacy. (Dec. 19, 2013)
  • EPIC Files Privacy Complaint to Protect Student Data: EPIC has filed an extensive complaint with the Federal Trade Commission concerning the business practices of Scholarships.com. The company encourages students to divulge sensitive medical, sexual, and religious information to obtain financial aid information. The company claims that it uses this information to locate scholarships and financial aid. Scholarships.com, however, transfers the data to a business affiliate American Student Marketing, which in turn sells the data for general marketing purposes. EPIC alleges that this is an unfair and deceptive trade practice. EPIC’s complaint also alleges that Scholarships.com’s failure to use reasonable security practices is an unfair trade practices. EPIC has asked the FTC to require the company to change its business practices. Earlier this year, EPIC urged Congress to restore privacy protections for student data following recent changes to the Family Educational Rights and Privacy Act. For more information, see: EPIC: Student Privacy. (Dec. 12, 2013)
  • EPIC FOIA - EPIC Uncovers Information About Debt Collector Practices from Education Dept.: Pursuant to a Freedom of Information Act lawsuit against the Education Department, EPIC has obtained documents which reveal that many private debt collection agencies maintain incomplete and insufficient quality control reports. As government contractors, debt collectors are required to follow the Privacy Act, a federal law that protects personal information. The Education Department also requires student debt collectors to submit quality control reports indicating whether the companies maintain accurate student loan information. The documents obtained by EPIC in this FOIA lawsuit reveal that many companies provide small sample sizes to conceal possible violations of the Act. The documents also show that many companies do not submit required information about Privacy Act compliance to the Education Department. EPIC has recently settled the case and obtained attorneys fees for making this information available to the public. For more information, see EPIC v. Education Department - Private Debt Collector Privacy Act Compliance. (Nov. 1, 2013)
  • Senator Markey Investigates Student Data Disclosures: Senator Edward Markey has sent a letter to the Education Department, requesting information on the "impact of increased collection and distribution of student data" on student privacy rights. Among other questions, Senator Markey asks why the Department made changes to the Family Educational Rights and Privacy Act, a federal student privacy law; whether the Department "performed an assessment of the types of information" that schools disclose to third party vendors; and whether students and their families can obtain their information held by private companies. The letter states, "By collecting detailed personal information about students' test results and learning abilities, educators may find better ways to educate their students. However, putting the sensitive information of students in private hands raises a number of important questions about the privacy rights of parents and their children." EPIC has sent a letter to the Senate and House Committees on Education, urging Congress to restore privacy protections for student data. For more information, see EPIC: Student Privacy and EPIC: EPIC v. The Deptartment of Education. (Oct. 24, 2013)
  • EPIC Urges Congress to Protect Student Privacy: In a letter to the Senate and House Committees on Education, EPIC has asked Congress to restore privacy protections for student data. EPIC's letter follows a court opinion concerning recent changes to the Family Educational Rights and Privacy Act. EPIC has warned that the changes in the student privacy law allow the release of student records for non-academic purposes and undercut parental and student consent provisions. EPIC has urged Congress to investigate the impact of the revised regulations. "Students and families are losing control over sensitive information," EPIC wrote, "and private companies are becoming the repositories of student data and even the data maintained by the schools is far more extensive than ever before." For more information, see EPIC: Student Privacy. (Oct. 10, 2013)
  • Judge Rules that EPIC Lacks Standing to Challenge Education Department's Unlawful Regulations: A federal court dismissed EPIC's lawsuit against the Education Department. EPIC has challenged the agency's 2011 changes to the Family Educational Rights and Privacy Act (FERPA) which allow the release of student records for non-academic purposes and undercut parental and student consent provisions. The court held that neither EPIC nor any of its Board of Director co-plaintiffs "have standing to bring the claims asserted in the complaint." The judge did not reach EPIC's substantive claims asserted in the complaint. EPIC argued that the Education Department exceeded its authority with the changes and that the revised regulations violate the federal student privacy law. Before initiating the lawsuit, EPIC submitted extensive comments to the Education Department, opposing the unlawful regulations. EPIC intends to take further steps to safeguard student privacy. For more information, see EPIC: EPIC v. The U.S. Department of Education and EPIC: Student Privacy. (Oct. 1, 2013)
  • EPIC to Defend Student Privacy Rights in Federal Court: On July 24, EPIC President Marc Rotenberg and EPIC Administrative Law Counsel Khaliah Barnes will present arguments in federal district court in Washington, DC in support of student privacy. In EPIC v. Dept. of Education, No. 12-327, EPIC is challenging recent changes to the Family Educational Rights and Privacy Act (FERPA) that allow the release of student records for non-academic purposes and undercut parental consent provisions. In 2011, EPIC submitted extensive comments to the agency opposing the changes. After the Education Department failed to modify the proposed regulation, EPIC filed a lawsuit and argued that the agency exceeded its authority with the changes, and also that the revised regulations are not in accordance with the 1974 privacy law. EPIC is joined in the lawsuit by members of the EPIC Board of Directors Grayson Barber, Pablo Garcia Molina, Peter Neumann, and Deborah Peel. For more information, see EPIC: EPIC v. The U.S. Department of Education and EPIC: Student Privacy. (Jul. 23, 2013)
  • EPIC Testifies Before Colorado Board on Student Privacy: EPIC Administrative Law Counsel Khaliah Barnes testified before the Colorado State Board of Education on privacy issues concerning inBloom and other companies that acquire student information. In response to public outcry over a pilot program which grants these companies access to sensitive student data, the Colorado Board of Education hosted a public session. Representatives from inBloom, the Colorado Attorney General's Office, a local school district, and EPIC participated. EPIC recommended that Colorado ensure that students and parents have access to education records maintained by third party providers, and that students and their parents should be able to limit disclosure to third parties. In 2012, EPIC sued the Education Department for issuing regulations that failed to safeguard student privacy. For more information, see EPIC: EPIC v. The U.S. Department of Education and EPIC: Student Privacy. (May. 21, 2013)
  • EPIC Sues Education Department, Seeks Documents about Debt Collectors and Student Privacy: EPIC has filed a Freedom of Information Act lawsuit against the Education Department, following the agency's failure to release documents about private debt collection and compliance with federal privacy law. The Department has contracts with at least twenty-three private debt collectors who obtain sensitive personal information, including contact information, loan status, income, Social Security number, and credit history. The Department is expected to publish a procedures manual that instructs debt collectors on privacy safeguards. The Department is also supposed to require debt collectors to submit compliance reports to the agency. EPIC's sought release of the procedures manual and compliance reports for the last three years. After the Department failed to disclose any records in response to the FOIA request, EPIC sued. For more information, see EPIC: Open Government and EPIC: Student Privacy. (Mar. 18, 2013)
  • In Federal Court EPIC Defends Student Privacy: In documents filed with a federal court in Washington, DC, EPIC is challenging changes to the Family Educational Rights and Privacy Act (FERPA). The revised regulations, issued by the Education Department, allow the release of student records for non-academic purposes and undercut parental consent provisions. The rule change also promotes the public use of student IDs that enable access to private educational records. In 2011, EPIC submitted extensive comments to the agency, opposing the changes and arguing for the need to safeguard privacy. After the Education Department failed to make necessary changes, EPIC filed a lawsuit and argued that the agency exceeded its authority with the changes, and also that the revised regulations are not in accordance with the 1974 privacy law. EPIC is joined in the lawsuit by members of the EPIC Board of Directors and Advisory Board Grayson Barber, Pablo Garcia Molina, Peter Neumann, and Deborah Peel. For more information, see EPIC: EPIC v. The U.S. Department of Education and EPIC: Student Privacy. (Jan. 22, 2013)
  • EPIC Supports Moratorium on RFID Student Tracking : EPIC, along with Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) and other leading privacy and civil liberties organizations, issued a Position Paper on the Use of RFID in Schools. Radio Frequency Identification is an identification tracking technology "designed to monitor physical objects," such as commercial products, vehicles, and animals. Some school districts are proposing to use RFID ID tags to monitor students, teachers, and staff. The report warns of significant privacy and security risks. If RFID techniques are adopted, the groups urge that schools adopt robust privacy safeguards. In 2006 and 2007, EPIC submitted comments to federal agencies recommending against the use of RFID technology to track air travelers. The State Department subsequently made changes to the "e-Passport," to address privacy and security concerns. For more information, see EPIC: Radio Frequency Identification (RFID) Systems and EPIC: Student Privacy. (Aug. 21, 2012)
  • EPIC Urges Education Department to Protect Student Privacy: EPIC has submitted comments to the Education Department, recommending the agency collect only "relevant and necessary" student information when it undertakes educational studies. The agency's Institute of Education Sciences has proposed a "Study of Promising Features of Teacher Preparation Programs" to help assess teacher effectiveness. The new database will contain records on "approximately 5,000 students and 360 teachers." EPIC urged the agency to only collect student data germane to teacher effectiveness, such as test scores, and opposed the agency's collection of detailed student information such as actual name and "disciplinary incidences." Earlier this year, EPIC sued the Education Department for issuing regulations that failed to safeguard student privacy. For more information, see EPIC: EPIC v. The U.S. Department of Education and EPIC: Student Privacy. (Jul. 31, 2012)
  • EPIC Sues to Block Changes to Education Privacy Rules: EPIC has filed a lawsuit under the Administrative Procedure Act against the Department of Education. EPIC's lawsuit argues that the agency's December 2011 regulations amending the Family Educational Rights and Privacy Act exceed the agency's statutory authority, and are contrary to law. In 2011, the Education Department requested public comments regarding the proposed changes. In response, EPIC submitted extensive comments, addressing the student privacy risks and the agency's lack of legal authority to make changes to the privacy law without explicit Congressional intent. The agency issued the revised regulations despite the fact that "numerous commenters . . . believe the Department lacks the statutory authority to promulgate the proposed regulations." EPIC is joined in the lawsuit by co-plaintiffs Grayson Barber, Pablo Molina, Peter G. Neumman, and Dr. Deborah Peel. The case is EPIC v. US Department of Education, No. 12-00327. For more information, see EPIC: Student Privacy. (Feb. 29, 2012)
  • Department of Education Issues Unlawful Regulations that Harm Student Privacy: The Department of Education has released final regulations concerning the Family Educational Rights and Privacy Act (FERPA). These regulations exceed the agency's legal authority and expose students to new privacy risks. The new rules permit educational institutions to release student records to non-governmental agencies without first obtaining parents' written consent. The new rules also broaden the permissible purposes for which third parties can access students records without first notifying parents. The agency rules also fail to appropriately safeguard students from the risk of re-identification. In response to the Department of Education's request for public comments, EPIC submitted extensive comments to the agency in May 2011, addressing the student privacy risks and the agency's lack of legal authority to make changes to FERPA without explicit Congressional intent. For more information, see EPIC: Student Privacy. (Dec. 5, 2011)
  • Seventh Circuit Court Hears Oral Argument in Students' Privacy Case: The US Court of Appeals for the Seventh Circuit heard oral arguments today in Chicago Tribune v. University of Illinois. EPIC filed a "friend of the court" brief in the case, which concerns student privacy rights protected by the Family Educational Rights and Privacy Act ("FERPA"). EPIC's brief argued that Congress intended to protect student records, including admissions files, from unauthorized release and that Illinois' open government law must yield to the federal privacy law. In this case, the Tribune requested documents from the University of Illinois, under Illinois' open government law, while investigating alleged corruption in the admissions practices of the University. The University denied the Tribune's request, stating that the requested documents contained the personally identifiable information of students and were thereby protected by federal law. A lower federal court found that Illinois law required the documents to be released. The Depart of Justice also filed a brief in support of student privacy in the case. For more information, see EPIC: Chicago Tribune v. University of Illinois and EPIC: Student Privacy. (Sep. 30, 2011)
  • EPIC Urges Seventh Circuit to Protect Students' Privacy Rights: EPIC filed a "friend of the court" brief in Chicago Tribune v. University of Illinois, a case involving student privacy rights protected by the Family Educational Rights and Privacy Act ("FERPA"). EPIC's brief argues that Congress intended to protect student records, including admissions files, from unauthorized release and that Illinois' open government law must yield to the federal privacy law. While investigating alleged corruption in the admissions practices of the University of Illinois, the Tribune sought documents from the University under Illinois' open government law. The University denied the Tribune's request, stating that the requested documents contain the personally identifiable information of students and are thereby protected by federal law. A lower federal court found that Illinois law required the documents to be released.The Depart of Justice has also filed a brief in support of student privacy in the case. For more information, see EPIC: Chicago Tribune v. University of Illinois and EPIC: Student Privacy. (Jul. 21, 2011)
  • EPIC Calls Proposed Student Privacy Exemptions "Unlawful": EPIC submitted a detailed statement to the Department of Education in response to a request for public comment on a proposal to expand exemptions in a law that protects the privacy of student information. The Family Educational Rights and Privacy Act limits the release of students' educational records. However, the Department of Education has proposed to relax privacy safeguards to permit widespread disclosure of student data, including unique students identification numbers, across federal and state agencies. EPIC said that the agency lacks the legal authority to establish the exemptions and that proposal would result in an "Unprecedented and Unlawful Release of Confidential Student Information." Individuals can submit their own comments on the Regulations.gov website. For more information, see EPIC: Student Privacy. (May. 23, 2011)
  • Department of Education Plans to Disclose Confidential Student Data: The Department of Education has proposed new regulations to transfer student data from schools to state agencies. The regulations will revise key provisions of the Federal Educational Rights and Privacy Act, which was enacted to protect privacy, security, and confidentiality of student data. The proposal is part of a new federal program that requires schools to disclose student data, including enrollment information, degree of success transitioning from secondary to post-secondary institutions, and demographic data, to states to receive federal funding. The student information will be compiled into large databases and used to track and analyze student's progress through the education system. The Department is accepting comments on the proposed regulations. Deadline for comment is May 23, 2011. For More Information, see EPIC: Student Privacy. (Apr. 8, 2011)
  • Report Says School Officials At Fault in High School Spycam Episode: An independent report finds the Lower Merion School District at fault for the remote monitoring of laptop computers that the District issued to high school students. The report followed a complaint filed by Blake J. Robbins, a student at Harriton High School, alleging that school officials used the laptops to spy on students. The report concluded that 30,564 webcam photographs and 27,428 screen shot images were captured because of "the District's failure to implement policies, procedures, and record-keeping requirements and the overzealous and questionable use of technology" by personnel "without any apparent regard for privacy considerations or sufficient consultation with administrators." EPIC has extensively documented students' privacy rights, see EPIC: Student Privacy. (May. 14, 2010)
  • Supreme Court: Strip-Search of Teenager Violated Constitutional Rights : The Supreme Court delivered a 8-1 opinion ruling that a strip-search of a thirteen-year-old girl by school officials looking for an ibuprofen tablet violated the Fourth Amendment. Justice Souter writing for the Court held that the search was unreasonable and that school searches are permissible when they are "not excessively intrusive in light of the age and sex of the student and the nature of the infraction." But a majority of the Justices also said that the school officials were not liable for damages because it had not been "clearly established" that the search was unlawful. Justices Stevens and Ginsburg disagreed and said that a previous Supreme Court case made clear that the search was "excessively intrusive." Justice Thomas wrote in dissent that the search was permissible. See also EPIC's page on Student Privacy. (Jun. 25, 2009)
  • Supreme Court Hears Case on Strip-Search of Young Student by Schools Officials Looking for Advil: The Supreme Court heard a case involving a traumatic strip-search of a thirteen-year-old girl by school officials looking for an ibuprofen tablet. The search was conducted based on allegation by another student, who had been caught with drugs. A federal appelate court held that the search of the student was unreasonable and that a school official could be liable for violating the girl's Fourth Amendment rights. The school appealed to the Supreme Court and argued that the search was reasonable and the school official had qualified immunity. The respondent student replied that the search was highly invasive and the official should be held responsible. See also EPIC's page on Student Privacy. (Apr. 21, 2009)
  • EPIC and Over 100 Groups Seek End to DOD Recruiting Database. The Electronic Privacy Information Center (EPIC) and more than 100 local, state, and national organizations today urged Secretary of Defense Donald Rumsfeld to end the "Joint Advertising and Market Research Studies" Recruiting Database. The groups cited the broad exemptions to federal privacy laws that would allow the Defense Department to disclose personal information to others without an individual's consent or knowledge. The database would include name, date of birth, gender, address, telephone, e-mail address, Social Security Number, ethnicity, high school, education level, college, and intended field of study for more than 30 million Americans who are 16-25 years old. For more information, see EPIC's page on the DOD Recruitment Database Page. (Oct. 18, 2005)
  • Spotlight: Database Tracks Foreign Students, Visitors in United States. September's "Spotlight on Surveillance" scrutinizes the Student and Exchange Visitor Information System (SEVIS), a Homeland Security program that monitors and tracks students and exchange visitors at all times. SEVIS is also a part of the controversial US-VISIT program. Through SEVIS, the federal government is accumulating a massive amount of data on foreign students and exchange visitors and their dependents, including biographical, academic, and employment information. The stated goals of SEVIS concern immigration and education, but the database is also available to other federal, local, state, tribal and foreign agencies. For more information, see EPIC's Spotlight on Surveillance and US-VISIT pages. (Sept. 9, 2005)
  • EPIC Releases Memorandum on DOD Recruiting Database, Privacy Act Violations. EPIC has drafted a memorandum (pdf) describing the Department of Defense (DOD) recruiting database. The memorandum discusses the sources of the data and the Privacy Act violations in the creation of the database. Of particular concern is the use of commercial data brokers and Social Security Numbers. EPIC concludes with specific recommendations. Pending resolution of these issues, it is the view of EPIC that the use of the database should be immediately suspended. For more information, see EPIC's page on the DOD Recruiting Database Page. (Jul. 27, 2005)
  • Recruiting Database Established in Violation of Privacy Act. In a media roundtable Department of Defense officials admitted to consolidating a massive database of student information for recruiting in 2003, however the agency did not list this database in the Federal Register until May 2005. The Privacy Act requires that new systems of records be published in the Federal Register before they become operational. Last week, EPIC urged the agency to scrap the database, as it collected unnecessary information, offered no opt-out rights, and was to be housed at a private-sector direct marketing company. For more information, see EPIC's DOD Recruiting Database Page. (Jun. 27, 2005)
  • Groups: DOD Should Scrap Massive Database. In comments to the Department of Defense, EPIC and 8 privacy and consumer groups objected to the creation of a massive database for military recruitment purposes. The database would contain the Social Security Numbers, race, and educational information on up to 25 million people as young as 16 years old. The database would be operated by a commercial data marketing company, and individuals would not be able to opt-out. The groups called upon the Department of Defense to terminate the database program, as the database is fundamentally incompatible with the government's responsibilities under the Privacy Act. For more information, see EPIC's DOD Recruiting Database Page. (Jun. 21, 2005)
  • EPIC Objects to Student Data Matching. A coalition of groups has objected to data sharing between the Selective Service System (SSS) and the Department of Education to determine whether students have registered for the draft. In a letter to the SSS, EPIC argued that a data matching arrangement does not comply with the Privacy Act, and that it should be suspended immediately. (Dec. 21, 2004)

Resources

Cases

  • Gonzaga Univ. v. Doe, 122 S. Ct. 2268 (2002). In Gonzaga, the Supreme Court held that a student could not privately enforce rights conferred under FERPA by bringing a § 1983 civil rights action against a private university because the Act's nondisclosure provisions did not create any enforceable rights.
  • Owasso Indep. Sch. Dist. No. I-011 v. Falvo, 534 U.S. 426 (2002). In Owasso, the Supreme Court determined that grades on peer-graded papers do not qualify as education records, and thus are not protected by FERPA.
  • In Board of Ed. of Independent School Dist. No. 92 of Pottawatomie Cty. v. Earls, 536 U.S. 822, (2002), the Court ruled that students who voluntarily participate in extracurricular activities have a limited expectation of privacy because they voluntarily subject themselves to intrusions on their privacy, such as "occasional off-campus travel and communal undress." Furthermore, the Court found that requiring students to submit urine samples (by urinating in a bathroom stall while the teacher stood outside the stall listening "for the normal sounds of urination in order to guard against tampered specimens and to insure an accurate chain of custody") was "minimally intrusive" and a "not significant" invasion of students' privacy. In a concurring opinion, Justice Breyer compared student drug testing to other responsibilities that schools must bear, such as providing school lunches. Schools "prepare pupils for citizenship in the Republic [and] inculcate the habits and manners of civility as values in themselves conductive to happiness and as indispensable to the practice of self-government in the community and the nation," Breyer said.
  • United States v. Miami Univ., 294 F. 3d 797 (6th Cir. 2002). In Miami, the Sixth Circuit held that a newspaper does not have unrestricted access to unredacted student disciplinary records because such records are "education records" within the meaning of FERPA.
  • Jensen v. Reeves, 3 Fed. Appx. 905 (10th Cir. 2001). In Jensen, the Tenth Circuit determined that limited disclosure to interested parties about a child's misbehavior in school is legitimate under FERPA.
  • Vernonia School Dist. 47J v. Acton, 515 U.S. 646 (1995). Upheld the random, suspicionless drug testing of student athletes. The Court said that athletes had a diminished expectation of privacy in relation to other students, noting that athletes were required to undergo physical exams before being allowed to join a team and undress and shower in communal locker rooms.
  • Bauer v. Kincaid, 759 F. Supp 575 (WD Mo. 1991). In Bauer, a district court held that a public university student newspaper may obtain and publish criminal investigation and incident reports prepared by a campus security department because such documents are not "education records" under FERPA.
  • Red and Black Publ'g Co. v. Bd. of Regents, 427 S.E.2d 257 (Ga. 1993). In a suit filed by the University of Georgia's student newspaper after it was denied access to campus court records and proceedings about hazing charges against two fraternities, the Georgia Supreme Court held that student court records were subject to the state open-records law and that disciplinary proceedings were subject to the state open-meetings statute.
  • In New Jersey v. T.L.O., 469 U.S. 325 (1985), the Supreme Court held that the Fourth Amendment's prohibition on unreasonable searches and seizures applies to searches conducted by public school officials, who are not exempt from the Amendment's dictates by virtue of the special nature of their authority over schoolchildren. However, the Court said that school officials do not have to obtain a warrant before searching a student who is under their authority if the officials have reasonable grounds for suspecting that the search will turn up evidence that the student has violated the law or the rules of the school. The court held that searches of students' belongings are permissible if the measures adopted are reasonably related to the objectives of the search and not excessively intrusive in light of the student's age and sex and the nature of the infraction.
  • Planned Parenthood of Cent. Mo. V. Danforth, 428 U.S. 52 (1976). If a student confides in school personnel about pregnancy or birth control issues, case law establishing minors' reproductive rights probably limits schools' ability to disclose this information to the student's parents without his or her consent.

Student Profiling and Student Surveys

American Student List Information BrokerageAmerican Student List (ASL) sells databases of children's names in grades K-12 overlaid with data on sex, age, whether they own a telephone, income, religion, and their race or ethnicity. This information is often gleaned from surveys that are administered while children are in school under the pretense of college admissions and other education-related purposes. Students and parents do not know that their personal information is being used for the secondary purpose of marketing. The data is used for hawking credit cards, catalog items, magazines, student "recognition" products, and job recruitment. This image of ASL data comes from the SRDS Direct Marketing List Manual, a list of marketing lists. It is not available online, but one can often find it in a library.

Student "recognition" products, such as "Who's Who Among American High School Students" and the "National Dean's List" have a strong marketing function. Information collected in composing both directories is used for marketing a wide variety of products wholly unrelated to education. And, although teachers and administrators are encouraged to nominate students and transfer data to the company, the reality is that a growing number of employers and colleges don't consider such recognition directories as meritorious.

In October 2002, the Federal Trade Commission (FTC) settled cases against ASL and the National Research Center for College and University Admissions (NRCCUA) for collecting personal information from children using deceptive practices. The FTC complaint alleged that the companies operated a scheme to cull marketing data from student through surveys administered under the pretense of college admissions and scholarship opportunities.

NRCCUA sent letters to schools asking teachers to dedicate classroom time to administering detailed surveys for college admissions and financial aid purposes. These "Post-Secondary Planning" surveys elicited detailed personal information from students, including their religious affiliation, personal interests, and social attitudes. The surveys did have a privacy notice, but the language implied that the information was for educational purposes only. NRCCUA marketed the information collected to higher education institutions, but also shared the information with ASL, which used the data for direct marketing.

In August 2002, the New York Attorney General filed suit against Student Marketing Group (SMG), a company that collected information from students for direct marketing. The company was alleged to have formed a non-profit subsidiary, Educational Research Center of America (ERCA) which sent millions of surveys to high schools to collect information for college financial aid and scholarship opportunities. ERCA, without notice to the schools or students, was also using the information for direct marketing of magazines, credit cards, and other items. In January 2003, SMG and ERCA settled the New York Attorney General's case, and a separate investigation brought by the Federal Trade Commission.

Student profiling does not end with grade school. Profilers collect and use information from students in higher education as well. College students are targeted for magazine subscriptions, student "recognition" programs, credit cards, insurance solicitations, long distance plans, toys, cell phone plans, mail-order food, and other products. Often, college students' personal information is obtained through the institution itself. Institutions may reveal students' contact and activities (club membership) information through student directories, joint marketing agreements, or through state open records acts that require the release of enrollment lists.

State Laws

As of September 2002, thirty-five states have passed laws supplementing the protection of education records provided by FERPA. The states that offer the most protection include:

California: College and university students have a right to privacy under the state Constitution. Parents have a right to inspect children's records in both public and private schools. (Cal. Educ. Code §§ 49060-49083.)

Louisiana: A 1974 Louisiana Attorney General's opinion states that children have a right to privacy in schools. Their records are considered confidential.

Nebraska: Academic and disciplinary records are to be kept separate. Disciplinary records are destroyed at the time of the student's graduation if authorized by the state records board. (Neb. Rev. Stat. § 79-4,157.)

Ohio: Schools are forbidden to release education records for any profit-making activity. (Ohio Rev. Code § 3319.321.)

Oklahoma: It is a misdemeanor for a teacher to reveal any information about a child obtained in the teacher's professional capacity, except as required by fulfillment of contractual obligations or as requested by a parent. (Okla. Stat. Ann. 7-6-115.)

Texas: Education records are considered confidential and can be released only upon request of school personnel, a student, parent, or spouse. (Tex. Gov. Code § 552.114).

Related Student Privacy Issues

Military Access to Students and Student Information

Two laws were passed in 2001 which make it easier for military recruiters to access high school students' contact information. The laws changed schools' previous ability, under the Family Educational Rights and Privacy Act (FERPA), to choose to whom they would release such information.For more information about this issue, see EPIC's DOD Recruiting Database page.

Tracking and Managing Student Information

Although the No Child Left Behind Act explicitly prohibits the creation of a nationwide student database, the Act does set up requirements for collecting information from students that may encourage school districts and states to develop new ways to track students. The NCLB requires each state to create procedures for "facilitating the transfer of disciplinary records" to any school in which a student enrolls or seeks to enroll. (20 U.S.C.S. § 7165). NCLB also includes vast guidelines and requirements for monitoring student achievement. Schools, districts and states will link test scores to, for instance, information like race and socioeconomic status. Some states have created unique identifiers for all students that can carry many pieces of information, and some of these systems have raised the concern of groups like the ACLU.

Federal Substance Abuse Records Laws: If a state law gives older minors the right to get treatment or counseling for substance abuse problems without parental consent, and school-based persons operate a program to provide that assistance, the federal laws require that any record in the student's file relating to the assistance be kept confidential—even from the minor's parents—unless the minor consents to a release.

Student and Exchange Visitor Information System (SEVIS)

In January 2002, FERPA was amended to permit the Attorney General to obtain a court order to collect education records from schools for the purposes of investigating or prosecuting terrorism. The Immigration and Naturalization Services (INS), in conjunction with a number of other federal agencies, is currently in the initial stages of implementing the Student and Exchange Visitor Information System (SEVIS).

SEVIS is an Internet-based system that allows schools to transmit student information to the INS for purposes of tracking and monitoring non-immigrant and exchange students. Accessible information includes a student's personally identifiable information, admission at port of entry, disciplinary information, and academic information, such as changes in program of study. Schools will be required to transmit such information to the INS for the duration of a student's stay in the United States. The USA PATRIOT Act requires that SEVIS be fully implemented by January 1, 2003.

Campus Identification Cards

Many colleges and universities are employing identification cards that are used to access every facility or service on the campus. The goal of these cards is to create a seamless system where students can purchase items or access services with just one card.

These systems of identification pose new risks to privacy and autonomy. First, such systems can create a log of students' movements, which later can be accessed by police or other authorities. There is also the problem of malicious student or employee access, caused in part by institutional hiring of students for positions where they can access the personal data of other students. With ubiquitous campus identification schemes, student employees or others may use the data to stalk or harass other students and employees.

Second, it creates an infrastructure that allows dataveillance. Such systems can allow secondary use of location or consumption data, much like supermarket-shopping cards are used now to profile what individuals purchase at stores. These cards eliminate cash transactions, and in doing so, may tie identity to every transaction. For instance, Blackboard's student identification system notes that it:

"Provide you [sic] users with identification cards and track user data. All user profiles are stored in a central database, and user data can be imported from a variety of commercial Student Information Systems (SIS)".

NuVision Networks, Corp. markets their student identification system as one that can accommodate a number of campus activities, including student voting:

"Voting We've taken all the work out of college voting. With Campus Center it's easy to manage complex voting situations involving an unlimited number of specialized groups. Votes can be multiple choice or Yes/No, and since the actual tally is constantly displayed for each vote, there is really no need to post results. Student can watch the voting as it happens from any network computer.

One cannot take "all the work out" of voting. Electronic voting is an extremely complex topic that implicates risks to the secret ballot, and inference with the vote. Bryn Mawr Professor Rebecca Mercuri, a leading authority in electronic voting notes:

Fully electronic systems do not provide any way that the voter can truly verify that the ballot cast corresponds to that being recorded, transmitted, or tabulated. Any programmer can write code that displays one thing on a screen, records something else, and prints yet another result. There is no known way to ensure that this is not happening inside of a voting system.

Another service offered by Blackboard, "Bb One," allows off-campus use of campus identity cards. This system specifically allows direct marketing based on the identification system:

Bb One™ is a transaction-based outsourcing solution that enables the acceptance of the university ID card as a form of payment off-campus. Bb One provides students with a cashless, safe, and secure way to transact on and around campus while offering parents the assurance that their funds will be spent within a university-approved network. Blackboard develops a comprehensive off-campus merchant network on behalf of each university and manages every aspect of the program from merchant acquisition to merchant support. Participating merchants also benefit from access to a university-endorsed spending program and direct-to-student and parent marketing programs.

The security of these identification systems is also questionable. Most of the systems operate on Windows platforms, which are particularly vulnerable to malicious cracking. Furthermore, Blackboard Inc. has employed the Digital Millennium Copyright Act to stop two students from delivering a lecture on the security vulnerabilities of the cards.

Third, and most importantly, pervasive identification systems acclimatize students to the custom of carrying an identity card and using it for routine purposes. We do not live in a society where individuals are required to carry identification, but these systems essentially force students to do so. Campuses that employ these systems are likely to breed a generation of students who don't see the fundamental privacy risks that flow from eliminating anonymous systems, and from requiring individuals to carry credentials.

Campus Credit Card Marketing

Financial institutions are very aggressive in attracting student customers. New students generally have no debt, and little understanding of how credit cards and compound interest work. Many financial institutions actually have exclusive credit card marketing agreements on certain campuses, where the school profits from the issuance of credit cards to students. The pursuit of students after graduation is also privacy invasive, as alumni associations receive payment for selling personal information to the credit card companies.

News