Focusing public attention on emerging privacy and civil liberties issues

Student Privacy

Top News

  • Google Admits to Data-Mining Student Emails: In a sworn statement filed with a federal court, Google has admitted to scanning student emails to serve students targeted advertisements. Although Google does not display ads in Apps for Education, Google "does scan [student] email" to "compile keywords for advertising" on Google sites. Google has gained access to student emails pursuant to the Education Department's recently revised regulations, which significantly weakened the Family Educational Rights and Privacy Act, a federal student privacy law. Still, Google's practices appear to contravene the Education Department's "best practices" for online educational service providers. EPIC had earlier sued the Education Department for weakening the privacy law that protects student data. For more information, see: EPIC Student Privacy and EPIC: EPIC v. Dep't of Education. (Mar. 19, 2014)
  • After Weakening Privacy Law, Education Department Proposes "Best Practices" for Student Data: The Education Department has issued recommendations for schools that transfer student records to online educational service providers. Following the Department's changes to a federal student privacy law, private companies and government agencies have access to student records without obtaining student consent. In the recommendations, the agency explained that the current regulations do not require written agreements for schools to disclose student information to private companies. The Education Department recommended that schools establish policies for approving online educational services, create written contracts with private companies for the use of student data, and explain to parents and students how schools collect, use, and disclose student information. The agency warned that student data held by private companies may not be protected under federal privacy laws. EPIC had earlier sued the Education Department for weakening the privacy rule that prevented companies from getting access to student data. On March 13, 2014, the Education Department will hold a webinar on its student privacy best practices. For more information, see: EPIC: Student Privacy and EPIC: EPIC v. Dept. of Education. (Mar. 7, 2014)
  • Senator Markey Outlines New Student Privacy Legislation at EPIC Event: At a briefing on Capitol Hill hosted by EPIC, Senator Ed Markey announced plans to introduce legislation protecting student data. Senator Markey set out four principles his bill would cover: (1) student information may never be used to market products to children; (2) parents must have the right to access and amend student information held by private companies; (3) schools and private companies must safeguard student information; and (4) companies must delete student information after it is no longer needed for educational purposes. Senator Markey made the remarks at the EPIC event "Failing Grade: Education Records and Student Privacy," which included leading experts in technology, student privacy, and the Chief Privacy Officer at the Department of Education. Last year, Senator Markey sent a letter to the Education Department, requesting information on the "impact of increased collection and distribution of student data" on privacy. The Education Department provided a response, suggesting that when schools outsource to private companies, they should ensure that the companies protect student data. For more information, see EPIC: Student Privacy. (Jan. 14, 2014)
  • Company Adds Encryption to Website After EPIC Files Complaint: Following EPIC's complaint to the Federal Trade Commission about Scholarships.com, the company has improved security on its website. Scholarships.com encourages students to divulge sensitive medical, sexual, and religious information to obtain financial aid information. The company claims that it uses this information to locate scholarships and financial aid. In fact, the company transfers the data to a business affiliate American Student Marketing, which in turn sells the data for general marketing purposes. EPIC's complaint to the FTC alleged that Scholarships.com’s failure to use reasonable security practices is an unfair trade practice. The company has since implemented HTTPS. For more information, see EPIC: Student Privacy. (Dec. 19, 2013)
  • EPIC Files Privacy Complaint to Protect Student Data: EPIC has filed an extensive complaint with the Federal Trade Commission concerning the business practices of Scholarships.com. The company encourages students to divulge sensitive medical, sexual, and religious information to obtain financial aid information. The company claims that it uses this information to locate scholarships and financial aid. Scholarships.com, however, transfers the data to a business affiliate, American Student Marketing, which in turn sells the data for general marketing purposes. EPIC alleges that this is an unfair and deceptive trade practice. EPIC’s complaint also alleges that Scholarships.com’s failure to use reasonable security practices is an unfair trade practice. EPIC has asked the FTC to require the company to change its business practices. Earlier this year, EPIC urged Congress to restore privacy protections for student data following recent changes to the Family Educational Rights and Privacy Act. For more information, see: EPIC: Student Privacy. (Dec. 12, 2013)
  • EPIC FOIA - EPIC Uncovers Information About Debt Collector Practices from Education Dept.: Pursuant to a Freedom of Information Act lawsuit against the Education Department, EPIC has obtained documents which reveal that many private debt collection agencies maintain incomplete and insufficient quality control reports. As government contractors, debt collectors are required to follow the Privacy Act, a federal law that protects personal information. The Education Department also requires student debt collectors to submit quality control reports indicating whether the companies maintain accurate student loan information. The documents obtained by EPIC in this FOIA lawsuit reveal that many companies provide small sample sizes to conceal possible violations of the Act. The documents also show that many companies do not submit required information about Privacy Act compliance to the Education Department. EPIC has recently settled the case and obtained attorneys' fees for making this information available to the public. For more information, see EPIC v. Education Department - Private Debt Collector Privacy Act Compliance. (Nov. 1, 2013)
  • Senator Markey Investigates Student Data Disclosures: Senator Edward Markey has sent a letter to the Education Department, requesting information on the "impact of increased collection and distribution of student data" on student privacy rights. Among other questions, Senator Markey asks why the Department made changes to the Family Educational Rights and Privacy Act, a federal student privacy law; whether the Department "performed an assessment of the types of information" that schools disclose to third party vendors; and whether students and their families can obtain their information held by private companies. The letter states, "By collecting detailed personal information about students' test results and learning abilities, educators may find better ways to educate their students. However, putting the sensitive information of students in private hands raises a number of important questions about the privacy rights of parents and their children." EPIC has sent a letter to the Senate and House Committees on Education, urging Congress to restore privacy protections for student data. For more information, see EPIC: Student Privacy and EPIC: EPIC v. The Department of Education. (Oct. 24, 2013)
  • EPIC Urges Congress to Protect Student Privacy: In a letter to the Senate and House Committees on Education, EPIC has asked Congress to restore privacy protections for student data. EPIC's letter follows a court opinion concerning recent changes to the Family Educational Rights and Privacy Act. EPIC has warned that the changes in the student privacy law allow the release of student records for non-academic purposes and undercut parental and student consent provisions. EPIC has urged Congress to investigate the impact of the revised regulations. "Students and families are losing control over sensitive information," EPIC wrote, "and private companies are becoming the repositories of student data and even the data maintained by the schools is far more extensive than ever before." For more information, see EPIC: Student Privacy. (Oct. 10, 2013)
  • Judge Rules that EPIC Lacks Standing to Challenge Education Department's Unlawful Regulations: A federal court dismissed EPIC's lawsuit against the Education Department. EPIC has challenged the agency's 2011 changes to the Family Educational Rights and Privacy Act (FERPA) which allow the release of student records for non-academic purposes and undercut parental and student consent provisions. The court held that neither EPIC nor any of its Board of Director co-plaintiffs "have standing to bring the claims asserted in the complaint." The judge did not reach EPIC's substantive claims asserted in the complaint. EPIC argued that the Education Department exceeded its authority with the changes and that the revised regulations violate the federal student privacy law. Before initiating the lawsuit, EPIC submitted extensive comments to the Education Department, opposing the unlawful regulations. EPIC intends to take further steps to safeguard student privacy. For more information, see EPIC: EPIC v. The U.S. Department of Education and EPIC: Student Privacy. (Oct. 1, 2013)
  • EPIC to Defend Student Privacy Rights in Federal Court: On July 24, EPIC President Marc Rotenberg and EPIC Administrative Law Counsel Khaliah Barnes will present arguments in federal district court in Washington, DC in support of student privacy. In EPIC v. Dept. of Education, No. 12-327, EPIC is challenging recent changes to the Family Educational Rights and Privacy Act (FERPA) that allow the release of student records for non-academic purposes and undercut parental consent provisions. In 2011, EPIC submitted extensive comments to the agency opposing the changes. After the Education Department failed to modify the proposed regulation, EPIC filed a lawsuit and argued that the agency exceeded its authority with the changes, and also that the revised regulations are not in accordance with the 1974 privacy law. EPIC is joined in the lawsuit by members of the EPIC Board of Directors Grayson Barber, Pablo Garcia Molina, Peter Neumann, and Deborah Peel. For more information, see EPIC: EPIC v. The U.S. Department of Education and EPIC: Student Privacy. (Jul. 23, 2013)
  • EPIC Testifies Before Colorado Board on Student Privacy: EPIC Administrative Law Counsel Khaliah Barnes testified before the Colorado State Board of Education on privacy issues concerning inBloom and other companies that acquire student information. In response to public outcry over a pilot program which grants these companies access to sensitive student data, the Colorado Board of Education hosted a public session. Representatives from inBloom, the Colorado Attorney General's Office, a local school district, and EPIC participated. EPIC recommended that Colorado ensure that students and parents have access to education records maintained by third party providers, and that students and their parents should be able to limit disclosure to third parties. In 2012, EPIC sued the Education Department for issuing regulations that failed to safeguard student privacy. For more information, see EPIC: EPIC v. The U.S. Department of Education and EPIC: Student Privacy. (May. 21, 2013)
  • EPIC Sues Education Department, Seeks Documents about Debt Collectors and Student Privacy: EPIC has filed a Freedom of Information Act lawsuit against the Education Department, following the agency's failure to release documents about private debt collection and compliance with federal privacy law. The Department has contracts with at least twenty-three private debt collectors who obtain sensitive personal information, including contact information, loan status, income, Social Security number, and credit history. The Department is expected to publish a procedures manual that instructs debt collectors on privacy safeguards. The Department is also supposed to require debt collectors to submit compliance reports to the agency. EPIC sought release of the procedures manual and compliance reports for the last three years. After the Department failed to disclose any records in response to the FOIA request, EPIC sued. For more information, see EPIC: Open Government and EPIC: Student Privacy. (Mar. 18, 2013)
  • In Federal Court EPIC Defends Student Privacy: In documents filed with a federal court in Washington, DC, EPIC is challenging changes to the Family Educational Rights and Privacy Act (FERPA). The revised regulations, issued by the Education Department, allow the release of student records for non-academic purposes and undercut parental consent provisions. The rule change also promotes the public use of student IDs that enable access to private educational records. In 2011, EPIC submitted extensive comments to the agency, opposing the changes and arguing for the need to safeguard privacy. After the Education Department failed to make necessary changes, EPIC filed a lawsuit and argued that the agency exceeded its authority with the changes, and also that the revised regulations are not in accordance with the 1974 privacy law. EPIC is joined in the lawsuit by members of the EPIC Board of Directors and Advisory Board Grayson Barber, Pablo Garcia Molina, Peter Neumann, and Deborah Peel. For more information, see EPIC: EPIC v. The U.S. Department of Education and EPIC: Student Privacy. (Jan. 22, 2013)
  • EPIC Supports Moratorium on RFID Student Tracking: EPIC, along with Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) and other leading privacy and civil liberties organizations, issued a Position Paper on the Use of RFID in Schools. Radio Frequency Identification is an identification tracking technology "designed to monitor physical objects," such as commercial products, vehicles, and animals. Some school districts are proposing to use RFID ID tags to monitor students, teachers, and staff. The report warns of significant privacy and security risks. If RFID techniques are adopted, the groups urge that schools adopt robust privacy safeguards. In 2006 and 2007, EPIC submitted comments to federal agencies recommending against the use of RFID technology to track air travelers. The State Department subsequently made changes to the "e-Passport," to address privacy and security concerns. For more information, see EPIC: Radio Frequency Identification (RFID) Systems and EPIC: Student Privacy. (Aug. 21, 2012)
  • EPIC Urges Education Department to Protect Student Privacy: EPIC has submitted comments to the Education Department, recommending the agency collect only "relevant and necessary" student information when it undertakes educational studies. The agency's Institute of Education Sciences has proposed a "Study of Promising Features of Teacher Preparation Programs" to help assess teacher effectiveness. The new database will contain records on "approximately 5,000 students and 360 teachers." EPIC urged the agency to only collect student data germane to teacher effectiveness, such as test scores, and opposed the agency's collection of detailed student information such as actual name and "disciplinary incidences." Earlier this year, EPIC sued the Education Department for issuing regulations that failed to safeguard student privacy. For more information, see EPIC: EPIC v. The U.S. Department of Education and EPIC: Student Privacy. (Jul. 31, 2012)
  • EPIC Sues to Block Changes to Education Privacy Rules: EPIC has filed a lawsuit under the Administrative Procedure Act against the Department of Education. EPIC's lawsuit argues that the agency's December 2011 regulations amending the Family Educational Rights and Privacy Act exceed the agency's statutory authority, and are contrary to law. In 2011, the Education Department requested public comments regarding the proposed changes. In response, EPIC submitted extensive comments, addressing the student privacy risks and the agency's lack of legal authority to make changes to the privacy law without explicit Congressional intent. The agency issued the revised regulations despite the fact that "numerous commenters . . . believe the Department lacks the statutory authority to promulgate the proposed regulations." EPIC is joined in the lawsuit by co-plaintiffs Grayson Barber, Pablo Molina, Peter G. Neumann, and Dr. Deborah Peel. The case is EPIC v. US Department of Education, No. 12-00327. For more information, see EPIC: Student Privacy. (Feb. 29, 2012)
  • Department of Education Issues Unlawful Regulations that Harm Student Privacy: The Department of Education has released final regulations concerning the Family Educational Rights and Privacy Act (FERPA). These regulations exceed the agency's legal authority and expose students to new privacy risks. The new rules permit educational institutions to release student records to non-governmental agencies without first obtaining parents' written consent. The new rules also broaden the permissible purposes for which third parties can access student records without first notifying parents. The agency rules also fail to appropriately safeguard students from the risk of re-identification. In response to the Department of Education's request for public comments, EPIC submitted extensive comments to the agency in May 2011, addressing the student privacy risks and the agency's lack of legal authority to make changes to FERPA without explicit Congressional intent. For more information, see EPIC: Student Privacy. (Dec. 5, 2011)
  • Seventh Circuit Court Hears Oral Argument in Students' Privacy Case: The US Court of Appeals for the Seventh Circuit heard oral arguments today in Chicago Tribune v. University of Illinois. EPIC filed a "friend of the court" brief in the case, which concerns student privacy rights protected by the Family Educational Rights and Privacy Act ("FERPA"). EPIC's brief argued that Congress intended to protect student records, including admissions files, from unauthorized release and that Illinois' open government law must yield to the federal privacy law. In this case, the Tribune requested documents from the University of Illinois, under Illinois' open government law, while investigating alleged corruption in the admissions practices of the University. The University denied the Tribune's request, stating that the requested documents contained the personally identifiable information of students and were thereby protected by federal law. A lower federal court found that Illinois law required the documents to be released. The Department of Justice also filed a brief in support of student privacy in the case. For more information, see EPIC: Chicago Tribune v. University of Illinois and EPIC: Student Privacy. (Sep. 30, 2011)
  • EPIC Urges Seventh Circuit to Protect Students' Privacy Rights: EPIC filed a "friend of the court" brief in Chicago Tribune v. University of Illinois, a case involving student privacy rights protected by the Family Educational Rights and Privacy Act ("FERPA"). EPIC's brief argues that Congress intended to protect student records, including admissions files, from unauthorized release and that Illinois' open government law must yield to the federal privacy law. While investigating alleged corruption in the admissions practices of the University of Illinois, the Tribune sought documents from the University under Illinois' open government law. The University denied the Tribune's request, stating that the requested documents contain the personally identifiable information of students and are thereby protected by federal law. A lower federal court found that Illinois law required the documents to be released. The Department of Justice has also filed a brief in support of student privacy in the case. For more information, see EPIC: Chicago Tribune v. University of Illinois and EPIC: Student Privacy. (Jul. 21, 2011)
  • EPIC Calls Proposed Student Privacy Exemptions "Unlawful": EPIC submitted a detailed statement to the Department of Education in response to a request for public comment on a proposal to expand exemptions in a law that protects the privacy of student information. The Family Educational Rights and Privacy Act limits the release of students' educational records. However, the Department of Education has proposed to relax privacy safeguards to permit widespread disclosure of student data, including unique student identification numbers, across federal and state agencies. EPIC said that the agency lacks the legal authority to establish the exemptions and that the proposal would result in an "Unprecedented and Unlawful Release of Confidential Student Information." Individuals can submit their own comments on the Regulations.gov website. For more information, see EPIC: Student Privacy. (May. 23, 2011)
  • Department of Education Plans to Disclose Confidential Student Data: The Department of Education has proposed new regulations to transfer student data from schools to state agencies. The regulations will revise key provisions of the Family Educational Rights and Privacy Act, which was enacted to protect privacy, security, and confidentiality of student data. The proposal is part of a new federal program that requires schools to disclose student data, including enrollment information, degree of success transitioning from secondary to post-secondary institutions, and demographic data, to states to receive federal funding. The student information will be compiled into large databases and used to track and analyze students' progress through the education system. The Department is accepting comments on the proposed regulations. Deadline for comment is May 23, 2011. For more information, see EPIC: Student Privacy. (Apr. 8, 2011)
  • Report Says School Officials At Fault in High School Spycam Episode: An independent report finds the Lower Merion School District at fault for the remote monitoring of laptop computers that the District issued to high school students. The report followed a complaint filed by Blake J. Robbins, a student at Harriton High School, alleging that school officials used the laptops to spy on students. The report concluded that 30,564 webcam photographs and 27,428 screen shot images were captured because of "the District's failure to implement policies, procedures, and record-keeping requirements and the overzealous and questionable use of technology" by personnel "without any apparent regard for privacy considerations or sufficient consultation with administrators." EPIC has extensively documented students' privacy rights, see EPIC: Student Privacy. (May. 14, 2010)
  • Supreme Court: Strip-Search of Teenager Violated Constitutional Rights: The Supreme Court delivered an 8-1 opinion ruling that a strip-search of a thirteen-year-old girl by school officials looking for an ibuprofen tablet violated the Fourth Amendment. Justice Souter writing for the Court held that the search was unreasonable and that school searches are permissible when they are "not excessively intrusive in light of the age and sex of the student and the nature of the infraction." But a majority of the Justices also said that the school officials were not liable for damages because it had not been "clearly established" that the search was unlawful. Justices Stevens and Ginsburg disagreed and said that a previous Supreme Court case made clear that the search was "excessively intrusive." Justice Thomas wrote in dissent that the search was permissible. See also EPIC's page on Student Privacy. (Jun. 25, 2009)
  • Supreme Court Hears Case on Strip-Search of Young Student by School Officials Looking for Advil: The Supreme Court heard a case involving a traumatic strip-search of a thirteen-year-old girl by school officials looking for an ibuprofen tablet. The search was conducted based on an allegation by another student, who had been caught with drugs. A federal appellate court held that the search of the student was unreasonable and that a school official could be liable for violating the girl's Fourth Amendment rights. The school appealed to the Supreme Court and argued that the search was reasonable and the school official had qualified immunity. The respondent student replied that the search was highly invasive and the official should be held responsible. See also EPIC's page on Student Privacy. (Apr. 21, 2009)
  • EPIC and Over 100 Groups Seek End to DOD Recruiting Database. The Electronic Privacy Information Center (EPIC) and more than 100 local, state, and national organizations today urged Secretary of Defense Donald Rumsfeld to end the "Joint Advertising and Market Research Studies" Recruiting Database. The groups cited the broad exemptions to federal privacy laws that would allow the Defense Department to disclose personal information to others without an individual's consent or knowledge. The database would include name, date of birth, gender, address, telephone, e-mail address, Social Security Number, ethnicity, high school, education level, college, and intended field of study for more than 30 million Americans who are 16-25 years old. For more information, see EPIC's page on the DOD Recruitment Database Page. (Oct. 18, 2005)
  • Spotlight: Database Tracks Foreign Students, Visitors in United States. September's "Spotlight on Surveillance" scrutinizes the Student and Exchange Visitor Information System (SEVIS), a Homeland Security program that monitors and tracks students and exchange visitors at all times. SEVIS is also a part of the controversial US-VISIT program. Through SEVIS, the federal government is accumulating a massive amount of data on foreign students and exchange visitors and their dependents, including biographical, academic, and employment information. The stated goals of SEVIS concern immigration and education, but the database is also available to other federal, local, state, tribal and foreign agencies. For more information, see EPIC's Spotlight on Surveillance and US-VISIT pages. (Sept. 9, 2005)
  • EPIC Releases Memorandum on DOD Recruiting Database, Privacy Act Violations. EPIC has drafted a memorandum (pdf) describing the Department of Defense (DOD) recruiting database. The memorandum discusses the sources of the data and the Privacy Act violations in the creation of the database. Of particular concern is the use of commercial data brokers and Social Security Numbers. EPIC concludes with specific recommendations. Pending resolution of these issues, it is the view of EPIC that the use of the database should be immediately suspended. For more information, see EPIC's page on the DOD Recruiting Database Page. (Jul. 27, 2005)
  • Recruiting Database Established in Violation of Privacy Act. In a media roundtable, Department of Defense officials admitted to consolidating a massive database of student information for recruiting in 2003; however, the agency did not list this database in the Federal Register until May 2005. The Privacy Act requires that new systems of records be published in the Federal Register before they become operational. Last week, EPIC urged the agency to scrap the database, as it collected unnecessary information, offered no opt-out rights, and was to be housed at a private-sector direct marketing company. For more information, see EPIC's DOD Recruiting Database Page. (Jun. 27, 2005)
  • Groups: DOD Should Scrap Massive Database. In comments to the Department of Defense, EPIC and 8 privacy and consumer groups objected to the creation of a massive database for military recruitment purposes. The database would contain the Social Security Numbers, race, and educational information on up to 25 million people as young as 16 years old. The database would be operated by a commercial data marketing company, and individuals would not be able to opt-out. The groups called upon the Department of Defense to terminate the database program, as the database is fundamentally incompatible with the government's responsibilities under the Privacy Act. For more information, see EPIC's DOD Recruiting Database Page. (Jun. 21, 2005)
  • EPIC Objects to Student Data Matching. A coalition of groups has objected to data sharing between the Selective Service System (SSS) and the Department of Education to determine whether students have registered for the draft. In a letter to the SSS, EPIC argued that a data matching arrangement does not comply with the Privacy Act, and that it should be suspended immediately. (Dec. 21, 2004)

Introduction

Students do not shed all of their rights at the schoolhouse gate, including the right to privacy. Although recent Supreme Court decisions have diminished this right, there are substantial federal and state protections for the privacy of students' educational records. The most prominent of the federal protections for student privacy is the Family Educational Rights and Privacy Act (FERPA), also known as the "Buckley Amendment." FERPA protects the confidentiality of student records to some extent, while also giving students the right to review their own records.

Students' personal information is often collected through in-school surveys, sometimes for commercial use. Congress most recently addressed such surveys in the No Child Left Behind Act, a broad federal educational act. The Act provides parents and students the right to be notified of, and consent to, the collection of student information. However, the Act includes many exceptions to this right.

Congress does not always expand privacy when it addresses the collection of student information. Another provision of No Child Left Behind mandates that high schools turn over student contact information to military recruiters, unless parents or students explicitly opt out of such disclosure. And in 2002, Congress amended FERPA, via the USA PATRIOT Act, to require schools to transmit information about immigrant students to the INS. Under this program, the Student and Exchange Visitor Information System, schools had to begin in 2003 reporting immigrants' academic information, such as disciplinary actions or changes in programs of study.

Family Educational Rights and Privacy Act

FERPA protects the confidentiality of student educational records. The Act applies to any public or private elementary, secondary, or post-secondary school and any state or local education agency that receives federal funds. All public schools and virtually all private schools are covered by FERPA because they receive some sort of federal funding.

The Act has two parts. First, it gives students the right to inspect and review their own education records, request corrections, halt the release of personally identifiable information, and obtain a copy of their institution's policy concerning access to educational records. (20 U.S.C.S. § 1232g(a)). Second, it prohibits educational institutions from disclosing "personally identifiable information in education records" without the written consent of the student, or if the student is a minor, the student's parents. (20 U.S.C.S. § 1232g(b)). Schools that fail to comply with FERPA risk losing federal funding.

However, there are several exceptions that allow the release of student records to certain parties or under certain conditions. Records may be released without the student's consent: (1) to school officials with a legitimate educational interest; (2) to other schools to which a student seeks or intends to enroll; (3) to education officials for audit and evaluation purposes; (4) to accrediting organizations; (5) to parties in connection with financial aid to a student; (6) to organizations conducting certain studies for or on behalf of a school; (7) to comply with a judicial order or lawfully issued subpoena; (8) in the case of health and safety emergencies; and (9) to state and local authorities within a juvenile justice system. (20 U.S.C.S. § 1232g(b)(1)).

In addition, some records maintained by schools are exempt from FERPA, including: (1) records in the sole possession of school officials; (2) records maintained by a law enforcement unit of the educational institution; (3) records of an educational institution's non-student employees; and (4) records on a student who is 18 years of age or older or who attends a post-secondary institution that are maintained by a health professional. (20 U.S.C.S. § 1232g(a)(4)(B)). In addition, FERPA allows, but does not require, schools to release "directory information," including students' names and addresses, to the public. (20 U.S.C.S. § 1232g(a)(5)(A)). However, this exception was modified in 2002, and high schools are now required to provide students' names, addresses and telephone numbers to military recruiters, unless a student or parent opts out of such disclosure.

History

The Family Educational Rights and Privacy Act, also commonly referred to as the Buckley Amendment after its principal sponsor Sen. James Buckley, was signed into law by President Ford on August 21, 1974. Traditional legislative history for FERPA as it was first enacted is unavailable because the act was offered as an amendment on the Senate floor to a bill extending the Elementary and Secondary Education Act of 1965 and was not the subject of committee consideration. Congress offered no opportunity to those affected by FERPA to be heard prior to its enactment. There was no legislative committee study and review nor any public hearings to receive testimony from institutions or individuals. However, in a speech explaining the act to the Legislative Conference of Parents and Teachers, Senator Buckley said FERPA was adopted in response to "the growing evidence of the abuse of student records across the nation."

Immediately following the enactment of FERPA, higher education officials became alarmed by the act's possible implications for colleges and universities. They voiced concern about what to do with existing records, such as letters of recommendation for college admissions, which were written under assurances of confidentiality, but open to student inspection under FERPA. These concerns led to major FERPA amendments that were enacted on December 31, 1974. Among other things, the amendments cleared up some of the law's ambiguous language and limited the right of post-secondary students to inspect and review records so that they would not have access to the financial records of their parents or to confidential letters of recommendation placed in their files before January 1, 1975.

The amendments' sponsors, Senators Buckley and Pell, also clarified the intent of FERPA by submitting a major source of legislative history for the amendments, the "Joint Statement in Explanation of Buckley/Pell Amendment." In the Joint Statement, the senators emphasized the need for parents to have access to the information contained in student education records in order to protect their children's interests.

  • Legislative History of Major FERPA Provisions, Department of Education Family Policy Compliance Office.
  • T. Page Johnson, Managing Student Records: The Courts and the Family Educational Rights and Privacy Act of 1974, 79 Ed. L. Rep. 2 (1993).
  • Address to the Legislative Conference of the National Congress of Parents and Teachers, March 12, 1975, 121 Cong. Rec. S7974 (daily ed. May 13, 1975).
  • Pupil Power, The Economist, Feb. 1, 1975, at 46.

Amendments

Including the 1974 amendments, FERPA has been amended a total of nine times since its enactment. Through these amendments, Congress has continually recognized new circumstances under which personally identifiable information contained in education records can be disclosed without the consent of parents or students.

  • December 31, 1974: In addition to limiting post-secondary students' access to their parents' financial records and to confidential letters of recommendation submitted on the student's behalf prior to Jan. 1, 1975, the amendments strengthened the right of students to a hearing to challenge the content of records they believe are inaccurate, misleading, or otherwise in violation of the privacy or other rights of students and to an opportunity to correct any inaccurate or misleading information. The amendments also gave students the right to insert a written explanation regarding the contents of records.
  • August 6, 1979: Congress clarified that FERPA does not prohibit state and local educational officials from having access to student or other records that might be necessary in connection with the audit or evaluation of any federal- or state-supported education program. The amendments were enacted to correct an "anomaly" caused by the Department of Education's interpretation of FERPA as precluding state auditors from requesting student records in order to conduct state audits of local and state-supported programs.
  • November 8, 1990 (Campus Security Act): Amendments allowed post-secondary institutions to disclose to the alleged victim of a violent crime the results of any disciplinary proceeding conducted by the institution against the alleged perpetrator of the crime, regardless of the outcome of the proceeding.
  • July 23, 1992: FERPA was amended to exempt records created for law enforcement purposes and maintained by law enforcement units of educational institutions from the definition of education records. This means that law enforcement records, such as police crime logs, are not protected from disclosure by FERPA. In fact, the Clery Act requires any educational institution receiving federal funds to keep their police logs available for public inspection during normal business hours.
  • October 20, 1994 (Improving America's Schools Act): Amendments extended the right to inspect and review education records maintained by state educational agencies that are not otherwise subject to FERPA.
  • October 7, 1998 (Higher Education Amendments of 1998): Congress amended FERPA to clarify that schools may disclose to the public the final results of any disciplinary proceeding in which a student has been found responsible for a crime of violence or nonforcible sex offense. Although FERPA does not require schools to release this information, many public schools may have to release it under their state open-records laws. However, private schools are not required to release this information, and some states' educational privacy laws protect it from disclosure as well. Congress added nonforcible sex offenses to the list of crimes in which the victim is entitled to learn the outcome of any disciplinary proceeding against the perpetrator and clarified that only "final results" of disciplinary proceedings (the name of the student who was found responsible for the offense, the violation committed and the sanction imposed by the school) may be disclosed. Congress also added an amendment that allows post-secondary institutions to inform parents if their child has violated a law or school rule governing the use or possession of alcohol or illegal drugs. This amendment applies to post-secondary students under 21 years old regardless of whether the student is a financial dependent for tax purposes. However, the amendment does not supersede any state laws that may prohibit such disclosure. The regulations issued following the 1998 amendments added two new categories of potential student directory information to the list of information about a student that can be disclosed without his or her consent: photographs and e-mail addresses. The regulations also clarified that student "dates of attendance" that may be released as directory information include the academic terms during which a student was enrolled, not the student's daily presence in school.
  • October 28, 2000: Congress added an amendment clarifying that FERPA does not prohibit educational institutions from disclosing information about registered sex offenders on their campuses. In fact, the Clery Act requires schools beginning in 2003 to notify the campus community about where public information about registered sex offenders on campus may be obtained.
  • October 26, 2001 (PATRIOT Act): Congress added an amendment allowing the attorney general or a designated representative of the attorney general to request a court order requiring an educational institution to permit the attorney general to collect, retain, disseminate and use education records relevant to an authorized investigation or prosecution of an act of domestic or international terrorism.
  • January 8, 2002: Congress made technical corrections to the text of the statute.
  • December 9, 2008: The Education Department issued regulations amending the FERPA. These amendments made several significant changes to the FERPA regulations. For example, in light of the Supreme Court decision in Owasso Independent School Dist. No. I011 v. Falvo (534 U.S. 426 (2002)), the regulations exclude "grades on peer-graded papers before they are collected and recorded by a teacher" from the definition of "education records." The amendments also changed the definition of "personally identifiable information" to include a definition for "biometric record." Under the regulations, biometric information includes "fingerprints; retina and iris patterns; voiceprints; DNA sequence; facial characteristics; and handwriting." Additionally, the 2008 regulations permit educational agencies and institutions to disclose education records without consent to "contractors, consultants, volunteers, and other outside parties providing institutional services and functions or otherwise acting for an agency or institution."
  • December 2, 2011: The Education Department issued regulations amending FERPA. Among other changes, the regulations reinterpreted the statutory terms "authorized representative," "education program," and "directory information." The regulations defined a previously undefined term, "authorized representative," to include non-governmental actors as "representatives" of state educational institutions. The agency also defined "education program" as any program that is "principally engaged in the provision of education, including, but not limited to early childhood education, elementary and secondary education, postsecondary education, special education, job training, career and technical education, and adult education, regardless of whether the program is administered by an education authority." Under FERPA, authorized representatives have access to "student or other records which may be necessary in connection with the audit and evaluation of Federally-supported education programs." The regulations also authorize schools to publicly disclose student ID numbers that are displayed on individual cards or badges. The regulations went into effect on January 3, 2012.

Protections offered by FERPA

Parents and Eligible Students

FERPA extends certain privacy rights to parents with regard to their children's education records. These rights transfer to the child when he or she reaches the age of 18, thus becoming a student eligible for rights under FERPA.

Parents have the right to inspect their children's education records, and eligible students have the right to inspect their own education records. A school must accommodate any inspection request within 45 days of receipt.

If a parent or eligible student is circumstantially unable to exercise the right to review the records, the school must provide copies of the records or otherwise make arrangements for the parents or eligible student to inspect the records. A school cannot charge a fee merely to search for a student's records, but may charge a copying fee. Parents and eligible students also have the right to request that education records be amended if the records contain information thought to be inaccurate, misleading, or in violation of the student's privacy. If the school denies such a request, parents and eligible students have a right to a hearing to review the school's decision.

Schools are required to inform parents and eligible students of their rights under FERPA. The method of providing such information is left to the discretion of the school. Generally, schools must obtain written consent from parents and eligible students before disclosing any personally identifiable information from a student's education record other than "directory information." But there are many exceptions to this general rule. A school may disclose personally identifiable information from education records without consent under the following circumstances:

  • Education records may be disclosed to school officials within the school, such as teachers, who have a legitimate educational interest in the information. It is the school's responsibility to determine when there is a legitimate educational interest. For example, a teacher concerned about a student's performance may have a legitimate educational interest in looking at the student's standardized test scores, but a teacher who just wanted to find out the IQ scores of his or her students probably would not.
  • Education records may be disclosed to another school, school district, or post-secondary institution where the student is planning to enroll.
  • Education records may be disclosed to representatives of the Comptroller General of the United States, the Attorney General of the United States, the Secretary of the United States Department of Education, or other state or local authorities for purposes of audit or evaluation.
  • Education records may be disclosed for purposes related to financial aid for which the student has applied, as long as the information is necessary to make determinations of eligibility for aid, amount or conditions of aid, or enforcement of terms of aid.
  • Education records may be disclosed to state or local officials or authorities within a juvenile justice system, as long as the disclosure is made pursuant to a state law.
  • Education records may be disclosed to organizations that are conducting studies for educational agencies or institutions in connection with the development or administration of predictive tests or student aid programs, or studies that are intended to improve educational instruction. Such studies must not permit identification of parents or students by anyone other than representatives of the organization. Furthermore, the personally identifiable information must be destroyed when no longer needed for the study.
  • Education records may be disclosed to accrediting organizations for purposes of conducting accreditation procedures.
  • Education records may be disclosed to the parents of a dependent student as defined by the IRS.
  • Education records may be disclosed in connection with a health or safety emergency.
  • Education records may be released in compliance with a court order, such as a subpoena, but schools must first make a "reasonable effort" to provide notice to parents or students. In the case of law enforcement or federal grand jury subpoenas, the issuing court or agency may, for good cause, order the school not to disclose the existence or contents of the subpoena or the records released pursuant to the subpoena. However, absent an emergency, schools cannot provide non-directory student information to police without a subpoena.
  • Student "directory information" may also be disclosed without the student or parent's consent. Directory information can include the student's name, address, telephone number, date and place of birth, major field of study, dates of attendance, participation in school-sponsored extracurricular activities, height and weight of student athletes, degrees earned, honors and awards earned, the educational institution last attended, photographs and e-mail addresses. Schools do not have to release directory information, but if they do they must give public notice of the categories of information they classify as "directory information." The school must then give parents and eligible students a reasonable amount of time to inform the school that they do not want some or all of their directory information disclosed without consent. Since 2002, secondary schools must provide students' names, addresses, and telephone numbers to military recruiters upon request, but must have first given students and parents the opportunity to opt out of such disclosure.

Every school is required to notify parents and eligible students annually of their rights under FERPA. The notice can take any form the institution or agency considers appropriate, but must explain how a parent or eligible student may:

  • Exercise the right to review education records.
  • Correct inaccurate, misleading, or privacy-violating information in their education records.
  • Consent to disclosure of a student's personally identifiable information.
  • File a complaint concerning the failure of a school to comply with FERPA's requirements.

Schools are required to maintain a list of all individuals or organizations that have requested or obtained a student's education records. These records can only be accessed by a parent or eligible student, the school official responsible for education records and authorized auditing personnel. This list, which must be kept with the education record to which it pertains, must state the specific interest each requesting party has in the student's information. Third parties who obtain access to student education records must agree not to disclose the information to anyone else without a parent or eligible student's written consent.

Post-secondary Students

Students enrolled in post-secondary schools are considered eligible students under FERPA and have the right to review their own education records. However, post-secondary students may not review:

  • Their parents' financial records.
  • Confidential letters of recommendation included in their education records before January 1, 1975.
  • Confidential letters of recommendation included in their education records after January 1, 1975, that pertain to the student's admission to the school, application for employment, or receipt of an honor if the student has waived the right to inspect those statements.

The education records of post-secondary students are also less secure. In addition to the circumstances under which personally identifiable information may be disclosed without consent, listed above, post-secondary schools may also disclose:

  • The final result of a disciplinary proceeding to the victim of an act of violence or nonforcible sex offense allegedly perpetrated by the subject of the records, regardless of the outcome of the proceeding. Schools may not disclose the names of other students connected with the proceedings, including the victim or any witnesses, without the written consent of those students. Disclosure under this exception may be made only regarding disciplinary proceedings in which a result was reached on or after October 7, 1998.
  • The student's violation of a law or school rule pertaining to the use or possession of alcohol or drugs to the student's parent. Such disclosure may be made only when the student is under the age of 21.

What to do if your school has violated your rights under FERPA:

If you think your or your child's FERPA rights have been violated, you can file a complaint with the Department of Education's Family Policy Compliance Office (FPC). Complaints should contain specific allegations of fact giving reasonable cause to believe that a violation of the Act or this part has occurred. Complaints must be filed within 180 days of the alleged violation, or at the time the complainant knew of the violation or reasonably should have known of the violation. If you fail to report a violation within this time period, you may request an extension from the FPC.

After the FPC receives a complaint, it will then notify the student and the school in writing if it initiates an investigation of the complaint. The notice to the school includes the substance of the alleged violation and asks the school to submit a written response to the complaint. The FPC will notify the complainant if it does not initiate an investigation of a complaint because the complaint is untimely or otherwise defective.

If the FPC initiates an investigation, it may permit the parties to submit further written or oral arguments or information. There is no deadline under FERPA for processing complaints, so it may take many months before the FPC makes a finding. However, once the FPC concludes its investigation, it will provide to both the complainant and the school written notice of its findings and the basis for its findings.

If the FPC finds that the school has violated FERPA, it will include in its findings a statement of the specific steps the school must take to comply and provide a reasonable period of time during which the school may voluntarily comply. If the school does not comply during the time period set out by the FPC, the secretary of the Department of Education may withhold payments to the school under any applicable federal program, issue a complaint to compel compliance through a cease-and-desist order, or terminate the school's eligibility to receive federal funding. If the secretary finds that an educational agency or institution has complied voluntarily, the Secretary will provide the complainant and the school written notice of the decision and its basis for the decision.

No Private Cause of Action

Courts are unanimous in holding that FERPA does not provide the right to file a private lawsuit to challenge alleged violations. The Supreme Court held in June 2002 that students may not file a Section 1983 civil rights action against a school for alleged FERPA violations because the Act's nondisclosure provisions did not create any enforceable rights.

Student Profiling, Student Surveys, and The No Child Left Behind Act

[Image: American Student List Information Brokerage]

American Student List sells databases of children's names in grades K-12 overlaid with data on sex, age, whether they own a telephone, income, religion, and their race or ethnicity. This information is often gleaned from surveys that are administered while children are in school under the pretense of college admissions and other education-related purposes. Students and parents do not know that their personal information is being used for the secondary purpose of marketing. The data is used for hawking credit cards, catalog items, magazines, student "recognition" products, and job recruitment. This image of American Student List data comes from the SRDS Direct Marketing List Manual, a list of marketing lists. It is not available online, but one can often find it in a library.

Student "recognition" products, such as "Who's Who Among American High School Students" and the "National Dean's List" have a strong marketing function. Information collected in composing both directories is used for marketing a wide variety of products wholly unrelated to education. And, although teachers and administrators are encouraged to nominate students and transfer data to the company, the reality is that a growing number of employers and colleges don't consider such recognition directories as meritorious.

In October 2002, the Federal Trade Commission (FTC) settled cases against American Student List (ASL) and the National Research Center for College and University Admissions (NRCCUA) for collecting personal information from children using deceptive practices. The FTC complaint alleged that the companies operated a scheme to cull marketing data from students through surveys administered under the pretense of college admissions and scholarship opportunities.

NRCCUA sent letters to schools asking teachers to dedicate classroom time to administering detailed surveys for college admissions and financial aid purposes. These "Post-Secondary Planning" surveys elicited detailed personal information from students, including their religious affiliation, personal interests, and social attitudes. The surveys did have a privacy notice, but the language implied that the information was for educational purposes only. NRCCUA marketed the information collected to higher education institutions, but also shared the information with ASL, which used the data for direct marketing.

In August 2002, the New York Attorney General filed suit against Student Marketing Group (SMG), a company that collected information from students for direct marketing. The company was alleged to have formed a non-profit subsidiary, Educational Research Center of America (ERCA), that sent millions of surveys to high schools to collect information for college financial aid and scholarship opportunities. ERCA, without notice to the schools or students, was also using the information for direct marketing of magazines, credit cards, and other items. In January 2003, SMG and ERCA settled the New York Attorney General's case, and a separate investigation brought by the Federal Trade Commission.

Student profiling does not end with grade school. Profilers collect and use information from students in higher education as well. College students are targeted for magazine subscriptions, student "recognition" programs, credit cards, insurance solicitations, long distance plans, toys, cell phone plans, mail-order food, and other products. Often, college students' personal information is obtained through the institution itself. Institutions may reveal students' contact and activities (club membership) information through student directories, joint marketing agreements, or through state open records acts that require the release of enrollment lists.

The No Child Left Behind Act Limits Some Student Profiling

In 2001, President Bush signed into law H.R.1, a large-scale education bill that expands federal involvement in student testing, academic standards, and teacher quality. H.R.1 is also known as the No Child Left Behind Act (NCLB). Included in the Act's 670 pages is Section 1061, a provision that provides students and parents with rights to be informed about, and opt out of, the in-school collection of students' personal information.

Section 1061 amends a part of the Elementary and Secondary Education Act (ESEA) of 1965, and applies to any "local educational agency"- meaning a public or private school, school district, or local board of education - that receives federal funds. It does not apply to colleges or universities. The local educational agencies (LEAs) must develop a number of policies, in consultation with parents, regarding the collection and use of student information. First, LEAs must adopt policies giving parents of minor students, and adult students, the right to inspect any survey created by a third party before it is administered in school. (20 U.S.C.S. § 1232h(a)). Second, LEAs must notify parents and adult students about, and allow them to decline participation in, surveys which collect information from students regarding a number of subjects:

  • Political affiliations or beliefs of the student or the student's parent
  • Mental and psychological problems of the student or the student's family
  • Sex behavior or attitudes
  • Illegal, anti-social, self-incriminating or demeaning behavior
  • Critical appraisals of other individuals with whom respondents have close family relationships
  • Legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers
  • Income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program)
  • Religious practices, affiliations or beliefs of the student or the student's family
(20 U.S.C.S. § 1232h(c)).

These categories are drawn from the 1978 Protection of Pupil Rights Amendments (PPRA) to the ESEA, also known as the Hatch Act. The PPRA, as updated in 1994, addresses only Department of Education-funded surveys, and requires schools and contractors to obtain written parental consent before minor students are required to participate in any Department survey, analysis, or evaluation that reveals information concerning the above categories of information. (20 U.S.C.S. § 1232h(b)). (The "religious practices, affiliations or beliefs" category was added by NCLB). NCLB's Section 1061 expands the PPRA significantly by applying this requirement to any survey collecting such information, not just to those surveys developed by the Department of Education.

Section 1061 also requires that parents and adult students be notified about in-school surveys conducted for sales or marketing purposes, and be able to opt out of participation. (20 U.S.C.S. § 1232h(c)(1)(E)). However, NCLB carves out a number of exceptions to this restriction on commercial surveys. The exempted surveys, which may be administered without parental notification and without allowing opting out, involve an array of subjects:

  • college or other postsecondary education recruitment, or military recruitment
  • book clubs, magazines, and programs providing access to low-cost literary products
  • curriculum and instructional materials used by elementary schools and secondary schools
  • tests and assessments used by elementary and secondary schools to provide cognitive, evaluative, diagnostic, clinical, aptitude, or achievement information about students - and the subsequent analysis and public release of the aggregate data from it
  • the sale by students of products or services to raise funds for school-related or education-related activities
  • student recognition programs

(20 U.S.C.S. § 1232h(c)(4)).

Section 1061 leaves in place schools' ability, under the FERPA, to release students' "directory information" - such as addresses and phone numbers - as long as parents or adult students do not request that the information be kept private. (Opting out of such disclosure is usually performed by noting this preference on a form at the beginning of the school year.) According to a 2003 Department of Education letter, this means that schools may release to companies the directory information of students who are not opted out of release. However, if a company seeks personal, non-"directory" information - such as Social Security numbers - a school would be obligated under FERPA and, apparently, under Section 1061, to specifically notify parents and students of such collection and permit them to opt out.

Section 1061 also requires schools to:

  • Notify parents and adult students about nonemergency, invasive physical examinations and provide them with the ability to opt out (20 U.S.C.S. §1232h(c)(2)(C)(iii)).
  • Allow parents to inspect, upon request, any instructional material used in the classroom (20 U.S.C.S. §1232h(c)(2)(A)).
  • Provide at least yearly notice of the privacy policies that are adopted (20 U.S.C.S. §1232h(c)(1)(A)(i)).

History of the No Child Left Behind Act

In 2001, Senators Christopher Dodd (D-CT) and Richard Shelby (R-AL) introduced Senate Bill 290, the Student Privacy Protection Act, to address the problem of "student profiling," the in-school collection of data for marketing and sales purposes. The legislation would have required that before schools could provide companies with information collected from students in school, the schools would have to explain to parents what information would be disclosed, to whom it was going, how it would be used, and the amount of class time used to collect the information. The information could not be released without parents' consent. Further, the Dodd-Shelby bill would apparently have completely prohibited a company from itself gathering students' information, as opposed to requesting the information from a school, if the information was to be used for a commercial purpose. College recruiting and book clubs were exempted from this "commercial purpose" category.

Senator Dodd, in introducing the bill, pointed to examples of marketing in schools, such as the 27-page survey "All About Me" that a New Jersey television station had induced elementary students to fill out for marketing purposes. "If someone came to your home and started to ask your child about his or her age, gender, neighborhood, food preferences, and entertainment preferences, surely you would want to know the purpose of such questions before deciding whether to consent to them," Dodd's introduction stated. "We think parents and children are entitled to no less consideration just because a child is in school."

Congress, however, adopted compromise language after being lobbied by groups such as the American Advertising Federation and American Student List, a company that sells personal information about tens of millions of American students. The resulting provision, Section 1061 of the No Child Left Behind Act, departed significantly from the Dodd-Shelby bill by not requiring parents' written consent for companies to collect information from students. Section 1061 only mandates that parents and adult students be given the opportunity to opt out of commercial surveys. In other words, the default rule shifted from "no collection unless affirmatively granted permission," to "collection unless denied permission." The burden falls on the student or parent to make it known that they do not want personal student information to be gathered by companies. In addition, Section 1061 departed from the Dodd-Shelby bill by adding fundraising programs, magazine sellers and "student recognition programs" to the list of companies not considered "commercial." These companies are therefore exempt from the requirement that parents and students be given the opportunity to opt-out of their surveys.

Military Access to Students and Student Information

Two laws were passed in 2001 which make it easier for military recruiters to access high school students' contact information. The laws changed schools' previous ability, under the Family Educational Rights and Privacy Act (FERPA), to choose to whom they would release such information. Detailed information about this issue is on EPIC's DOD Recruiting Database Page.

Tracking and Managing Student Information

Although the No Child Left Behind Act explicitly prohibits the creation of a nationwide student database, the Act does set up requirements for collecting information from students that may encourage school districts and states to develop new ways to track students. The NCLB requires each state to create procedures for "facilitating the transfer of disciplinary records" to any school in which a student enrolls or seeks to enroll. (20 U.S.C.S. §7165). NCLB also includes vast guidelines and requirements for monitoring student achievement. Schools, districts and states will link test scores to, for instance, information like race and socioeconomic status. Some states have created unique identifiers for all students that can carry many pieces of information, and some of these systems have raised the concern of groups like the ACLU.

Student and Exchange Visitor Information System (SEVIS)

In January 2002, FERPA was amended to permit the Attorney General to obtain a court order to collect education records from schools for the purposes of investigating or prosecuting terrorism. The INS, in conjunction with a number of other federal agencies, is currently in the initial stages of implementing the Student and Exchange Visitor Information System (SEVIS).

SEVIS is an Internet-based system that allows schools to transmit student information to the INS for purposes of tracking and monitoring non-immigrant and exchange students. Accessible information includes a student's personally identifiable information, admission at port of entry, academic information, such as changes in program of study, and disciplinary information. Schools will be required to transmit such information to the INS for the duration of a student's stay in the United States. The USA PATRIOT Act requires that SEVIS be fully implemented by January 1, 2003.

Federal Substance Abuse Records Laws: If a state law gives older minors the right to get treatment or counseling for substance abuse problems without parental consent, and school-based persons operate a program to provide that assistance, the federal laws require that any record in the student's file relating to the assistance be kept confidential--even from the minor's parents--unless the minor consents to a release.

Minors' Reproductive Rights: If a student confides in school personnel about pregnancy or birth control issues, case law establishing minors' reproductive rights probably limits schools' ability to disclose this information to the student's parents without his or her consent.

State laws

As of September 2002, thirty-five states have passed laws supplementing the protection of education records provided by FERPA. The states that offer the most protection include:

California: College and university students have a right to privacy under the state Constitution. Parents have a right to inspect children's records in both public and private schools. (Cal. Educ. Code § 49060-49083.)

Louisiana: A 1974 Louisiana Attorney General's opinion states that children have a right to privacy in schools. Their records are considered confidential.

Nebraska: Academic and disciplinary records are to be kept separate. Disciplinary records are destroyed at the time of the student's graduation if authorized by the state records board. (Neb. Rev. Stat. § 79-4,157.)

Ohio: Schools are forbidden to release education records for any profit-making activity. (Ohio Rev. Code § 3319.321.)

Oklahoma: It is a misdemeanor for a teacher to reveal any information about a child obtained in the teacher's professional capacity, except as required by fulfillment of contractual obligations or as requested by a parent. (Okla. Stat. Ann. 7-6-115.)

Texas: Education records are considered confidential and can be released only upon request of school personnel, a student, parent, or spouse. (Tex. Gov. Code § 552.114.)

The Fourth Amendment and Public Schools

School Drug Testing

The Supreme Court bolstered schools' abilities to conduct random, suspicionless drug tests of students in June 2002 by ruling that a public high school in Oklahoma did not violate its students' Fourth Amendment right to be free from unreasonable searches by requiring all students who participate in extracurricular activities to submit to urinalysis testing for illegal drugs. In Board of Ed. of Independent School Dist. No. 92 of Pottawatomie Cty. v. Earls, 536 U.S. ___, No. 01-332 (2002), the Court ruled that students who voluntarily participate in extracurricular activities have a limited expectation of privacy because they voluntarily subject themselves to intrusions on their privacy, such as "occasional off-campus travel and communal undress." Furthermore, the Court found that requiring students to submit urine samples (by urinating in a bathroom stall while the teacher stood outside the stall listening "for the normal sounds of urination in order to guard against tampered specimens and to insure an accurate chain of custody") was "minimally intrusive" and a "not significant" invasion of students' privacy.

In a concurring opinion, Justice Breyer compared student drug testing to other responsibilities that schools must bear, such as providing school lunches. Schools "prepare pupils for citizenship in the Republic [and] inculcate the habits and manners of civility as values in themselves conducive to happiness and as indispensable to the practice of self-government in the community and the nation," Breyer said.

The Court's decision in Earls followed a 1995 decision upholding the random, suspicionless drug testing of student athletes. Vernonia School Dist. 47J v. Acton, 515 U.S. 646 (1995). In that case, the Court said that athletes had a diminished expectation of privacy in relation to other students, noting that athletes were required to undergo physical exams before being allowed to join a team and undress and shower in communal locker rooms.

Searches of Students' Belongings

In New Jersey v. T.L.O., 469 U.S. 325 (1985), the Supreme Court held that the Fourth Amendment's prohibition on unreasonable searches and seizures applies to searches conducted by public school officials, who are not exempt from the Amendment's dictates by virtue of the special nature of their authority over schoolchildren. However, the Court said that school officials do not have to obtain a warrant before searching a student who is under their authority if the officials have reasonable grounds for suspecting that the search will turn up evidence that the student has violated the law or the rules of the school. The Court held that searches of students' belongings are permissible if the measures adopted are reasonably related to the objectives of the search and not excessively intrusive in light of the student's age and sex and the nature of the infraction.

In T.L.O., the Court said that school officials' search of a female student's purse was reasonable after a teacher had caught her smoking in violation of school rules, and that evidence of marijuana use that school officials found in her purse and turned over to police could be admitted in court.

Related Student Privacy Issues

Campus Identification Cards

Many colleges and universities are employing identification cards that are used to access every facility or service on the campus. The goal of these cards is to create a seamless system where students can purchase items or access services with just one card.

These systems of identification pose new risks to privacy and autonomy. First, such systems can create a log of students' movements, which later can be accessed by police or other authorities. There is also the problem of malicious student or employee access - that is, often institutions hire students for positions where they can access the personal data of other students. With ubiquitous campus identification schemes, student employees or others may use the data to stalk or harass other students and employees.

Second, it creates an infrastructure that allows dataveillance. Such systems can allow secondary use of location or consumption data, much like supermarket-shopping cards are used now to profile what individuals purchase at stores. These cards eliminate cash transactions, and in doing so, may tie identity to every transaction. For instance, Blackboard's student identification system notes that it:

"Provide you [sic] users with identification cards and track user data. All user profiles are stored in a central database, and user data can be imported from a variety of commercial Student Information Systems (SIS)."

NuVision Networks, Corp. markets their student identification system as one that can accommodate a number of campus activities, including student voting:

"Voting
We've taken all the work out of college voting. With Campus Center it's easy to manage complex voting situations involving an unlimited number of specialized groups. Votes can be multiple choice or Yes/No, and since the actual tally is constantly displayed for each vote, there is really no need to post results. Student can watch the voting as it happens from any network computer."

One cannot take "all the work out" of voting. Electronic voting is an extremely complex topic that implicates risks to the secret ballot, and interference with the vote. Bryn Mawr Professor Rebecca Mercuri, a leading authority in electronic voting, notes:

Fully electronic systems do not provide any way that the voter can truly verify that the ballot cast corresponds to that being recorded, transmitted, or tabulated. Any programmer can write code that displays one thing on a screen, records something else, and prints yet another result. There is no known way to ensure that this is not happening inside of a voting system.

Another service offered by Blackboard, "Bb One," allows off-campus use of campus identity cards. This system specifically allows direct marketing based on the identification system:

Bb One™ is a transaction-based outsourcing solution that enables the acceptance of the university ID card as a form of payment off-campus. Bb One provides students with a cashless, safe, and secure way to transact on and around campus while offering parents the assurance that their funds will be spent within a university-approved network. Blackboard develops a comprehensive off-campus merchant network on behalf of each university and manages every aspect of the program from merchant acquisition to merchant support. Participating merchants also benefit from access to a university-endorsed spending program and direct-to-student and parent marketing programs.

The security of these identification systems is also questionable. Most of the systems operate on Windows platforms, which are particularly vulnerable to malicious cracking. Furthermore, Blackboard Inc. has employed the Digital Millennium Copyright Act to stop two students from delivering a lecture on the security vulnerabilities of the cards.

Third, and most importantly, pervasive identification systems acclimatize students to the custom of carrying an identity card and using it for routine purposes. We do not live in a society where individuals are required to carry identification, but these systems essentially force students to do so. Campuses that employ these systems are likely to breed a generation of students who don't see the fundamental privacy risks that flow from eliminating anonymous systems, and from requiring individuals to carry credentials.

CampusWide Materials, Acidus.

Campus Credit Card Marketing

Financial institutions are very aggressive in attracting student customers. New students generally have no debt, and little understanding of how credit cards and compound interest work. Many financial institutions actually have exclusive credit card marketing agreements on certain campuses, where the school profits from the issuance of credit cards to students. The pursuit of students after graduation is also privacy-invasive, as alumni associations receive payment for selling personal information to the credit card companies.

Cases

  • Gonzaga Univ. v. Doe, 122 S. Ct. 2268 (2002). In Gonzaga, the Supreme Court held that a student could not privately enforce rights conferred under FERPA by bringing a § 1983 civil rights action against a private university because the Act's nondisclosure provisions did not create any enforceable rights.
  • Owasso Indep. Sch. Dist. No. I-011 v. Falvo, 534 U.S. 426 (2002). In Owasso, the Supreme Court determined that grades on peer-graded papers do not qualify as education records, and thus are not protected by FERPA.
  • United States v. Miami Univ., No. 00-3518, 2002 FED App. 0213P (6th Cir. 2001). In Miami, the Sixth Circuit held that a newspaper does not have unrestricted access to unredacted student disciplinary records because such records are "education records" within the meaning of FERPA.
  • Jensen v. Reeves, No. 99-4142, 3 Fed. Appx. 905 (10th Cir. 2001). In Jensen, the Tenth Circuit determined that limited disclosure to interested parties about a child's misbehavior in school is legitimate under FERPA.
  • Bauer v. Kincaid, 759 F. Supp. 575 (W.D. Mo. 1991). In Bauer, a district court held that a public university student newspaper may obtain and publish criminal investigation and incident reports prepared by a campus security department because such documents are not "education records" under FERPA.
  • Red and Black Publ'g Co. v. Bd. of Regents, 427 S.E.2d 257 (Ga. 1993). In a suit filed by the University of Georgia's student newspaper after it was denied access to campus court records and proceedings about hazing charges against two fraternities, the Georgia Supreme Court held that student court records were subject to the state open-records law and that disciplinary proceedings were subject to the state open-meetings statute.