06/09/2017
Reminders on Data Privacy
By Tod Massa
Information about a student is protected as part of the education record under the Family Educational Rights and Privacy Act (FERPA), unless the school has designated certain elements as directory information. Some elements, such as race, sex/gender, SSN, or student ID, can never be designated as directory information.
BUT. At least 20 states' attorneys general have agreed that "applicant records" have no such protection, and USED's Office of Family Compliance (FCO) has agreed that an applicant who does not enroll is not a student. What is less clear is when an applicant becomes an enrolled student. The FCO leaves that decision to the institution. The upshot is that the records of applicants who are denied admission or do not enroll may not have FERPA rights attached to them, with the exception of educational records from other institutions, such as transcripts, because educational records never lose their status as educational records.
Explicit exceptions to disclosure prohibitions:
Generally, schools must have written permission from the parent or eligible student in order to release any information from a student's education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31):
- School officials with legitimate educational interest;
- Other schools to which a student is transferring;
- Specified officials for audit or evaluation purposes;
- Appropriate parties in connection with financial aid to a student;
- Organizations conducting certain studies for or on behalf of the school;
- Accrediting organizations;
- To comply with a judicial order or lawfully issued subpoena;
- Appropriate officials in cases of health and safety emergencies; and
- State and local authorities, within a juvenile justice system, pursuant to specific State law.
Virginia law, the Government Data Collection and Dissemination Practices Act, requires this:
§ 2.2-3806. Rights of data subjects.
A. Any agency maintaining personal information shall:
1. Inform an individual who is asked to supply personal information about himself whether he is legally required, or may refuse, to supply the information requested, and also of any specific consequences that are known to the agency of providing or not providing the information.
2. Give notice to a data subject of the possible dissemination of part or all of this information to another agency, nongovernmental organization or system not having regular access authority, and indicate the use for which it is intended, and the specific consequences for the individual, which are known to the agency, of providing or not providing the information. However documented permission for dissemination in the hands of the other agency or organization shall satisfy the requirement of this subdivision. The notice may be given on applications or other data collection forms prepared by data subjects.
Basically this says an eligible student or parent may refuse to provide any requested data/information, at the risk of not receiving the service or benefit (admission, in-state tuition eligibility, financial aid, etc.). Perhaps more importantly, the data cannot be used for law enforcement actions without notice to the student at time of collection that this may happen, except as mandated by a court ruling.
I have no specific reasons for sharing this information at this specific time, other than it seems there might be enough nervousness in the air about the topic generally. The best way institutions can avoid many difficulties is to ensure that their required annual notification of directory information and rights under FERPA includes a list of the known and possible disclosures of non-directory information, and possible risks of such, to comply with Virginia law as well as FERPA.
It is always a good time to review your privacy policies and statements.