Judge Tosses Challenge to FERPA Rules on Student ID Numbers

By Mark Walsh — September 30, 2013 2 min read
  • Save to favorites
  • Print

A federal judge has a thrown out a lawsuit challenging 2011 regulations for the main federal education privacy law that added student identification numbers to the “directory” of information that may be disclosed by schools and colleges.

The Electronic Privacy Information Center and four individuals sued the U.S. Department of Education over the latest rules for the Family Educational Rights and Privacy Act of 1974, or FERPA.

But Judge Amy Berman Jackson of U.S. District Court in Washington issued summary judgment for the Education Department, ruling that the plaintiffs have not suffered any real legal injuries stemming from the regulations and thus they lack legal standing to bring their suit.

“The individual plaintiffs have alleged nothing more than a hypothetical possibility of some vague harm, and that harm does not even flow from the challenged regulations,” Judge Jackson said in her Sept. 26 decision in Electronic Privacy Information Center v. U.S. Department of Education. “And the organizational plaintiff, EPIC, complains simply that the new rules have prompted it to engage in the very sort of advocacy that is its raison d’etre.”

FERPA governs the disclosure of student records by educational institutions receiving federal funds. Most records generally may not be disclosed without a parent’s consent, or the consent of an adult student.

Schools and colleges, however, may disclose directory information without consent, including a student’s name, address, participation in sports and activities, dates of attendance, and degrees awarded, among other categories.

The 2011 regulations added student ID numbers or unique personal identifiers to the list of directory information, including those displayed on student ID badges, as long as such numbers cannot be used to access the student’s other educational records without a password or PIN.

The rules also slightly changed some definitions in the law in a way that EPIC said would “expose troves of sensitive, non-academic data” and “insufficiently safeguard students from the risk of re-identification,” or allowing someone to use a student ID number from a card to access more detailed records, the organization said.

The EPIC suit said the Education Department lacked authority under FERPA to adopt the regulations it did and thus violated the Administrative Procedure Act.

“Unlike other directory information such as name and major field of study, student ID numbers used in conjunction with other readily available directory information provide access to education records in violation of the FERPA,” the privacy group said in one court filing. “Publicly available unique student identifiers expose personal information that places at risk the privacy of students, the precise concern of Congress in enacting the statute.”

Judge Jackson said in her opinion that “this case begins and ends with plaintiffs’ constitutional standing to bring their claims.”

The judge suggested that the only plaintiff who came close to having standing to challenge the regulations was Pablo Garcia Molina, a doctoral student at Georgetown University (who also happened to be an administrator there.)

“Plaintiffs have not shown that disclosure of Molina’s Georgetown University ID number on a badge makes it substantially more probable that he will be the victim of identity theft,” the judge said.

A version of this news article first appeared in The School Law Blog.