New Rules on School Privacy Law Proposed
FERPA regulations seek to clarify that data on dangers may be shared.
The Department of Education this week proposed the most comprehensive update of its regulations for the main federal school privacy law in two decades.
The more than 30 pages of proposed rules for the Family Educational Rights and Privacy Act, or FERPA, include protections for educators who seek to share information to protect a student’s health or safety, new guidelines for school districts on sharing student data with educational researchers, and a proposed requirement that schools safeguard electronic and other records, including from some school staff members.
Several of the proposed changes, published March 24 in the Federal Register, stem from problems with FERPA identified by federal and state investigations into the massacre at Virginia Polytechnic Institute and State University in April 2007, in which a student at the university, Seung Hui Cho, killed 33 people, including himself.
President Bush tapped Secretary of Education Margaret Spellings, Secretary of Health and Human Services Michael O. Leavitt, and then-Attorney General Alberto R. Gonzales to meet with educators, law-enforcement officials, and others around the country to discuss the issues raised in the wake of the shootings. Last June, the federal officials released a “Report to the President on Issues Raised by the Virginia Tech Tragedy,” which noted that fear of violating privacy laws appears to present a barrier to sharing information, even in potential emergencies.
Another report on the Virginia Tech shootings, compiled by a panel established by Virginia Gov. Tim Kaine, cited similar concerns last fall. FERPA should include stronger liability protections for school officials who disclose student information in an emergency, the panel’s report recommended. ("Role of Privacy Laws Scrutinized in Report on Va. Tech Tragedy ," Sept. 12, 2007.)
The Education Department’s proposed regulations would implement the Virginia panel’s call for a “safe harbor” provision to protect school officials who disclosed private information about a student, as long as they believed the information was necessary to ensure the health and safety of the student or other people.
“If, based on the information available at time of the determination, there is a rational basis for the determination, the department will not substitute its judgment for that of the educational agency,” the proposed regulations say.
Thomas Hutton, a senior staff lawyer with the National School Boards Association, in Alexandria, Va., said that wording would help school officials feel more secure in potential emergency situations.
“That’s a very, very safe harbor,” he said. “That doesn’t mean it’s carte blanche. … But that’s going to provide a lot of reassurance in those borderline situations.”
The proposed regulations would also clarify that it was permissible to disclose information to a student’s parents without the student’s consent in a health or safety emergency.
The Department of Education is proposing new regulations for the Family Educational Rights and Privacy Act. Among the changes:
• The regulations would provide new protections for educators who disclose information to protect the health and safety of a student or the general public.
• The rules would interpret the law to cover the education records of students who take classes through distance learning or over the Internet.
• School districts would have to ensure that individual students’ records were available only to employees with a legitimate educational interest in them.
• Districts would have to enter into written agreements with researchers to whom education records were to be disclosed without parental consent. The agreements would have to specify the purposes of the studies.
In Mr. Cho’s case, several professors in the English department at Virginia Tech had been aware that the student had written violent stories and had taken pictures of other students during class without their permission. Even under existing rules, they could have shared that information with Mr. Cho’s parents without violating FERPA.
Joining Internet Age
The proposed rules would also help with the 34-year-old school privacy law’s application to recent developments in technology and other areas.
In the case of minor students, the law guarantees parents access to their children’s educational records and requires their consent to disclose such information as course grades, test scores, attendance data, and disciplinary records.
The law allows schools to disclose student “directory information,” which includes names, addresses, telephone numbers, birthdates, participation in activities, dates of attendance, and the height and weight of members of athletic teams. Parents may block the release of such information about their minor children.
The proposed rules would make it clear for the first time that FERPA covers the educational records of students who attend classes through videoconferencing, via satellite broadcast, or over the Internet.
And the proposed regulations would clarify that schools may share student data with outside contractors who perform work that school employees would otherwise do, such as electronic recordkeeping and testing. That would be an important change, because school districts are increasingly outsourcing such work.
The regulations would prohibit schools and colleges from disclosing students’ Social Security numbers without their permission, because of the ease with which such information can be used for identity theft.
Under the proposal, disclosable directory information could include unique student-identification numbers, however, as long as such identifiers wouldn’t enable someone to access a student’s personal information without a password or other protection. Such identification numbers can be used to help students register for classes, view their academic records, and gain access to online library resources and other student services.
The regulations would also allow an educational agency or college to share a student’s records with the agency that originally created them without getting consent from the student or a parent. That regulation was proposed partly in response to concerns from educators that FERPA makes it too difficult to verify whether a record is authentic.
Under the proposed change, if officials at a school or college thought a transcript or letter of recommendation had been falsified, they could send the document back to the official who supposedly issued it for verification.
Implications for Research
Meanwhile, the proposed regulations would place new obligations on districts to make sure their own employees were accessing only student information that was pertinent to their jobs.
The rules would specify that school employees could only access education records in which they had “a legitimate educational interest.” The proposed regulations do not define what constitutes such an interest.
The proposal stems from an increase in the use of computerized or electronic records, which may give educators access to the records of all students in their school or district, not just those they work with directly.
That regulation would affect “every single school in the country,” Mr. Hutton said. “It’s not earthshattering change,” he added, but it would make clear that “there are limits, and you shouldn’t just be willy-nilly sending information around to everybody.”
The proposed regulations also seek to formalize how researchers may use student records. Schools may already disclose student information to researchers without parental consent to facilitate testing, student financial aid, and the improvement of instruction.
Under the proposal, a school district would have to enter into a written agreement with the researchers, specifying that the records could be used only for the purposes of the study. The district would not have to endorse, or agree with, the study’s conclusions, but it would have to agree with the purposes of the study.
Comments on the proposed regulations must be submitted to the Education Department by May 8.
Vol. 27, Issue 31, Page 22Published in Print: April 2, 2008, as New Rules on School Privacy Law Proposed