Bill Fitzgerald (@FunnyMonkey) writes:
…. As described in this FERPA directory information model form, “Directory information, which is information that is generally not considered harmful or an invasion of privacy if released, can also be disclosed to outside organizations without a parent’s prior written consent.”
The list of information included as part of directory information – or “information that is generally not considered harmful or an invasion of privacy if released” – is pretty complete:
- Student’s name
- Address
- Telephone listing
- Electronic mail address
- Photograph
- Date and place of birth
- Major field of study
- Dates of attendance
- Grade level
- Participation in officially recognized activities and sports
- Weight and height of members of athletic teams
- Degrees, honors, and awards received
- The most recent educational agency or institution attended
- Student ID number, user ID, or other unique personal identifier used to communicate in electronic systems
- A student ID number or other unique personal identifier that is displayed on a student ID badge
If this information was compromised as part of a data breach, it would be considered substantial – yet, this information about children can be shared without parental consent, for their entire K12 experience.
Read more on his blog.
Note that if these data are breached and the student ID is not an SSN, many states would not even require breach notification under their statutes. And we know that the U.S. Education Dept. has never withheld federal funds from any K-12 institution over a breach.
Consequences for breaches at the post-secondary level can be more costly for universities and colleges who may find themselves sued (generally unsuccessfully), but again, federal enforcement is lacking: USED does nothing and FTC has no authority other than enforcing the Safeguards Rule if financial information is involved – an authority it seemingly declined to use in the case of the massive MCCCD breach that I reported on DataBreaches.net.
If student privacy is to be truly protected, it’s time to revise FERPA to make sharing of “directory” information opt-in, not opt-out. And it’s time to recognize that Google is not a school official – it’s a vendor that is not in business to be charitable. There is no such thing as a free lunch when it comes to student data and tech.