Steven J. McDonald is General Counsel at Rhode Island School of Design and previously served as Associate Legal Counsel at The Ohio State University. On Data Privacy Day, he wrote a post on EDUCAUSE on FERPA that unintentionally demonstrates how imprecise standards are for data security and protection of student records. For example, he writes:
electronic records do raise unique security concerns, and FERPA does require us to address them. Even then, however, the standard is the same as for paper records: we must use “reasonable methods” to protect all student records. Just as it is appropriate to lock the file cabinet in which we maintain paper student records, it is appropriate to take steps to prevent unauthorized access to and disclosure of our electronic student records. How we do that, however, is largely up to us. In the words of the Family Policy Compliance Office:
[T]he standard of “reasonable methods” is sufficiently flexible to permit each educational agency or institution to select the proper balance of physical, technological, and administrative controls to effectively prevent unauthorized access to education records, based on their resources and needs.
and:
an educational agency or institution may use any method, combination of methods, or technologies it determines to be reasonable, taking into consideration the size, complexity, and resources available to the institution; the context of the information; the type of information to be protected (such as social security numbers or directory information); and methods used by other institutions in similar circumstances. The greater the harm that would result from unauthorized access or disclosure and the greater the likelihood that unauthorized access or disclosure will be attempted, the more protections an agency or institution should consider using to ensure that its methods are reasonable.
Should consider using? But they don’t have to, because there’s no law requiring them to if they don’t see a real risk of compromise or they just don’t have the resources.
And therein lies a big part of the rub. If a district is totally negligent in its security and your child’s education records are breached and their PII stolen or acquired, FERPA provides no cause of action for you to sue your child’s district.
But I totally disagree with his statement:
Dealing with electronic student records is thus really not terribly difficult, nor terribly different from dealing with other electronic records. The key is simply to think about these issues, rather than to just assume that the system will take care of them. If you have a good general data security program in place already, you’re probably in good shape when it comes to student records.
How many k-12 districts have good general data security programs in place? If you think they do, trot on over to the sister site, DataBreaches.net, and start looking at some of the audits I’ve posted over the years.
Does your district have a good security program? If you want to find out, send them the letter I published earlier today.