PogoWasRight.org

Menu
  • About
  • Privacy
Menu

FERPA Directory Information as Anchor Data

Posted on January 14, 2016June 26, 2025 by Dissent

Bill Fitzgerald (@FunnyMonkey) writes:

…. As described in this FERPA directory information model form, “Directory information, which is information that is generally not considered harmful or an invasion of privacy if released, can also be disclosed to outside organizations without a parent’s prior written consent.”

The list of information included as part of directory information – or “information that is generally not considered harmful or an invasion of privacy if released” – is pretty complete:

  • Student’s name
  • Address
  • Telephone listing
  • Electronic mail address
  • Photograph
  • Date and place of birth
  • Major field of study
  • Dates of attendance
  • Grade level
  • Participation in officially recognized activities and sports
  • Weight and height of members of athletic teams
  • Degrees, honors, and awards received
  • The most recent educational agency or institution attended
  • Student ID number, user ID, or other unique personal identifier used to communicate in electronic systems
  • A student ID number or other unique personal identifier that is displayed on a student ID badge

If this information was compromised as part of a data breach, it would be considered substantial – yet, this information about children can be shared without parental consent, for their entire K12 experience.

Read more on his blog.

Note that if these data are breached, if student ID is not SSN, then many states would not even require breach notification under their statutes. And we know that the U.S. Education Dept. has never withheld federal funds from any k-12 institution over a breach.

Consequences for breaches at the post-secondary level can be more costly for universities and colleges who may find themselves sued (generally unsuccessfully), but again, federal enforcement is lacking: USED does nothing and FTC has no authority other than enforcing the Safeguards Rule if financial information is involved – an authority it seemingly declined to use in the case of the massive MCCCD breach that I reported on DataBreaches.net.

If student privacy is to be truly protected, it’s time to revise FERPA to make sharing of “directory” information opt-in, not opt-out. And it’s time to recognize that Google is not a school official – it’s a vendor that is not in business to be charitable. There is no such thing as a free lunch when it comes to student data and tech.

Related posts:

  • NYS legislature considers two student data privacy bills
Category: LawsYouth & Schools

Post navigation

← French government rejects crypto backdoors as “the wrong solution”
Ontario court rules police orders breached cellphone users’ Charter rights →

Now more than ever

Search

Contact Me

Email: info@pogowasright.org

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

Categories

Recent Posts

  • Congress tries to outlaw AI that jacks up prices based on what it knows about you
  • Microsoft’s controversial Recall feature is now blocked by Brave and AdGuard
  • Trump Administration Issues AI Action Plan and Series of AI Executive Orders
  • Indonesia asked to reassess data privacy terms in new U.S. trade deal
  • Meta Denies Tracking Menstrual Data in Flo Health Privacy Trial
  • Wikipedia seeks to shield contributors from UK law targeting online anonymity
  • British government reportedlu set to back down on secret iCloud backdoor after US pressure

RSS Recent Posts on DataBreaches.net

  • Scattered Spider Hijacks VMware ESXi to Deploy Ransomware on Critical U.S. Infrastructure
  • Hacker group “Silent Crow” claims responsibility for cyberattack on Russia’s Aeroflot
  • AIIMS ORBO Portal Vulnerability Exposing Sensitive Organ Donor Data Discovered by Researcher
  • Two Data Breaches in Three Years: McKenzie Health
  • Scattered Spider is running a VMware ESXi hacking spree
©2025 PogoWasRight.org. All rights reserved.
Menu
  • About
  • Privacy