Douglas Gerhardt, Tracie Lopardi, and Alan Winchester of Harris Beach PLLC write:
School districts must consider the sanctity and privacy of data they maintain, as a recent decision underscores from the New York State Education Department’s Office of the Chief Privacy Officer. This alert explains the recent decision, a prior guidance opinion and considerations for school districts going forward.
In Re North Shore: FERPA, Education Law 2-d and Directories
In Re North Shore was issued December 1, 2021. It examined the interplay between education records protected under Education Law 2-d and directory information under FERPA.
[…]
Months prior to In Re North Shore, on August 5, 2020, NYSED’s Chief Privacy Officer (CPO) issued a guidance opinion on the interplay between FERPA and Education Law 2-d in the context of a FOIL request. There, the request sought primarily Directory Information, but the CPO opined a response would not benefit either the student or the District. The CPO found providing the full name, mailing address, date of birth and optional phone number of recent graduates to an alliance seeking to educate these students about their right to vote did not meet the additional test of “benefit to the student or education agency” to warrant the disclosure even though this information had previously been identified as Directory Information under FERPA.
FERPA defines personal information and directory information, and both definitions are reviewed in this article. Of note, however, NYSED adds a fourth criterion to consider in determining whether disclosure of directory information is warranted: the disclosure must benefit students and the education agency (district) (See Education Law § 2-d(5)(b)(1).)
Somewhat disappointingly to this blogger, the article appears somewhat slanted to helping districts avoid liability by making more data types “directory information” and just notifying everyone of that in advance. They write:
Practically, the more types of information identified as Directory Information in the notice and the broader its allowed purposes for disclosure are defined, the less risk a District will face following any disclosure.
What a pity the approach wasn’t to reduce the types of data and acceptable purposes for directory information so that there is more protection for student and parent information.
Read more at JDSupra.