The perfect storm is on the horizon. Is there still time for American parents to protect their children from it?
I watched it start years ago with school districts amassing tons of sensitive and personal information on children and their parents. Rather than prohibiting data collection or the use of Social Security numbers, however, the government took the approach that the data could not be shared except under a few conditions. When it was first passed, FERPA was welcomed as offering some privacy protection for education records, even if it didn’t give parents or students a private cause of action in the event of violations. But over the years, FERPA’s protections are being somewhat eroded, partly because covered entities realized there was money to be made in providing the information to banks and others, partly because attacks on college campuses made people aware that they didn’t know when they could share information in an emergency, and partly because the states decided, “Hey, let’s really track kids so we can see what happens later on.”
The increased data collection and sharing was not accompanied by any meaningful new mandates on data security or audits, however. Indeed, when I contacted the New York State Education Department and asked them how many data breaches had been reported to them by schools, they only knew of one incident, explaining that schools were not required to report breaches to them. And when I contacted the state comptroller’s office to ask how often their audits of school districts included checks on data security for sensitive student information, their answer was “none.” Because there can be no assurance of privacy if data security is inadequate or non-existent, the state of privacy of student education records remains at significant risk.
The risk to privacy is not just from the absence of adequate data security or expanded permissible sharing, although that’s bad enough. The recent and ongoing situation in Oklahoma, which I blogged about (here and here) could turn out to be a major tipping point for student privacy advocates, as the state insists that it has to and can lawfully ask parents to waive all of their rights and their children’s rights under FERPA to seek educational benefit. And not only does the state maintain that they can do this, but they maintained that state open records law in Oklahoma required them to post the students’ identifiable information on the Internet.
Needless to say, I disagree with them strongly. First, FERPA only has a few exceptions, and the Oklahoma situation does not seem to fall under any of them. Second, the FERPA exceptions require the entity to effectively and clearly explain the parents’ and students’ rights, and the state never clearly stated that any records submitted would be uploaded to the Internet for public perusal by non-involved parties. Look at their original waiver and see if you would understand that to mean that you were agreeing to have your child’s unredacted and sensitive information disseminated to reporters and the public at a meeting and then uploaded to the web:
“To the extent necessary” is a key phrase. It is not necessary to upload documents to the Internet for the state board to make a decision on the student’s appeal, and I doubt parents understood that they were giving consent for that to happen. Nor did the state ever explain whether a student could file an appeal without waiving some or all of their rights under FERPA. Why couldn’t parents waive rights for specific records needed by state officials to consider the appeal without waiving right to have the records protected from all others? Why didn’t the state contact the U.S. Department of Education to check on its understanding of FERPA’s requirements?
Following a predictable uproar, Oklahoma inadequately redacted some of the uploaded records, but plans to continue requiring a full waiver of all rights under FERPA and it plans to continue to upload student information to the web. Their new form reiterates the FERPA waiver above but Sheila Kaplan (@EducationNY) picked up on the fact that they now add:
Again, why should parents and students have to waive privacy rights to secure educational benefit that can be provided while protecting their privacy? It’s not even like the media sued the state to obtain identifiable information – the state just voluntarily disclosed it.
In addition to actions that I think violate the letter and spirit of FERPA, the state has also seemingly violated a second federal law that protects the rights of students with disabilities. The Individuals with Disabilities Education Act (IDEA) generally refers to FERPA and the Privacy Act of 1974 in terms of privacy protections, but adds several subsections on state reporting that make it crystal clear that no data may be disclosed that could be linked to an identifiable student (cf, § 300.642 and § 300.602). Thus, although states are required to provide certain reports publicly, they must not disclose individual information. As § 300.602 explains:
(3) Privacy. The State must not report to the public or the Secretary any information on performance that would result in the disclosure of personally identifiable information about individual children, or where the available data are insufficient to yield statistically reliable information
Nowhere do FERPA or IDEA indicate that a state’s open records law could make it permissible to share personally identifiable student education records. The intent of Congress was clear.
In previous blog posts, I urged the U.S. Department of Education to get involved in this case before more students have their privacy violated and have records publicly disseminated that could haunt them or harm them now and in the future. I also urge the ACLU, EPIC, and all organizations concerned with the rights of students to step up and offer to represent the parents and students against the state in an urgent federal court action seeking an injunction against further disclosures and removal of all records currently disclosed. The U.S. Department of Education has pretty much one remedy for willful FERPA v iolations – to cut off all federal education funds to entities who have a policy or practice of violating FERPA. They have never, to my knowledge, exercised that option, but if there was any situation that called for it, this is it.
Of course, one major problem by itself does not make a perfect storm. So what else is brewing, you ask? Well, one storm front, previously mentioned on this blog, also relates to the education sector, where we see schools increasingly chipping or tagging students. While numerous “benefits” have been suggested, there has been inadequate consideration of the psychological impact of students feeling that their every move and location is being tracked by school personnel. Combine the chipping with schools deciding they can read your child’s social media entries and punish them for out-of-school conduct, the expanded use of searches of cell phones or cars, cameras that record how many calories the student is having at lunch, intrusive surveys on intimate issues, and drug testing just to sing in chorus, and I think you have a recipe for children being raised with NO expectation of privacy.
And if you’re not already scared enough about whether your child will have any reasonable expectation of privacy by the time they’re ready to leave school, think about how much faster their privacy will erode if Facebook allows the under-13’s to sign up legitimately.
Yes, I see a perfect storm on the horizon. My kids are safe as they’re already out of school, but are your kids? What are you doing as a parent to push back against a culture of privacy intrusions?
Carousel image from “The Perfect Storm.”