Want to throw away old student records? Make sure you don’t just put them in trash cans—shred them first. If you don’t, your institution might get accused of violating the Family Educational Rights and Privacy Act, or FERPA, which protects student education records in both K-12 and higher education.
LeRoy Rooker is a senior fellow at the American Association of Collegiate Registrars and Admissions Officers. He’s a FERPA expert, having been the director of the Department of Education’s Family Policy Compliance Office for 21 years. That “clear violation of FERPA” is one of many he’s seen throughout the years, and he says it’s not just trash that schools and educators have to worry about.
Here are other unintentional ways they might be breaking the law, and what they need to be aware of in order to avoid consequences, which can include the Department of Education investigating the school (and the school then deciding to fire the offending educator).
Be Careful with Vendors
Rooker warns that under FERPA, schools are responsible for what their vendors do with data. That means that if a vendor intentionally or accidentally misuses students’ education records, the school would still be at fault.
Carefully screening vendors to make sure they are FERPA compliant can help, says Rooker. Among the questions they should ask are how the vendor gives parents and students access to records, and how it prevents unauthorized people from accessing those records.
Schools should also be careful with online vendors such as apps and websites that offer free services, Rooker adds. Those services might appear free on the surface, but the vendors could be “getting paid in education records,” or mining the data to sell to third-parties, another violation.
Steven McDonald, a FERPA expert and general counsel at the Rhode Island School of Design, thinks similarly. “Free” vendors, he explains, might not cost money, but their business model typically entails data mining, which is not allowed under FERPA. To stay compliant, schools should understand exactly what vendors are doing with their data.
“It should be clear that [the data] belongs to the school, not to the vendor, and that the vendor’s responsibility is to process it for the benefit of the school and its students, and not for the vendor’s own benefit,” McDonald says.
Know When to Release and Withhold Records
Parents own the FERPA rights of their child until the child turns 18 or enters a postsecondary institution, McDonald says. However, there are exceptions. One is that, generally, higher education institutions can choose to release a students’ education records to both parents, provided that at least one parent claims the student as a dependent for tax purposes.
If a school denies access to student records to a parent of a student under the age of 18, that’s a FERPA violation, Rooker points out. It’s also a violation to deny the student access to his own records (provided the student is at least 18 or is enrolled in a postsecondary institution).
However, McDonald notes that schools must remember the law’s nuance. If they don’t, they risk illegally denying someone their right to that information, or wrongfully giving a parent access.
“We are increasingly in the era of active parents,” McDonald says. “At the college level, we don’t have the right to talk to mom and dad just because they’re mom and dad.”
Be Cautious About What You Tell To Whom
If a teacher witnesses an incident such as a fight on a school’s grounds, he can talk to, say, other parents or the press about what he saw. But if the principal reads a report about that same incident, she can’t talk about it publicly. Rooker explains that this is because what the principal read was an education record, which FERPA protects. The teacher who saw the incident in-person can speak about it because FERPA is not a confidentiality law. It only protects what’s in a student’s education record.
Educators should be also be diligent on social media. An inappropriate disclosure to just one person and an inappropriate disclosure to thousands of people on social media are both FERPA violations, Rooker notes. “It’s just that it’s easier to disclose to a thousand people in the social media age.”
Under the law, a school may disclose “directory information,” a blanket term for basic identifying data such as a student’s name and address, to a third party if it has taken certain steps, including giving parents and eligible students the right to opt out. However, other student information is more privileged. Online or off, even if a school does legally disclose that directory information, Rooker says it can’t combine or link it with non-directory information, like a specific class a student is taking.
McDonald says that FERPA allows educators to share information about a student internally—within the institution or school district—with “basically any employee or agent who has a job” that gives them a need to have access to certain information about a student. That means a teacher can share students’ grades with the registrar, or contact the counseling office with concerns about a student’s mental health, without consent. Although not illegal, McDonald says it’s probably best not to share such sensitive information over email, which is “not the most secure method of communication.”
But that’s not to say that FERPA violations can’t happen over email.
“I’ve seen over the years, at least several stories from places around the country with either the inadvertent email attachment or [reply all], where information is going far beyond need-to-know,” McDonald says.