It makes sense that you can’t legally publish your students’ grades along with their names and addresses without their consent. But when Georgia Tech abruptly closed all their student-created wikis in 2011, were they protecting student privacy—or being overly cautious with the Family Educational Rights and Privacy Act?

FERPA was signed into law in 1974 with two purposes: first, that college students could receive copies of their educational records and correct them if need be, and second, to block the release of personally identifiable student information from those records without consent. The penalty for violation is not jail, but it is almost as bad: withdrawal of federal funding.

But a law signed over 40 years ago could not look ahead to the 21st century. There are areas that the lawmakers could not predict. Quite apart from wikis, which seem quaint in 2017, we now have to deal with big data and the social media firehose. When enormous amounts of personal information are being invisibly transmitted across your campus every day, where does that leave privacy?

A white paper from the Student Press Law Center says that colleges commonly cite FERPA as a reason to avoid sharing non-educational information, such as the names of people who receive free football tickets—or even minutes of public committee meetings. The outgoing director of the SPLC, Frank D. Lo Monte, has gone so far as to call the law a “default excuse to conceal wrongdoing,” particularly in high-profile cases involving tutors or athletes.

In fact, no school has ever been successfully prosecuted for a FERPA violation in the history of the Act. This contrasts with a law FERPA is often compared with, the Health Insurance Portability and Accountability Act: HIPAA prosecutions are rare, but they result in fines and even jail time.

Each university will obviously need to take its own qualified legal advice. But according to the SPLC’s white paper, the legal test for whether a record is covered by FERPA is not that it merely mentions a student, but that it is an educational record specifically related to each student member. Information derived from sources other than confidential records is also exempt.

So parking tickets, Instagram posts, and Rate My Professor rants are all safe to share under FERPA. But when you choose an educational technology solution that specifically handles FERPA-protected records, always check with your vendor that their compliance is correct.

Because a FERPA prosecution is a first that no school wants.

Student privacy and FERPA compliance is just one thing to remember when choosing a student engagement system. Download our free guide for a full checklist.


Quin Parker

Quin Parker is a Toronto-based digital editor and writer, and is Content Marketing Manager at Top Hat.