What is FERPA?
FERPA, or the Family Educational Rights and Privacy Act, was signed into U.S. law in 1974 with two purposes: first, that college students could receive copies of their educational records and were authorized to correct them if need be, and second, to block the release of personally identifiable information from those student records without consent. The penalty for violating FERPA is not jail, but is almost as bad for institutions: withdrawal of federal funding.
This extremely harsh financial and administrative penalty has had some unusual results, mainly that many higher education institutions err on the side of extreme caution to comply with the law. FERPA mandates that you can’t legally publish your students’ grades or attendance along with their identification (names and addresses) without their consent. But when, for example, Georgia Tech1 abruptly closed all their student-maintained wikis in 2011, were they protecting student privacy by preventing student records from disclosure—or being overly cautious?
Subscribe to Top Hat’s weekly blog recap
Get the best posts of the week delivered to your inbox:
The fact is, regulation signed over 40 years ago could not look ahead to the 21st century. There are areas that the lawmakers could not predict. Quite apart from wikis, which seem quaint now in 2017, we now have to deal with big data and the social media firehose. When enormous amounts of personal information are being invisibly transmitted across your campus every day, where does that leave privacy rights?
A white paper from the Student Press Law Center2 (SPLC) says that colleges commonly cite FERPA as a reason to avoid sharing non-educational information, such as the names of people who receive free football tickets—or even minutes of public committee meetings. The outgoing director of the SPLC, Frank D. Lo Monte, has gone so far as to call the law a “default excuse to conceal wrongdoing,”3 particularly in high-profile cases involving tutors or athletes.
How a FERPA complaint is handled
According to guidelines posted by the U.S. Department of Education, in higher education only a student—not a parent—may apply to file a FERPA complaint. (Parents can file complaints if the student is under 18, which doesn’t apply here.)
The complaint must be written, fact-based, and disclose the specific conduct on behalf of the institution that shows that a FERPA violation occurred. The law only applies within 180 days of the alleged violation (or when the student would have reasonably known, or received a notification that it happened.)
To be in accordance with FERPA, institutions must annually notify students of their rights. Records that are not educational, such as those created by law enforcement agencies, are not covered under privacy laws.
It’s worth remembering that, with regards to FERPA’s enforcement, no institution has ever been successfully prosecuted for a violation in the history of the Act. This might suggest that self-enforcement and the strong financial penalty has worked so far, although with the consequence that institutions have tended to over-police themselves. This is in contrast to a law FERPA is often compared with, the Health Insurance Portability and Accountability Act. While HIPAA prosecutions are rare, they have happened and they result in fines and even jail time.
What FERPA means for recordkeeping and edtech
Each university will obviously need to take their own qualified legal advice. But according to the SPLC’s white paper, the legal test for whether a record is covered by FERPA is not that it merely mentions a student, but that it is an educational record specifically related to each student member. Information derived from sources other than confidential records is also exempt.
So parking tickets, Instagram posts, and Rate My Professor rants are all safe to share under FERPA. But when you choose an educational technology solution that specifically handles FERPA-protected records, always check with your vendor that their compliance is correct and that student confidentiality is watertight.
Because a FERPA prosecution is a first that no school wants.
Student privacy and FERPA compliance is just one thing to remember when choosing a student engagement system.
Download our free guide, How to Choose a Student Engagement System, for a full checklist. Fill out the simple form below.
1. Feldstein, M. (2016, February 2). Muy Loco Parentis: How ‘Freakouts’ Over Student Privacy Hamper Innovation. The Chronicle of Higher Education. Retrieved from https://www.chronicle.com/article/Muy-Loco-Parentis-How/235132
3. LoMonte, F. D. (2012, September 13). Why FERPA Is Unconstitutional. Inside Higher Education.. Retrieved from https://www.insidehighered.com/views/2012/09/13/federal-privacy-law-should-be-deemed-unconstitutional-essay