The federal Family Educational Rights and Privacy Act (“FERPA”) is the primary source of privacy requirements applicable to post-secondary institutions that receive federal funding (“institutions”).1 FERPA applies to “education records” held or controlled by educational institutions, which include records, files, documents and other materials about students.2
Rights of Inspection and Amendment
Under FERPA, parents and eligible students have the right to inspect information in the student’s education record and the right to request the correction of inaccurate or misleading information.3 The right to correct student records is limited to amending inaccurate information, not to challenge substantive decisions made by school officials, such as grades or other evaluations.4 FERPA provides these rights to parents until students are 18 years of age or are attending a post-secondary institution, and after that the students themselves retain these rights.5 Institutions have flexibility in how they honor these rights; for example, they may offer self-help online tools or simply provide written forms.
Limits on Disclosure
As a general rule, FERPA prohibits institutions from disclosing personal information in education records without the written consent of the parent or adult student.6 However, there are several exceptions, such as that institutions may disclose an adult student’s education records to a parent, without the adult student’s consent, if the parent claims him or her as a dependent for federal income tax purposes.7
The “Directory Information” Exception
In addition, institutions may publish “directory information” without consent (although they must provide certain opt-out rights).8 “Directory information” is information contained in education records that “would not generally be considered harmful or an invasion of privacy if disclosed.”9 Institutions designate what they specifically consider to be “directory information,” but the information typically includes a student’s name, address, telephone listing, date and place of birth, participation in school activities and sports, and dates of attendance. Directory information would not include information like a student’s grades or social security number.
The “School Official” Exception
Under the “school official” exception, institutions may disclose education records to a service provider without consent from the parent or eligible student if the service provider:
- performs a service or function for which the institution would otherwise use employees;
- is under the “direct control” of the institution with respect to the use and maintenance of education records; and
- is contractually prohibited from using the education record other than as specified in the agreement and from re-disclosing any education record to another party without the consent of the parent or eligible student.10
In practice, qualifying for this exception requires specific types of provisions in the service provider contract.
The Studies Exception
FERPA also permits institutions to disclose personal information to organizations conducting studies on behalf of the institutions.11 To qualify, the purpose of the disclosure must be to develop, validate, or administer tests, administer student aid programs, or improve instruction. Importantly, when sharing data under the studies exception, the institution must have a contract with the data recipient that:
- specifies the purpose, scope, and duration of the study and the information to be disclosed;
- requires the recipient to use personal information from education records only for the study;
- requires the recipient to conduct the study in a manner that limits the possibility of student identification; and
- requires the recipient to destroy all personal information within a certain time period after permitted use is complete.
Most state education privacy laws apply to K-12 institutions, and not to post-secondary institutions. Significantly, though, the state laws that do impose requirements on post-secondary schools typically include specific requirements that would not apply to K-12 institutions. Examples include the following:
- Louisiana requires that post-secondary institutions that have received student information from secondary schools for the purposes of processing applications for admission and financial aid must delete that information five years after the student graduates.12
- Minnesota requires registered schools, including post-secondary institutions, to maintain a permanent record for each student for 50 years from the last date of the student’s attendance. The record must include academic transcripts and other information about courses completed, degrees, awarded, period of attendance, etc.13
- Delaware prohibits post-secondary institutions from requesting or requiring access to students’ social media accounts or obtaining access through software or indirectly through a student social media contact.14
- Iowa provides that student records maintained by a “school corporation or educational institution,” including those that do not receive federal funding, must be kept confidential unless ordered by a court, lawful custodian, or other duly authorized person.15
In addition, several states have implemented privacy laws that apply to agencies or other divisions of state government, including public universities and colleges. The laws include privacy rights and requirements such as the following:16
- student rights to access records;
- student rights to correction of inaccurate information and/or deletion of irrelevant information;
- limits on collection of personal information, only as related to education or other services provided to the student;
- privacy notice requirements (personal data collection, storage, and use);
- limits on sharing of personal information without consent, unless an exception applies.
Recommended Privacy Practices for Higher Ed
In addition to abiding by specifically applicable state and federal laws, higher education institutions may consider some or all of the best practices set forth below. For the most part, these practices are the subject of K-12 privacy laws and generally applicable privacy norms.
Marketing with student data is a controversial issue, and institutions should carefully consider the extent they allow service providers to tailor advertising or marketing to students based on information from their education records or from the student’s interactions with an app or website provided as a learning resource. Targeted advertising is one area state legislatures have addressed through state privacy laws applicable to K-12 students. State privacy laws may prohibit targeted advertising based on the collection and retention of student online activity over time, such as through the use of unique or persistent identifiers.17 Some states specifically prohibit contextual advertising, which is advertising based on factors such as the student’s recent browsing history, language, location, or other personal attributes.18
In the wake of major data breaches, such as those suffered by Equifax and Schoolzilla, data security has become increasingly important for institutions and service providers that store or process student data. FERPA does not explicitly impose data security requirements, although appropriate security is nonetheless an essential element of privacy. Several recent state education privacy laws, such as those in Colorado and Connecticut, expressly require K-12 institutions to implement reasonable data security measures.19
Limited Data Collection and Data Deletion
Where feasible, institutions should limit the type and amount of personal information they collect from students and the type and amount of personal information they retain to only that which is necessary for the purpose for which the information is being collected. Data retention policies should be adjusted accordingly and, where possible, service provider contracts should include provisions addressing deletion of personal data when no longer needed. As the saying goes, you can’t get in trouble for losing or misusing data that you don’t have. Data deletion is a common feature of state education laws applicable to K-12 institutions.20
Transparency and Notice
Institutions may consider publishing a privacy notice, even when it is not required by law. Privacy notices set expectations – both internally and externally – as to how personal information is collected, used, disclosed, and secured. Some K-12 state laws require notice of a list of the service providers with which the institutions share student information, as well as the reasons for data sharing and the restrictions on the use and retention of student information by service providers.21 Having this type of information available is a best practice for any number of reasons (including implementation of controls and data retention policies).
Privacy professionals often cite employee error as the most frequent cause of privacy and data security problems. Like other types of institutions, post-secondary institutions should emphasize training and awareness for all personnel on the proper handling of student personal information and education records, especially with respect to privacy and data security concerns. In addition, because institutions remain responsible for the personal information they entrust to service providers (another major source of privacy and data security incidents), institutions should also consider updating procedures and training on managing service provider engagements, including appropriate pre-contract diligence, protective contract language, and ongoing oversight or validation measures.22
Technology continues to present unprecedented opportunities to better engage students in the learning process. As post-secondary and other educational institutions seize these opportunities, they must remain mindful of the risks to student privacy and data security. FERPA provides a baseline level of privacy for students; however, many state laws (even if not applicable to post-secondary institutions) address topics of growing concern to parents and students, including targeted advertising and data security. Post-secondary institutions should remain mindful of these emerging issues, too, and should be able to respond to questions regarding them, even if laws concerning those issues are not (yet) directly applicable.
For additional information, please view our recent webinar on this topic.
- 20 U.S.C. § 1232g; 34 CFR Part 99
- 34 CFR § 99.3. In many cases, compliance with FERPA will satisfy privacy requirements under other statutes, such as the Health Insurance Portability and Accountability Act for protected health information (such as information collected through student health clinics) and the Gramm-Leach-Bliley Act for financial information (such as information collected for student loans).
- 20 U.S.C. § 1232g(a)(1)(A).
- DEPARTMENT OF EDUCATION, FAMILY POLICY COMPLIANCE OFFICE, Letter to Parent re: Amendment of Special Education Records (August 13, 2004), ed.gov.
- 20 U.S.C. § 1232g(a)(4)(B)(iv).
- 20 U.S.C. § 1232g(b)(1).
- 20 U.S.C. § 1232g(b)(1)(H).
- 20 U.S.C. § 1232g(b)(1).
- 20 U.S.C. § 1232g(a)(5).
- 34 CFR § 99.31(1)(i)(B).
- 34 CFR § 99.31(6).
- La. Revised Statute § 17-3914 (K)(4).
- Minn. Stat. § 136A.68.
- 14 Del. Code. Ann. § 8103.
- Iowa Code § 22.7.
- See, e.g., N.Y. Public Officers Law §§ 91-99; Arizona Revised Statutes § 41-4152; California Civil Code §§ 1798-1798.78.
- See, e.g., MD Educ Code § 4-131(a)(6).
- See. e.g., Me. Rev. Stat. Ann. Tit. 20-A, § 952(8).
- Fundamentals of information security include reasonable and appropriate administrative, technical, and physical security measures that are tailored to the risks presented and that are reviewed and updated on an ongoing basis. Post-secondary institutions concerned about data security may also consider adopting a framework, such as the NIST Cyber Security Framework.
- See, e.g., C.R.S. 22-16-110; Conn. Gen. Stat.10-234cc.
- See, e.g., id.
- For more information, see Reed Smith’s Client Alert, “Mitigating Third Party Data Breach Risks.”
Client Alert 2017-241