By Samantha Cleaver
Last summer, when 50.8 million children enrolled in public school in the United States, and 14.7 million more students arrived at postsecondary schools, their data went with them.
Student data, from addresses to photographs, is protected under the U.S. Family Educational Rights Privacy Act (FERPA).
In compliance, students, or their parents, must consent before a school discloses any identifiable information.
But what students and parents may not know is that, unless they opt out, FERPA also allows for some of that data to be released.
In 1974, when FERPA was written, a directory information exemption was put in place. Under this exemption, schools can designate information that can be made public without explicit parental consent.
“If someone wants the information, and they’re not comfortable giving it, they don’t have to.”— LeRoy Rooker, American Association of Collegiate Registrars and Admissions Officers.
Any information that is included in directory information should not be considered harmful or an invasion of privacy, said LeRoy Rooker, FERPA expert and senior fellow with the American Association of Collegiate Registrars and Admissions Officers.
That information, a spokesperson with the Department of Education told Digital Privacy News, would be included in a yearbook or school directory. Without the exemption, schools would have to get consent for every disclosure.
“It’s easy to understand how, within a school community, having some amount of sharing is helpful to enable engagement in a positive way,” said Caitlin Fennessy, research director for the International Association of Privacy Professionals in Portsmouth, N.H.
How to Handle FERPA Directory Information
Currently, the default setting for directory information in FERPA is for schools to “publish without prior consent.”
You can opt-out of the directory, which would prohibit the school from sharing your information.
Here are steps to ensure your school is handing directory information correctly:
- If you are not clear about the directory information that your school collects, ask what is collected, why and whom they share it with.
- Ask specifically about visual images and videos. Are they included under the directory-information exemption? If so, why?
- Encourage data minimization, or collecting the least amount of data possible.
- Ask what steps the school takes to protect student information from data-mining.
- Be prepared to complete opt-out forms each year your child is in K-12 education.
‘They Don’t Have To’
Schools must notify students of their FERPA rights and what is collected as directory information. This is typically done upon enrollment and may be through an email, a page in the handbook or by another means.
Schools also must provide parents with a reasonable window to opt-out of disclosing a student’s information.
“If someone wants the information, and they’re not comfortable giving it,” Rooker said, “they don’t have to.”
Concerns about how schools are informing parents and students about directory information have come to light through a recent World Privacy Forum (WPF) report.
The report, released earlier this month, highlights concerns with how directory information is communicated, how opt-out options are provided, and what becomes of student data.
Key WPF Findings
The WPF examined more than 5,000 K-12 schools and 102 postsecondary schools to learn more about how schools were providing FERPA information to students and parents, the accessibility of opt-out options and how directory-information data was being used.
Key findings include:
- The vast majority (98% of postsecondary institutions and 97% of K-12 schools) provided annual FERPA notices through phone, internet or paper. However, FERPA information could be hard to find.
- Schools varied on what was designated as directory information and how much information was released. Some schools released lots of information, while others made none available.
- All schools allowed students to opt-out of information-sharing when they enrolled. After that, K-12 schools gave an average of 45 days, while postsecondary schools typically allowed students to opt-out any time in the year.
- Fewer than half (39.7%) of K-12 schools and 60% of postsecondary schools offered an opt-out form online.
- At least half of the forms included a “nudge” that encouraged students not to opt-out: For example, insinuating that the student’s name would not be in the commencement bulletin.
- The WPF identified that data brokers, companies that collect and sell data, are mining directory information — including name, age, address and racial data — of minors.
For Fennessy, the WPF report highlighted how schools must have someone on staff with privacy knowledge. For example, FERPA requires opt-out consent, she said, and you may have a transparent and helpful notice, or one that is difficult to use.
The report also suggested that with advancements in how data is accessed and used, the directory-information exemption might need to be revisited.
However, the challenge is how to manage legitimate data-sharing and eliminate data-mining.
“There is going to be a heightened awareness around (student) privacy.”— Caitlin Fennessy, IAPP research director.
In 2011, according to the Education Department, FERPA was revised to clarify that schools can have a limited directory-information policy that would give them greater discretion by restricting the release of such data.
“The directory-information loophole was put in for the benefit of schools,” Rooker told Digital Privacy News, “not for the benefit of external audiences.”
But Fennessy is optimistic that the report, as well as the current focus on digital learning and privacy, will have a positive impact. For example, the Education Department just released new FERPA guidelines related to online learning.
Heading into the coming school year, Fennessy said, “there is going to be a heightened awareness around (student) privacy.”
Samantha Cleaver is an education writer in Charlotte, N.C.
Sources (external links):