FERPA

Congress originally passed the 1974 Family Education Rights and Privacy Act, or FERPA, in the wake of the Church Senate Committee investigations on law enforcement overreach. Privacy reached an apex. Almost a decade before Congress passed FERPA, the Supreme Court found a constitutional privacy right in family planning (Griswold v. Conn, 1965), from a “penumbra” of 1, 3, 4, 5, and 9th Amendments.  In criminal procedure, the Court established a 4th Amendment right in electronic communications (Katz v. U.S.).  In the same year as FERPA, Congress passed the Privacy Act, which established fair information practices for the federal government.  Many states had medical privacy laws in that era that became federal in 1996 with the Health Insurance Portability Accountability Act (HIPAA).  Similarly, the Financial Services Modernization Act, commonly known as the Gramm, Leach, Bliley Act of 1999 (GLBA) protected some financial information. Both of those laws, more robust than FERPA, acted as a follow up in the sectoral manner in which the United States handles public privacy law.   

 The historical context in which Congress passed FERPA is important to bear in mind as we assess where it stands contemporarily. At the time, it represented a correction to overbearing governmental surveillance.  It stood in support of the autonomy of the educational process.  It was a part of a constellation of laws -- executive, legislative, judicial -- that signaled a shift in social norms. Historians recognize it as a prized middle-class notion of citizenship, one that created both physical and psychological space around the individual in which that person could learn, work, and think without undue governmental influence. 

 Supreme Court cases further defined FERPA. In 2002, the Owasso case declared shared grading among students not a violation; the Gonzaga case decided that there was no private right action. The events of 9/11 marked the first significant amendment to FERPA.  Added to the usual exceptions, such as individual health and safety, was a “Patriot Act” one for the health and safety of everyone else as in the case of international terrorism. Although specific circumstances shaped these changes, one might observe a weakening of FERPA. And as new privacy legislation emerged in public law, such as HIPAA and GLBA, FERPA remained stuck in time.  It lacked, for example, specific security provisions.  So, too, was its remedy limited to the “nuclear option,” a loss of federal funding for the institution, one so nuclear that to date not a single institution has suffered it.  Reputation loss, institutional ethics and decades of existing policies and practices have retained FERPA, but in terms of institutional risk assessment, it pales in comparison to HIPAA, for instance. 

 Information technologies and the market, operating in conjunction with each other, have further challenged FERPA. A global information economy has commoditized information; information about individuals, the more personal the more remunerative, hungrily grabs at the data that FERPA protects. It is therefore not governmental influence so much that poses a threat to the integrity of FERPA as it is vendors of academic technology services. Back a few years ago Google posed a specific threat, but they were just the big tip of the iceberg that has continued to lurk underneath the steady drumbeat of procurement. 

 Many examples can be given. One recent one to cross my path is a student grading service that mistakenly dispersed personal information to all users on a campus instead of each faculty member individually. Not a violation of FERPA per se, in my opinion at least, but a reminder of how fragile are the boundaries of a single keystroke. The other involved a company that teaches coding. It wanted to have an institution sign onto a contract that allowed it, in exchange for the “free” service, to use the information gathered from the named students. Did the vendor know about FERPA? Not clear. It is easy for a company not to know about it, because it is law specific to education records. The higher education community went through this issue with Box some years ago. Like the five stages of grief, the Internet2 schools that negotiated with Box went first to Box not knowing about FERPA, second denying that it had anything to do with their service, third resisting specific required language in the contract, four to acceptance, and finally to modeling contracting of cloud vendor services. Not two weeks ago, an article in IHE pointed to another example. Handshake connects students with employers, but questions have arisen about the circumstances under which students have consented to having their Grade Point Averages (GPAs) appear in their profiles and/or how and in what ways colleges and universities supply such data to the vendor.  

 In November 2014, I talked one on one with the Federal Trade Commissioner, Terrell McSweeny about the Google issue. Both procurement and informed consent came up as general areas of concern.  Plus, a third: transparency.  How do we know what a vendor is really doing with education records?  And a fourth: recourse: what does a college or university do if a vendor abuses the contract?  FERPA falls back only on the institution.  Sure, there is breach of contract, but what that means in practice?  The institution suffers disrupted services and potentially.  From a public relations perspective in a competitive market a lot of mud lands on the institution’s face.  People get fired.  But don’t we see how higher education begins the process on the ropes?

There are steps higher education can take to shore up its place in this shifting landscape. Our associations should make procurement pathways more uniform when it comes to compliance and continue to advocate for buyer’s club discounts. Institutional leaders should follow suit to organize procurement on campus, especially when it comes to faculty use of services that involve students. Higher education should take a purer-than-Caesar’s-wife approach to the practice of genuine informed consent. Senator Church is no longer there to represent us. Senators Markey and Hatch attempted to raise the flag in 2014 with no success. Under the current administration and the Department of Education leadership, don’t hold your breath.  If higher education wants to defend FERPA, it is going to have to do it for itself.