FERPA: Uses and Abuses, Especially in Emergency Notification Systems

In higher education there is no more well-known privacy law than the Family Education Rights Privacy Act, or "FERPA." Established in the 1970s to protect against abuses law enforcement made against students involved in the civil rights and anti-war movements, this early public privacy law fits into type 3 of the five categories I established in earlier blogs. It is a public, federal law.  That means that Congress passed it, originally back in 1974.  It has been amended on occasion, for example with a new exception under the U.S.A.-Patriot Act that added, what I call, the "health and safety exception for everyone else," i.e. in the case of a terrorist investigation.  By comparison to more contemporary privacy laws, the Health Insurance Portability Accountability Act, or "HIPAA,"for example, FERPA is not robust.  There is no private right of action.  If my alma maters were to leak my transcripts to IHE, just to create a scenario, I could not sue them personally.  I could report them to the Department of Education, however, and that Office would be responsible for an investigation, which might result in a warning letter.  The only sanction is the loss of federal funding, which would be catastrophic to most institutions because of the tie to financial aid -- not to mention grants -- and which may account for the fact that not one dime has ever been lost to a FERPA violation.  The zero to sixty response is too great a penalty for an institution to bear and therefore one that the Department of Education has been unwilling to impose.  

Harm to the reputation of the institution is probably the greater liability today for colleges and universities. After almost thirty years on the books, social norms have acculturated to this rule.  Education records are carefully guarded by almost all schools.  There exists a cult among registrars who are required in secret associations of their kind in clandestine meetings to prick their fingers and swear in blood to protect those records with their life.  Okay, that is a joke, but most people who either are registrars or have had to work with them should be smiling sympathetically because higher education as a rule has internalized the principles and practices of protecting education records in the main, transcripts especially.  But FERPA covers more than transcripts.  Email is the education record that often comes as a surprise to people, a message, for example, that a professor sends to a student qualifies obviously if it is about a grade or paper or some academic activity, but also if it is casual, because it personally identifies the student from an agent of the institution.

There is one class of information about a student that falls outside of FERPA: directory information.  That kind of information includes any number of attributes such as a student's name, his or her local address, an email address, class year, academic awards, extracurricular activity, etc.  Two features about directory information need to be explained further.  One is that the institution can set as a matter of policy what attributes are included in it.  The Department of Education has left that decision up to the college or university.  While formal FERPA policies are no longer required under the law, many institutions still use policy as the means to define those attributes which fall under directory information and that which is outside of directory that remains protected, as well as other notice requirements as are required under the law but practiced according to institutional methods specifically.  The other is that the student has the right to "opt-out" of the directory exposure, in many cases by indicating somehow, most often these days electronically with a "flag" that they want that information "suppressed," or unavailable to the public.  Notice that this "opt-out" method is consistent with many default directions in U.S. privacy laws, in contradistinction to the European Union model that defaults in the other direction, that is disclosure must be actively chosen and enacted by the user.

I am writing about this subject as an example of a public privacy law, one that should be familiar with anyone who trucks in higher education.  I am also writing about it because I have had an inquiry about how FERPA comports with vendors who specialize in emergency notification systems (ENS).  Here are my thoughts:  there is inherently nothing illegal or actionable about FERPA with regard to emergency notification systems, but colleges and universities do need to observe some rules and cautions.  The principal rule is that the ENS must as a matter of the contract accept the institution's FERPA obligations.  For specific language, see your institutional attorney; those provisions are becoming increasingly common as we transact with cloud providers.  The caution is that technologically and administratively, both the vendor and the institution, must figure out a method to address those students who have chosen to opt out of directory information.  Either notice and/or policy should reflect that for the purposes of emergency notification, the option out is not available, or, if prepared to accept that preference, the vendor must be as consistent as the institution is about the decision.  The key is consistency in one direction or the other.  

My understanding is that there have been miscommunications or understandings on both sides of this equation.  Some schools are saying that it is a violation of FERPA to use such a system … not true, just observe rules and cautions.  Vendors are saying that they cannot accept FERPA terms in the contract.  Not true, ask Box or Microsoft or any number of vendors, including the guy who comes by our offices to shred paper documents and has included such obligations within the contract for both FERPA and HIPAA.  The real proof may be in software, which should be written with enough detailed specification to be sure that when downloading institutional information that includes personally identifiable content about students, it is limited only to that which is required for the ENS.  Only vendors who are up to those legal and technological specifications should be used.  Colleges and universities, by the same token, cannot use FERPA as a blunt instrument against technological solutions.