The Education Department released new guidelines on student privacy today that would allow educational institutions to share data with other state agencies. The move alters a key privacy law to ease the creation of state databases to track academic progress -- to the dismay of student privacy advocates, who say the changes offer too few constraints on sharing sensitive personal information.
Proposed changes to the Family Educational Rights and Privacy Act, which will be published in Friday's Federal Register, would let institutions share more data for studies, audits and evaluations. High school administrators could share information about individual students to track their progress in college, for example, department officials said. Disclosing the information would require a written agreement stating what facts and figures were included, and the data would be destroyed after the audit or study was complete.
Longitudinal student databases have become a holy grail for many higher education reformers, who argue that only by tracking students from K-12 through college and into the work force can policy makers truly gauge the success of postsecondary education and training. After Congressional Republicans and privacy advocates beat back a Bush administration push to create a federal unit records database, federal policy makers turned their attention to encouraging states to create (or in some cases enhance) their own student data systems. The Obama administration has poured hundreds of millions of dollars into those efforts.
As calls for better statewide databases of academic progress have increased, a conflict has been brewing between those demands and the strictures of FERPA, which limits what information institutions can share about their students. Last year, the Education Department fired its top privacy official, Paul Gammill, who said he had argued that portions of the economic stimulus law requiring state departments of labor and educational institutions to share information about students violated the privacy act.
In a conference call with reporters Wednesday, department officials said the changes were meant to help ensure that taxpayer money was being spent on effective programs. As the department released the new privacy regulations, its officials said they were taking steps to tighten the security of student data, including clarifying enforcement provisions to prohibit agencies such as student lenders and nonprofit organizations from illegally disclosing students’ personal information.
The department also issued briefs on best practices for keeping private data safe and protected and announced the hiring of a chief privacy officer, Kathleen Styles, a former official with the U.S. Census Bureau. Additional changes to FERPA allow institutions to fine-tune the release of publicly available “directory information” so that it can be used only for specific purposes, such as yearbooks.
But data security, where the department has a strong record, and privacy protection are different issues, said Barmak Nassirian, associate executive director of the American Association of Collegiate Registrars and Admissions Officers.
“It is a privacy free-for-all in which everybody and their uncle gets access to highly private information without the student’s knowledge or consent,” Nassirian said, adding that school records can include not only grades and test scores, but also medical information and details about library fines and other administrative issues.
There could be valid reasons to sacrifice some privacy in the name of reaching educational goals, Nassirian said. But he argued that the department has not made the case for not using narrower methods, such as studies of representative samples with the subjects’ explicit consent, which he said is the proper way to test theories or approaches.
“You don’t put the entire population of the United States in a perpetual surveillance system,” he said.
In response to questions and concerns from agencies and institutions, the department has established a Privacy Technical Assistance Center, designed, it says, “to respond to increasing confusion among states and other education stakeholders” about information privacy and security.
Public comment on the proposed regulations will extend through May 23.