Protecting Privacy in the Age of Too Much Information

Editor’s note: This article by John Locke Foundation director of legal and regulatory studies Daren Bakst is a response to a previous Pope Center article, entitled “Keeping Secrets” by education consultant and attorney Steven Roy Goodman, that criticized federal regulations governing students’ right to privacy. Goodman gets the last word in his article below, “Responsible Minds Need to Know.”

For more than 35 years, the Family Educational Rights and Privacy Act of 1974 (FERPA) has protected the privacy rights of college students by giving them the right to limit institutions from disclosing their personal information to third parties.

In a recent Pope Center article, Steven Roy Goodman argued that the law’s privacy protections are seriously flawed. In addition to addressing some of his arguments, I’ll explain why FERPA should be strengthened, not weakened.

Additionally, the biggest concern regarding FERPA isn’t the law’s privacy protections but the possibility that many of FERPA’s critical privacy protections may no longer exist if new regulations are adopted.

Under FERPA, postsecondary institutions are prohibited from disclosing personally identifiable information from education records without the prior written consent of students. Some examples of such personal information include grades, social security numbers, and less sensitive information that would allow someone to trace a student’s identity, such as names and addresses.  There are, however, some very narrow exceptions when information may be disclosed without prior consent.

Mr. Goodman argues that 2008 was a watershed moment in the history of FERPA because of new regulations adopted in 2008. In discussing the 2008 FERPA regulations, he explains that FERPA didn’t have “much negative impact” until these regulations were adopted. As a result of these regulations, according to Goodman, “the student privacy landscape changed greatly.”

To support this contention, Goodman points to a “clarification” in the law “that a student must consent before an educational institution was allowed to release his or her records.” The consent requirement, which is a central component of the law, isn’t new and has been part of FERPA since its adoption. There’s never been any confusion or any doubt regarding this requirement, which is plain language in statute.

Goodman brings up a common criticism of FERPA, specifically that parents and “tuition-paying relatives” are surprised to learn they may not have a right to access the student’s grades and other personally identifiable information. On the postsecondary level, Congress expressly created FERPA to protect the rights of college students, not the rights of parents. To do so, they had to limit the disclosure of personally identifiable information to third parties, including parents.

However, there are still ways that parents can gain access to personally identifiable information. Institutions may, but are not required to, disclose personal information to parents who can claim the student as a dependent, even without the consent of the student.

Furthermore, parents can let their children know that they won’t pay tuition unless the children provide the necessary consent to the institution. It isn’t FERPA’s fault if parents are unable to secure consent from their own children; it’s a family matter.

Goodman, like others, assumes that parents should easily gain access to personally identifiable information. This ignores the numerous reasons why parents shouldn’t have access to personal information.  For example, in many situations, students are independent and have no relationship with their parents. In fact, disclosure of information to parents may even be harmful to the students (e.g., abusive parents).

Goodman also provides a series of examples where FERPA allegedly caused problems. One case involves Laramie County Community College in Wyoming, which he cited to show that the law isn’t used to protect student privacy but is really used to protect the actions of administrators. Goodman doesn’t mention that the report involved highly sensitive information about a suicidal student that the institution was concerned about disclosing.

Laramie County Community College tried to use FERPA to initially block a newspaper from publishing a report regarding an overseas trip involving the college’s president.

But the Laramie case wasn’t an example of a problem with FERPA. While the newspaper was initially blocked from publishing the report, one week later the Wyoming district court ruled against the school, as FERPA did not preclude disclosure of the information. The problem was e not with FERPA; the problem was with the schools’ attempt to apply it in a case for which it was not applicable.

Goodman discusses the Virginia Tech shooting and the federal report issued following the tragedy. Specifically, in the report, there was a concern that staff at institutions are not fully informed when “they can share critical information on persons who are likely to be a danger to self or others, and the resulting confusion may chill legitimate information sharing.”

This concern, which covered more privacy laws that just FERPA, including the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, doesn’t support Goodman’s claim that FERPA played a role in the tragedy.

There’s nothing in the report that indicates that the tragedy would have been averted if FERPA had not been in place. Even if Virginia Tech’s staff members had the ability to disclose more information under FERPA, there’s nothing to suggest that they would have felt the need to disclose more information.

Furthermore, FERPA already has an exception that allows disclosure of personally identifiable information in the event of a health or safety emergency even without student consent. The U.S. Department of Education had narrowly interpreted that exception. In the same 2008 regulations that Goodman criticizes, the Department addressed the Virginia Tech-type concern by giving institutions far greater flexibility to disclose personal information under this health or safety emergency exception.

Ironically, as Mr. Goodman argues that FERPA is providing too many privacy protections, the Department of Education has just proposed regulations that truly would change the student privacy landscape by gutting FERPA’s privacy protections. This is being done to enable government agencies to collect large amounts of data on students; the new regulations would allow states to track individuals from cradle to grave. The Department of Education is pushing these regulations even though FERPA likely doesn’t give them the authority to do so.

A wide range of individuals and organizations has expressed opposition to these increasing violations of privacy. The new regulations would permit institutions to disclose student data to virtually any state agency even if the data are completely unrelated to education programs administered by the institutions. For example, if a state health and human services agency wanted to evaluate a Head Start program, it could obtain data on all students at a privacy postsecondary institution even if those students never participated in the Head Start program.

State agencies would be able to exchange data to create detailed profiles of individuals that would be contained in massive government databases. They also likely would be able to exchange information with agencies outside the state. Students and their parents would have no ability to control the disclosure of this information and wouldn’t even know what information was being disclosed and to whom.

Goodman is correct when he recommends that Congress should consider reform of FERPA. However, he has the wrong reforms in mind. Instead of weakening personal protections, as he recommends, Congress needs to make reforms to ensure that bureaucrats at the Department of Education aren’t allowed to cast aside the plain language and intent of FERPA in order for the government to learn almost every detail of our lives.