Increasing Transparency to Make FERPA's Privacy Protections More Meaningful

June 2024

Katherine Kalpos, Morgan Sexton, Amelia Vance, and Casey Waughn

 

CC BY-NC 4.0

Fixing FERPA Header

Schools must communicate about their data collection and privacy policies so that parents and eligible students can effectively exercise their FERPA rights to access, amend, and request deletion of personally identifiable information (PII) in education records. But in their efforts to be more transparent, schools should strive to provide clarity rather than simply providing more information. Transparency does not require (and should not equate to) information overload. While FERPA provides a good starting point toward transparency about school data practices, there are still opportunities to increase transparency in ways that further empower parents and eligible students to exercise their privacy rights, as well as create a culture of informed, constructive community engagement regarding student data privacy and accountability. We offer the following four recommendations for how FERPA can be amended to increase meaningful transparency into school data governance practices without becoming overly burdensome on schools, parents, or students.

1. Supplement Annual FERPA Notices

FERPA requires schools to provide parents and eligible students with an annual notice of their privacy rights, specifically detailing the following information:

  • What their FERPA rights are (including the rights to inspect and review, seek amendment, and consent to disclosure of PII in education records, as well as the right to file a complaint with the Department of Education) 34 CFR 99.7(a)(2);
  • Procedures for exercising their right to inspect and review and to seek amendment to PII in education records 34 CFR 99.7(a)(3)(i)-(ii); and
  • The criteria for who may be a school official and what constitutes legitimate educational interests 34 CFR 99.7(a)(3)(iii).

While these notices help raise awareness of individual privacy rights, they are not as effective as they could be because they lack key information necessary to paint a full picture of the school’s data practices. To foster more transparency, annual FERPA notices should also include the following information:

  • The categories of student PII the school is collecting and why (for example, both Oklahoma and Colorado share these sorts of data inventories);
  • A high-level overview of how the school will use, store, and retain that PII; and 
  • That a) the full scope of student PII that the school is collecting and b) detailed information about how the school will use, store, and retain that PII are available upon request.

This should not create a large administrative burden for schools since, ideally, schools are already pulling this information together as part of their standard data governance procedures. 

Schools may choose to proactively put detailed information about their privacy practices directly into their annual FERPA notices, but schools must remember that meaningful transparency will likely not be achieved through information overload. Rather than taking a “more is more” approach that overwhelms parents and eligible students with loads of information to sift through, schools should strive to be as straightforward and clear in their annual FERPA notices as possible. To do this, FERPA should require schools to carefully weigh which information is included in the notices and to be intentional about the details included. For example, schools could potentially use a layered approach to convey this information (more details about layered approaches can be found here).

2. Make Annual FERPA Notices Available Online

Schools have the discretion to “provide [annual FERPA notices] by any means that are reasonably likely to inform the parents or eligible students of their rights” 34 CFR 99.7(b). This means that schools can choose to deliver annual FERPA notices to parents and eligible students by mail, email, a paper form distributed at school, or in any other way that is reasonably likely to inform individuals about their FERPA rights. But what happens when parents or eligible students want to refer back to this notice later and can’t find it? In today’s digital age, when the answers to most of life’s questions are at our fingertips, posting these notices on existing local or state education agency websites* is a critical step toward increasing transparency.

Posting annual FERPA notices on the school’s website may sound obvious, but it is not common practice. In a survey of local education agency (LEA) websites, the Student Privacy Policy Office (SPPO) found that, of the LEA websites reviewed, only 53% posted the LEA’s annual FERPA notice on their website. While 53% is a good start, it still leaves ~47% of parents and eligible students without a guaranteed way to access the policy at any time without encountering additional barriers (for example, traveling to the school and interacting with school personnel).

To prevent individuals from being deterred by such barriers and discouraged from learning more about the school’s privacy practices, schools should make it as easy as possible for parents and eligible students to access the annual FERPA notice by posting the notice online. Making these notices readily accessible online will more effectively notify parents and eligible students of their FERPA rights, better empower parents and eligible students to engage with data policies throughout the school year, enable schools to showcase how they’re protecting student data, and give schools the opportunity to proactively clarify their data practices and assuage potential concerns.

2024-04-04 700x510 (3)

3. Record When Student Data Is Shared Under a FERPA Exception

FERPA requires schools to either notify or make a record that is reviewable by parents and eligible students every time PII from education records is disclosed to the following parties:

  • Another school for purposes related to a student’s intended enrollment or transfer 34 CFR 99.31(a)(2);
  • Required entities in response to a judicial order or subpoena (unless prohibited) 34 CFR 99.31(a)(9)(ii);
  • Appropriate parties in a health and safety emergency 34 CFR 99.32(a)(5); or
  • Representatives of the US Comptroller General, Attorney General, Secretary of the Department of Education, or state and local educational authorities when those representatives are permitted to redisclose the information 34 CFR 99.32(b)(1) (plus any redisclosures by such representatives 34 CFR 99.32(b)(2)(i)).

However, schools do not have to notify or make a record that is reviewable by parents or eligible students when PII from education records is disclosed to these parties:

  • School officials (including teachers, school staff, and third parties to which the school has outsourced institutional services or functions) 34 CFR 99.31(a)(1);
  • Relevant entities in connection with determining eligibility for, amount, or conditions of financial aid, or for enforcing terms and conditions of financial aid 34 CFR 99.31(a)(4)(i);
  • State and local officials or authorities under state statute concerning the juvenile justice system 34 CFR 99.31(a)(5);
  • Organizations conducting studies for or on behalf of educational agencies or institutions 34 CFR 99.31(a)(6);
  • Accrediting organizations to carry out their accrediting functions 34 CFR 99.31(a)(7);
  • Parents (when the parent claims a student as a dependent on their taxes 34 CFR 99.31(a)(8), when their child is a noneligible student 34 CFR 99.31(a)(12), or when a postsecondary student is under 21 and is found to have committed a disciplinary violation with respect to the use or possession of alcohol or a controlled substance 34 CFR 99.31(a)(15));
  • A victim of an alleged perpetrator of a crime of violence or a non-forcible sex offense (limited to the final results of the disciplinary proceeding conducted by the institution of postsecondary education with respect to that alleged crime or offense) 34 CFR 99.31(a)(13); or
  • Parties seeking directory information (so long as notice of what constitutes directory information is provided annually 34 CFR 99.37) 34 CFR 99.32(d)(4)

Additionally, schools do not have to notify or make a record that is reviewable by parents or eligible students when the following PII from education records is disclosed, regardless of whom the information is shared with:

  • The final results (including the name of the student, the violation committed, and any sanction imposed by the institution against the student) of a disciplinary proceeding at an institution of postsecondary education when the student is found to have committed a crime of violence or non-forcible sex offense 34 CFR 99.31(a)(14); or
  • Information provided to the educational agency or institution under 42 U.S.C. 14071 and applicable federal guidelines relating to sex offenders and other individuals required to register under section 170101 of the Violent Crime Control and Law Enforcement Act of 1994, 42 U.S.C. 14071 34 CFR 99.31(a)(16).

The list of circumstances in which PII from education records can be disclosed without notifying or making a record that is available for parents and eligible students to inspect is notably longer, and used more frequently, than the list of disclosures that require transparency. To better enable individuals to exercise their FERPA rights, FERPA should be amended to require schools to be more transparent about when PII from education records is shared or used, and what protections are in place to keep that information from being exploited or commercialized. In some scenarios, this may not be a workable standard in practice (as it would be impractical for schools to keep a record of every time a teacher accesses PII under the school official exception to facilitate instruction).** However, where practical, we recommend adding a notification or recordation requirement when PII is shared with or used by third parties outside of the educational agency or institution. For example, when a digital product has the ability to create audit logs to show each time it has been accessed, schools should be required to turn that functionality on. This change would provide meaningful transparency without creating new requirements for educators or school administrators to separately document each time they access student information. 

Some states have already taken key transparency measures. For example, the Utah Department of Education is required to maintain a metadata dictionary that discloses which information is being shared with third-party edtech vendors. New York requires education agencies to publish their contracts with edtech vendors. These disclosures should be coupled with reminders about how edtech companies can use student data, especially the ban on selling student information.

4. Clarify that Students Under 18 Have the Right to Access Their Education Records

While FERPA permits educational agencies and institutions (EAIs) to give all students rights to their own education record (see 34 CFR 99.5(b)), it is a common misconception that FERPA only requires EAIs to give FERPA rights to eligible students. This is not true; FERPA’s regulations provide all students a right to access to their education records.*** To counteract the widespread misconception that FERPA does not give K-12 students the right to access their education records–and to empower all students with the knowledge that they can have access–FERPA should expand its transparency provisions to require that schools annually notify students under 18 of their right to access their records. Such annual notification to all students must be age-appropriate, using language that the student can understand, and the requirements for disseminating this notification may resemble the annual notice to parents and eligible students.

While we focus here on notifying students of the right to access their education records because this resource concerns transparency, it’s important to note that schools do not have to stop at access when giving students under 18 rights to the PII in their education records. Giving students more control over their data can increase autonomy and empower students to pursue additional services, such as those offered by community-based nonprofits, even when their parents are not available to provide consent. If schools decide to adopt a policy that gives students additional rights to their education record under FERPA, they should include information about this policy in their annual notification to students under 18.

Closing Thoughts

While FERPA is a good starting point towards promoting transparency about school data practices, there is still room for improvement. By increasing transparency in meaningful ways, schools can empower students and their parents to make informed choices and exercise their FERPA rights with confidence. This will not only benefit individual students, but will also foster a culture of accountability and engagement on the topic of data governance throughout the school community.

*  Local and state education agencies are not required to maintain websites, and they should not be required to develop a website for this purpose if they do not have one already. However, if they do choose to have a website, they should be required to provide their legally required notices to that website.

**  It would be infeasible to require schools to make a record of all disclosures to teachers and other school staff under FERPA’s School Official Exception. We do not intend for additional transparency requirements to apply to such disclosures. However, as discussed in another “Fixing FERPA” blog, FERPA needs a statutory change that adds more accountability safeguards for sharing student PII with technology companies (which also currently happens under FERPA’s School Official Exception). We recommend separating how data is shared with teachers and with edtech companies into two different FERPA exceptions and adding additional requirements (like more transparency) for disclosures to technology companies.

***  The relevant provisions in the FERPA regulations that create the student right of access are spread out across multiple different sections (§ 99.31(a)(12), § 99.31(d), and § 99.3 “Student”), making it difficult to piece them together and identify that this right exists. To add to the confusion, the section that is meant to compile and list all student rights under FERPA (34 CFR 99.5, “What are the rights of students?”) does not mention this particular right at all.

Other Fixing FERPA Publications