Protecting Privacy of School Directory Information
December 2018
Amelia Vance
Originally published by the National Association of State Boards of Education
CC BY-NC 4.0
Students do not have the right to attend school anonymously, but they do have a right to have their information protected and used responsibly by local and state education agencies. State boards can help their states strike this balance.
When the Family Educational Rights and Privacy Act (FERPA) was first passed in 1974, schools realized that they had a problem: Without ongoing consent from parents (or an applicable FERPA exception), they were unable to ask students to wear nametags, create programs for the school play, display the school honor roll on the wall or in the local newspaper, announce football player names at games, or create a school directory. Some schools asked whether this new privacy law even allowed teachers to call students by their name in class, since technically FERPA did not allow schools to share personal information about a particular student even with other students.
Congress quickly acted and adopted amendments that same year to create an exception to FERPA, known as the directory information exception,1 which permits all the activities described above by allowing schools—at their discretion—to share with third parties student personal information that “would not generally be considered harmful or an invasion of privacy if disclosed” (box 1). There are some exceptions: Schools usually cannot refuse to provide directory information to military recruiters who request it.2 Parents have the right to opt out of this sharing, and the school must provide parents with notice annually of their right to opt out.
BOX 1. Examples of Directory Information
The U.S. Department of Education’s Model Notice for Directory Information suggests that schools designate the following information as directory information in their annual notice to parents:
- student’s name;
- address;
- telephone listing;
- electronic mail address;
- photograph;
- date and place of birth;
- major field of study;
- dates of attendance;
- grade level;
- participation in officially recognized activities and sports;
- weight and height of members of athletic teams;
- degrees, honors, and awards received;
- the most recent educational agency or institution attended; and
- student ID number, user ID, or other unique personal identifier.
Unlike most FERPA exceptions, the disclosure of student directory information does not come with limits. When the school shares information with a third party, that third party can redisclose that information to anyone. This is mainly for practical reasons. As mentioned above, schools can use directory information, for example, to create a program for a school play that lists participating students’ names. However, as anyone could attend the play and get the program, the school has no way to control who gets this information. If a parent objects, they can opt out of directory information sharing, and the student will not be listed in the program.
As concern over student privacy has grown during the past decade, parents and privacy advocates have urged schools not to disclose directory information without limitations. Schools may not realize that they may exercise discretion in responding to requests by third parties for student directory information.
In 2017, data analyst Leah Figueroa sent email requests to 10 institutions of higher education asking for “a listing of student directory information.” Three schools requested that she fill out a Freedom of Information Act (FOIA) request before she could receive the data (depending on the state, directory information may or may not be considered subject to state FOIA laws); two schools sent her a public link to their student directory; and one provided her with the records of 22,006 of their students after she paid $50. Figueroa did not need to identify herself or provide a reason why she needed the information—even though sensitive information was shared with her, such as telephone numbers and email addresses.3 She noted that, while most directory information requests are legitimate, coming from “researchers or other colleges seeking to recruit students—some are likely coming from predatory loan companies,” other “aggressive marketers,” or even a stalker seeking the “dorm address of a student.”4
To some, sharing contact information may seem innocuous. Yet four districts learned otherwise last fall when malicious hackers attacked their student information systems, used parent and student telephone numbers to text death threats to students, and posted student contact information online.5 They tweeted, “With the student directory from [Johnston Community School District in Iowa that] we released, any child predator can now easily acquire new targets and even plan based on grade level.” While in the past a PTA directory would be photocopied and only shared within a community, today this contact information is often available online instead.
Options in Federal and State Law
Eliminating the directory information exception would make day-to-day school activities impossible, but as it stands today, FERPA is not protective enough of the privacy of directory information. And the protections that do exist are not clear. Many schools do not know they can deny requests for directory information and redact sensitive information like telephone numbers, dorm addresses, or email addresses when state law requires that directory information be shared under a FOIA request.
In FERPA’s amended 2011 regulations, the U.S. Department of Education (ED) made it clear that schools do not need to solicit an all-or-nothing opt-out decision from parents or eligible students: “If a school has the administrative capacity, it may permit parents or eligible students to opt out of specific items it has designated.” In addition, schools can pick and choose which information they designate as directory information in the first place.6 ED noted that schools have an obligation to “minimize information released in directories to the extent possible because, since the enactment of FERPA in 1974, the risk of reidentification from such information has grown as a result of new technologies and methods.”7
Some states are trying out different approaches. Ohio has a long-standing law that does not allow schools to disclose directory information “to any person or group for use in a profit-making plan or activity,” though the state has also limited the ability of schools to refuse to disclose directory information to a range of officials.8 Maryland has a law limiting the disclosure of phone numbers and home addresses unless parents have given consent.9
After a political candidate in Virginia inappropriately used directory information to text students to encourage them to register to vote and volunteer for the candidate,10 a law was passed in 2018 that said parents could opt out of “any or all” directory information categories, and it does not allow physical addresses, telephone numbers, or email addresses to be disclosed without written consent.11 The Virginia law also exempts directory information from the state’s FOIA law.
Currently, FERPA doesn’t require that the opt-out notice to parents be proactive; just posting it in the student handbook or online is sufficient. Many schools choose to provide a proactive notice to parents with a form that allows them to opt out, but this is only a requirement in Maryland.12 Recently, more and more districts are adopting directory information opt-out forms that allow parents to not only opt out entirely but also choose who can receive directory information. For example, in Fairfax County Public Schools in Virginia, parents can choose whether or not the school can share directory information with school-related organizations like the PTA, state and county agencies, in photographs online or in the media, or with other students. They can also choose what directory information can be shared in the first place.13 However, almost half of districts have less than 1,000 students and therefore may not have the administrative capacity to allow these options. For those districts, simply limiting what information is designated as directory information or not allowing information to be shared with those seeking to profit from it may be an easier lift.
Notes
1 U.S. Department of Education, “Legislative History of Major FERPA Provisions” (Washington, DC, 2004), https:// www2.ed.gov/policy/gen/guid/fpco/ferpa/leg-history. html.
2 Ibid.; No Child Left Behind Act of 2001, Pub. L. No. 107-110 (2002); and National Defense Authorization Act for Fiscal Year 2002, Pub. L. No. 107-107 (2001). This is also required under Section 8025 of the Every Student Succeeds Act.
3 Leah Figueroa, “FERPA: Only Your Grades Are Safe: OSINT in Higher Education,” presentation at Infosec Southwest, 2017, https://www.slideshare.net/ reconvillage/rv-defcon25-ferpa-only-your-grades-aresafe-leah.
4 Taylor Armerding, “Are You a Student? Your Personal Data Is There for the Asking,” Naked Security by Sophos blog (2017), https://nakedsecurity.sophos.com/2017/08/24/ are-you-a-student-your-personal-data-is-there-for-theasking/ .
5 Joseph Cox, “ ‘Dark Overlord’ Hackers Text Death Threats to Students, then Dump Voicemails from Victims,” Daily Beast (October 5, 2017).
6 Proclamation No. 232, 76 Fed. Reg. 75628 (Dec. 2, 2011).
7 Proclamation No. 237, 73 Fed. Reg. 74834 (Dec. 9, 2008).
8 Ohio Rev. Code § 3319.321 (http://codes.ohio.gov/ orc/3319.321)
9 Ann. Code of Maryland State Government Article §10-616.
10 Graham Moomaw, “Virginia House Approves Bill to Shield Student Contact Info from Outside Groups,” Richmond Times-Dispatch (February 7, 2018).
11 Code of Virginia § 22.1-287.1. Directory Information (2018).
12 Maryland House Bill 176, Section 7-111 (2010).
13 Fairfax County Public Schools, “2017–18 Annual Notice of Survey, Records, Curriculum, Privacy, and Related Rights” (Falls Church, VA, N.d.), https://www. fcps.edu/sites/default/files/media/forms/2017-18%20 Complete%20Packet%20K-8_0.pdf.
14 Proclamation No. 232, 76 Fed. Reg. 75628 (Dec. 2, 2011).
15 National School Boards Association, “Resolutions of the National School Boards Association” (Alexandria, VA, 2018), https://cdn-files.nsba.org/s3fs-public/2018_ Resolutions-Adopted-4-6-2018_0.pdf.
16 Amelia Vance, “Policymaking on Education Data Privacy: Lessons Learned,” Education Leaders Report 2, no. 1 (Alexandria, VA: National Association of State Boards of Education, April 2016).
