FERPA Must Clearly Protect All PII Accessible to Schools

January 28, 2025

Jessica Arciniega, Katherine Kalpos, Morgan Sexton, Amelia Vance, and Casey Waughn

 

CC BY-NC 4.0

Fixing FERPA Header

An eighth-grade teacher, Mr. Denning, is shown a video of one of his students, Lauren, candidly discussing her recent experience overcoming mental health struggles on Instagram. He makes a note of what Lauren said in her profile on the school’s student information system (SIS) so that the school guidance counselor can access this information when meeting with Lauren in the future.

The note Mr. Denning added is protected under the Family Educational Rights and Privacy Act (FERPA) because it is (1) personally identifiable information (PII) about Lauren, that is (2) stored in Lauren’s profile on the school’s SIS. But what if the same note was generated by technology, labeled using a random identifier, and included in Lauren’s profile, without being seen by a human? Would FERPA’s protections still apply? It’s unclear. 

When FERPA was enacted in 1974, it was designed to give parents and eligible students certain rights to PII in files–referred to as “education records”–that schools kept about students. At the time, schools primarily retained this information by compiling physical documents about individual students, making it simple to identify the “education records” that parents and eligible students have rights to under FERPA. However, as technology continues to advance, the way schools collect and store information about students has drastically changed–making the process of determining what counts as an “education record” under FERPA increasingly challenging for school personnel. This uncertainty not only undercuts the rights of parents and eligible students to access and challenge PII collected and retained at school, but it also weakens privacy protections for student data shared with technology companies. 

FERPA should be amended to eliminate the concept of “education records”–instead protecting all student PII that is readily accessible to the school, regardless of whether it is created by human personnel or automated systems. This would ensure that PII gathered by automated systems–such as PII compiled in student monitoring profiles–is clearly covered by FERPA and subject to parents and eligible students’ right to access this information.

Technologies Used in Schools Collect Vast Amounts of PII

FERPA gives parents and eligible students privacy rights over students’ “personally identifiable information” (PII) in education records. PII includes (but is not limited to):  

(a) “The student's name;

(b) The name of the student's parent or other family members;

(c) The address of the student or student's family;

(d) A personal identifier, such as the student's social security number, student number, or biometric record;

(e) Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name;

(f) Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or

(g) Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.” (34 CFR 99.3, emphasis added)

Technologies used in schools may track and analyze a wide variety of students’ digital activity, including:

  • Emails sent and received;
  • Internet searches;
  • Websites visited; 
  • Keystroke and click patterns;
  • Essays and online journal entries;
  • Social media posts.

As a result, the third parties that schools rely on to provide these technologies–such as edtech companies–may collect or be able to deduce tremendous amounts of sensitive student PII from students’ digital activity on their platforms, including sensitive data related to their health, social relationships, academic progress over time, sexual orientation, religious beliefs, political views, personal interests, and more. FERPA is meant to ensure confidentiality when sensitive student data is collected at school while also granting parents and eligible students the right to access and challenge it as inaccurate or no longer relevant.

24

But FERPA Does Not Protect All PII Collected by Third Parties

When talking about FERPA’s protections for student data, it is common to note that FERPA protects PII in education records. However, what is less discussed is the reality that the inverse is also true–FERPA does not protect PII outside of education records. For this reason, understanding the scope of “education records” is critical to pinpointing what student data falls within FERPA’s protections.

“Education records” are records that meet two criteria: 1) they must be “directly related” to a student; and 2) they must be “maintained” by an educational agency or institution, or by a party acting for the agency or institution. (34 CFR 99.3(a)). If PII is stored in a way that does not meet one (or both) of these criteria, then that PII is not protected under FERPA. This may significantly weaken privacy protections for student data in two ways. First, if PII collected on an edtech platform is not protected under FERPA, the companies operating that platform may not be subject to any federal privacy law limiting their ability to freely use, share, or sell the student data they collect. Second, parents and eligible students may not have any rights to that information, such as the rights to access or challenge their PII under FERPA. This creates a significant gap where parents and eligible students are unable to access or challenge PII depending on how the PII is processed after collection–something they often have no control over. And when PII is stored in a way that does not meet both criteria of “education records” under FERPA, parents and eligible students may not even be aware that such information is being collected at school in the first place.

The use of technology in schools has made the process of analyzing what PII is protected under FERPA significantly more challenging, as it is not always clear when digital files are both "directly related" and "maintained" under FERPA. We previously discussed how ambiguity around the term “maintained” has been misinterpreted under FERPA to exclude data shared with third parties–such as edtech companies–on the school’s behalf (see this Fixing FERPA installment for more details). We’ll now turn our focus to an equally nuanced issue: deciphering when PII automatically collected by third party platforms is stored in files that are “directly related” to a student.  

When are Files Generated by Technology “Directly Related” to a Student?

FERPA does not define the term “directly related,” so we must turn to guidance for insight into what this requirement means. 

The best guidance we have about when files generated by technology are “directly related” to a student comes from the U.S. Department of Education’s (USED) FAQs on Photos and Videos under FERPA. The FAQs say that educational agencies and institutions should consider various factors when determining if a photo or video is directly related to a student, including whether the media is used for disciplinary action or other official purposes, contains depictions of activities that involve the student, whether there is intent to focus on a specific student, and if PII is otherwise contained within. However, if the student is only incidentally shown in the image or captured as part of the background, or if it shows participation in public school activities without focusing on any individual, it should not be considered directly related.

700x510 USE THIS FOR IN-TEXT IMAGES (21)

Additionally, USED’s Letter to Wachter indicates that videos created by surveillance cameras in schools are generally not part of a students education record unless and until the school takes action in response to it. Until that point of action, the video is only incidentally related to the students on the video. This distinction is practical: giving parents access to all surveillance footage that may incidentally relate to their child would be overly burdensome for schools, would likely have minimal value to parents, and could lead to the impermissible disclosure of other students’ PII. However, giving parents access to a specific, pre-identified portion of surveillance video depicting their child doing something that resulted in official action by the school would be more manageable. 

While we do not yet have authoritative guidance that this is the case,* the FAQs on Photos and Videos under FERPA and Letter to Wachter can reasonably be read to create an intentionality threshold for determining when digitally-created files are “directly related” to a student. Under this approach, when a school takes proactive steps to deliberately connect a broad digital media file to an identifiable student, that file becomes “directly related” to that student under FERPA. This interpretation would have significant impacts in practice, as emerging technologies may make such intentional connections easier than ever before.

For example, while Wachter establishes that unreviewed school surveillance footage is generally not “directly related” to a student because a student has not yet been associated with the footage, facial recognition software may change this dynamic. This technology can enable schools to easily connect the PII in school surveillance videos back to individual students. If schools have integrated facial recognition technologies into their surveillance system, they may be able to retroactively search all videos–including videos not yet reviewed by school personnel–for footage connected to a particular student. The software may also proactively identify students in real-time (or shortly after) for school staff to easily review. As such, the act of integrating facial recognition software could be viewed as an intentional step to link surveillance footage to specific students. This interpretation would make all video footage “directly related” to a student if the software automatically labels each student, regardless of whether school personnel have reviewed the video.

Case Study: Student Monitoring Profiles

The use of online behavioral monitoring profiles in schools are a prime example of the complexity involved in determining when digitally-created files are “directly related” to a student. Many schools contract with third-party monitoring companies to utilize their tools that track and record all student activity on school-owned devices or school networks. These tools use algorithms to flag inappropriate student activity or potential threats and generate notifications to school personnel when necessary. In the process, such technologies automatically create extensive digital profiles about individual students–some of which may never be accessed or reviewed by a human.

John Smith’s School-Issued Laptop

Is PII in these monitoring profiles protected under FERPA? The answer comes down to whether such profiles meet both criteria for “education records” under FERPA. To simplify the analysis, we will assume for the sake of this example that online behavioral monitoring profiles are “maintained” by companies acting for the school.** A plausible (though highly problematic!) interpretation of current FERPA guidance is that these profiles are not “directly related” to a particular student–and thus not protected under FERPA–because monitoring files may never be reviewed by school personnel if that student’s online activity is not flagged. Under this interpretation, information in the profile or an insight about the student’s activity only becomes “directly related” when the school takes some action as a result of the information in the profile. This problematic interpretation would not only enable monitoring companies to use, share and sell sensitive student data, but it also would allow schools to retroactively review individual students’ online activity at any time without ever informing students and parents that these profiles exist. As a result, parents and eligible students may be denied the opportunity to review student monitoring profiles or challenge their contents. 

We strongly disagree with this FERPA interpretation, but do believe that this issue needs clarification. Student monitoring profiles are “directly related” to individual students–thus meeting both criteria to be protected under FERPA–since the intention behind creating each profile is to allow schools to review a known student’s online activity as desired (regardless of whether the school actually ends up accessing that data). Logs of student activity are not kept as one homogenous file that can only be attributed to a specific student when a school takes some action to identify the specific student. Rather, the students' activities are explicitly logged and sorted into profiles as the information is collected. As discussed in our analysis of the intentionality threshold created by the FAQs on Photos and Videos Under FERPA and Letter to Wachter: when a school takes proactive steps to deliberately connect a broad digital media file to an identifiable student, that file becomes “directly related” to that student under FERPA. If a monitoring profile is labeled by student names, the profiles are clearly “directly related” to named students the moment they are created. While this analysis may become more complicated when monitoring profiles are labeled in other ways, the result should not change.

Consider an example where a school contracts with an online behavioral monitoring company to track and record students’ online activity and notify certain school personnel when the algorithm flags that an intervention could be necessary. The company creates digital logs of all student activity online, labeled with random identifiers (such as “Student 293047”) rather than student names (“John Smith”). But when a student’s activity is flagged by the algorithm, the monitoring profile is linked back to a specific student so that the school knows who may need the intervention. Simply notifying school personnel that the online activity of Student 293047 should be reviewed is meaningless unless the school can readily determine that Student 293047 is John Smith. Since the monitoring system was intentionally designed to enable the school to connect digital profiles labeled only by random identifiers to identifiable students, the monitoring profiles must be considered “directly related” to each student (and therefore protected under FERPA) regardless of if school personnel have actually made the connection yet.

Suggested Solution: Protect All PII Accessible to Schools

Limiting FERPA protections to only the PII in “education records” makes it unclear (and often unintuitive) how to distinguish what PII is actually protected under FERPA. This lack of clarity makes it extremely hard for well-meaning school administrators to comply with FERPA and frequently results in unintentional privacy violations when PII is compiled by technology. Despite the apparent gaps in what data FERPA covers, efforts to expand FERPA’s scope have received pushback over the years. Critics have argued that an overly broad scope could impede school functions, such as reporting de-identified or aggregated metrics for benchmarking and prevent teachers from discussing real classroom situations during the teacher (re)certification process. 

That being said, states have figured out how to clarify the scope of student privacy law coverage in a way that carefully balances multiple legal and practical considerations, and we suggest following state law’s lead here. State student privacy laws across the country tend to cover PII without FERPA’s additional restrictions that the PII must be in “education records.” For example, Colorado’s student privacy law protects “Student personally identifiable information,” defined as:

(13) "Student personally identifiable information" means information that, alone or in combination, personally identifies an individual student or the student's parent or family, and that is collected, maintained, generated, or inferred by a public education entity, either directly or through a school service, or by a school service contract provider or school service on-demand provider.

Maryland’s student privacy law protects “Covered information,” defined as:

(a)(2)(i) “Covered information” means information or material that, alone or in combination with other information or material, is linked or could be linked to a student in a manner that would allow an employee or a student of the student's school to identify the student with reasonable certainty.

(ii) “Covered information” includes a student's:

  1. Educational records as defined in § 7-1303 of this article;
  2. First and last name;
  3. Home address and geolocation information;
  4. Telephone number;
  5. Electronic mail address or other information that allows physical or online contact;
  6. Test results, grades, and student evaluations;
  7. Special education information;
  8. Criminal records;
  9. Medical records and health records;
  10. Social Security number;
  11. Biometric information;
  12. Socioeconomic information;
  13. Food purchases;
  14. Political and religious affiliations;
  15. Text messages;
  16. Student identifiers;
  17. Search activity;
  18. Photos;
  19. Voice recordings;
  20. Disciplinary information;
  21. Online behavior or usage of applications when linked or linkable to a specific student;
  22. Persistent unique identifiers; and
  23. Confidential information as defined by the Department of Information Technology.

Rather than limiting protections to only student data in education records, Colorado and Maryland’s laws clearly protect a much broader swath of student information and provide greater protections and rights–and a clearer understanding for everyone of which information is or is not protected–than under FERPA.

In future revisions of the FERPA statute, Congress should follow states’ lead and eliminate the restriction that PII must be contained in “education records” to be subject to FERPA’s protections. This would better ensure that all student PII collected at school and readily accessible to school personnel is subject to FERPA’s privacy protections–regardless of whether the PII is collected by school staff themselves or through the use of automated technology. This change would clarify that parents and eligible students have the right to access and challenge their information in digital records that schools can readily connect to them, even if school personnel have not yet affirmatively reviewed those records themselves, ensuring a more consistent and comprehensive application of privacy protections for student PII collected through the use of edtech.

Endnotes

*  We would greatly appreciate clarification from the Department of Education on whether our interpretation is accurate in future FERPA rule making processes!

** In a prior Fixing FERPA installment, we discussed how ambiguity around the term "maintained" may be misinterpreted under FERPA to exclude data shared with third parties on the school’s behalf. We take the position in this blog that student monitoring profiles are sufficiently “maintained” under FERPA because the school has contracted with the monitoring company to use their services.

Other Fixing FERPA Publications

Fixing FERPA (700 x 510 px)

Fixing FERPA: Protecting Student Privacy in the Cloud

By Jessica Arciniega, Katherine Kalpos, Morgan Sexton, & Amelia Vance | December 13, 2024
20

Fixing FERPA: Strengthening Transparency & Confidence in FERPA Enforcement

By Jessica Arciniega, Katherine Kalpos, Morgan Sexton, & Amelia Vance | June 6, 2024
21

Fixing FERPA: Increasing Transparency to Make FERPA’s Privacy Protections More Meaningful

By Morgan Sexton, Katherine Kalpos, and Amelia Vance | June 6, 2024
18

Fixing FERPA: Enhancing EdTech Accountability

By Morgan Sexton, Katherine Kalpos, and Amelia Vance | June 6, 2024
17

Fixing FERPA: Distinguishing Between Core & Secondary Technology Uses

By Morgan Sexton, Katherine Kalpos, and Amelia Vance | June 6, 2024
19

Fixing FERPA: Clarifying Data Sharing Through a Defined Pedagogical Exception

By Morgan Sexton, Katherine Kalpos, and Amelia Vance | June 6, 2024
2024-04-04 700x510 (72)

Fixing FERPA

By Morgan Sexton, Katherine Kalpos, and Amelia Vance | June 6, 2024
2024-04-04 700x510 (22)

FERPA 101

By Amelia Vance and Morgan Sexton | April 3, 2024
2024-04-04 700x510 (69)

FERPA Exemptions

By Amelia Vance and Morgan Sexton | April 3, 2024
FERPA Exceptions Featured Image 700x510

FERPA Exceptions

By Amelia Vance and Morgan Sexton | April 3, 2024