Coalition Petitions Department of Education to Create FERPA Data Security Rule for Education Records
A coalition of legal scholars and organizations interested in privacy has petitioned the Department of Education to amend the regulations that implement the Family Educational Rights and Privacy Act (“FERPA”) to include a “Data Security Rule” aimed at preventing the unauthorized disclosure of personally identifiable information contained in education records. The proposed rule would require schools and any third parties that possess education records to implement administrative, physical, and technical safeguards, such as encryption and “privacy enhancing techniques” that minimize or eliminate the collection of personally identifiable information, and to notify students and parents of data breaches.
The petitioners argue that many unauthorized disclosures of education records have resulted from the combination of (1) current FERPA regulations that allow easy disclosure of education records to outside parties and (2) weak or nonexistent data security protocols. Under the current regulations, an educational institution can face a reduction or elimination of federal funding if it has a “policy or practice” of releasing PII contained in education records without prior written consent. That consent requirement is subject to certain exceptions, however, including one that allows an institution to disclose records to contractors, consultants, volunteers, or other individuals to whom the institution has outsourced institutional services or functions (such as ed tech providers). While current regulations specify that this exception only applies if the outside party is under the “direct control” of the institution, will not disclose the information to any other party without prior consent or subject to certain exceptions, and must use the information only for the purpose for which the disclosure was made, the petitioners argue that schools are able to give away records without meaningful data security protections. The current regulations do not specify, for instance, any particular data security safeguards that must be used by schools or outside parties to protect education records against unauthorized disclosure, nor do they require institutions or outside parties to issue breach notifications.
The Department of Education has not yet responded to the petition. The petition can be viewed at http://tinyurl.com/j4jgeo3.
This article appears in the Summer 2016 edition of Saul Ewing’s Higher Education Highlights newsletter.