Data Privacy Rules and Ruses

So, just to dive in and start. FERPA is a 40-year old statute passed by Congress in 1974. In the name, you can see, it is both a rights and a privacy statute. It contains within it both an affirmative right of access to one’s own educational records, or to the education records of one’s minor child. Also a concurrent privacy right to not have those very same records shared with the outside world, except for some exceptions, that we’ll talk about.

So much of the confusion about FERPA, and about access to public records comes down to what qualifies under the statute as a confidential education record. The U.S. Supreme Court has had very few occasions to tell us what FERPA means and if you understand why you get to skip the first month of law school, I will tell you. The reason is because when one brings a legal action to obtain public records, that legal action invariably goes to state court, rather than federal court, because that’s where the right arises. The right to access records rises under the New Jersey Freedom of Information law or the Georgia Open Records Act. So therefore, when you’re denied access on the basis of a claim of federal privacy, invariably you end up taking that case to state court, and it’s quite difficult, in fact at times impossible, to get a case from the state courts into the U.S. Supreme Court.

So only on a very small handful of occasions has the court ever had a chance to tell us the boundaries of FERPA. But this case, the Owasso Independent School District v. Falvo case is one of those rare cases and it’s the only one, really, where the Supreme Court has authoritatively told us what it means for something to be a confidential education record. Many of you are probably familiar with the facts of that case, it’s known as the peer-grading case.

This is that mortifying moment in high-school algebra when we’re all required to exchange our quiz papers with the person next to us, who then went through, checked off the wrong answers and shouted out your grade out loud, so that the teacher could record it.

A parent objected to that practice, believing it was a breach of her child’s FERPA statutory rights. The Supreme Court came back and said, ‘No, those quiz papers, as they were sitting on those students’ desks in a classroom, didn’t meet the threshold definition of a confidential education record under federal law and therefore no breach of FERPA occurred.’

In order to be a FERPA record, the Supreme Court told us, two things have to be true. The record has to be maintained in a central place. They indicated something like your file in the front office of a high school or in the Registrar’s office of a college. Someplace where it would all be collected and compiled in a place that corresponds to your name. And the record must directly, and not tangentially, relate to an identifiable student. Those are the two threshold criteria, in order for a record to be confidential under FERPA in the first place. If it doesn’t meet those threshold requirements, than FERPA is off the table and if the record is otherwise disclose-able under state law, then you as a requester should have access to it.

The one and only way in which FERPA can be enforced is by an enforcement action by the U.S. Department of Education, which has the theoretical authority – and I stress theoretical – to completely de-fund the educational institution, if it determines that a breach of FERPA occurred. You can probably guess how many times, in the 40-year history of this statute, the Department of Education has chosen the nuclear option and to put an education institution out of business because it honored a public record’s request. The answer is 0.

In fact, the Department has its own internal regulations saying that it will not de-fund an institution, unless the institution is notified that it committed a violation, put on a plan of correction and refuses to abide by the plan of correction. So, as a practical matter, what happens if your institution violates FERPA? You get a nasty letter from the U.S. Department of Education, and you’re told not to do it again. As long as you don’t tell the Department of Education that you refuse, nothing else happens to you.

So there’s quite a lot of sky is falling rhetoric out there, about what the consequences are of a FERPA violation, but it’s important to know that in reality the way that FERPA is enforced, is by a warning letter first, from the Department of Ed. And in fact we’re not aware of a single documented instance of someone even getting as far as the warning letter, let alone the nuclear option.

The gap between what FERPA genuinely covers and what school and college attorney guys will tell you what it covers can be quite vast. Despite the guidance from the U.S. Department of Education, we at the Student Press Law Center and journalists around the country, have been told that everything from the results of a high-school swimming meet, to the video tape of a high-school football game, video tapes of college student government meetings, the names of individuals who sit on college disciplinary boards- You name it, there’s a chance that a school or college has classified it as a confidential FERPA record.

This is how we know that’s wrong. The U.S. Department of Education actually said as much, when they appeared in the Falvo case, in 2002, at the Supreme Court. The U.S. Department of Education urged against a finding that the quiz papers were FERPA records, in other words it took a rather conservative view of the scope of what FERPA covers. It did so for this reason: Because once a record is classified as a confidential FERPA record, then a series of obligations is triggered on the part of the educational institution. Remember the rights parts of FERPA. Once a record is classified as a confidential FERPA record, then these things happen: The student or the student’s parents – if the student is a minor child – have an absolute right to inspect that record, and to insert any material that keeps the record from being incomplete or misleading. If the school refuses to do that, then there is a right to have an administrative hearing, in front of an administrative hearing officer, to advance that right of correction. And the record itself has to contain a notification of anyone who has requested access to that record.

You see this lovely illustration accompanying this for a reason, because Columbia University actually tried to tell college journalists that graffiti written on a bathroom wall qualified as a confidential education record, because someone scrawled on a bathroom wall the names of people who the writer believed had been found guilty of committing sexual violence in the college’s confidential disciplinary proceedings. So the college tried to tell student journalists, ‘You may not publish this bathroom wall graffiti, because the bathroom wall graffiti would violate FERPA.’ Your common sense and your understanding of this statute now, tells you, that if that is true, and if Columbia wants to classify the bathroom wall as a confidential education record, then they’ve got to give the student a right to append corrective graffiti on to the end of it, and you can see the absurdity of that categorization.

So I see we have a question coming in, about whether the minor, him or herself, may request access to the file. The answer is that only the parent can do so, if you have a minor child. The right actually devolves to the child, if the child leaves high-school and goes to college – so there are some 17 year olds in college – and once the child goes to college at aged 17, then that right travels with them and the parents no longer have access to those records, no longer have the ability to demand the corrections. So yeah, it’s sort of a binary system. Either the child has it, or the parent has it.

Zinshteyn: Frank, I have a follow-up question. A student has the absolute right to inspect and insert corrective material. What are the safeguards in preventing a student from changing, say, their official scores, their official grades? Can a student just approach a FERPA-designated file and instruct the school to give him or her a B, rather than a C?

LoMonte: Sure, that’s really creative and now I’m really sorry I didn’t try that when I was a kid.

The answer is that’s really what that hearing process is for, and again, we’re not aware of this being used much, if at all. It’s a very obscure process and I would venture to say that it’s a rare family that knows that this exists and is motivated to take advantage of it. But that’s what that hearing process is about, in other words, if it’s a frivolous request, if it’s an unfounded request, then the school has the ability, through that hearing process, to deny the correction. There’s not an absolute right to re-write one’s own grades, or erase disciplinary events off of one’s history. So it’s only if, after the neutral arbiter, were to find that, yes, I do find that this record is deceptive or incomplete, without this correction, then the right attaches.

So why does this matter? There’s a sense, I think, among a lot of people in the college and university community that the broad strike zone of FERPA confidentiality is the right judgment. That once you let the confidential information out, it’s out, and people can be harmed by the needless curiosity seeking into their confidential records, and all of that is probably true, I’m not unsympathetic to that. But, and maybe some of you on this call have got your own stories like this, we see, from time to time, that there are real consequences to the overuse of FERPA. At times, really quite drastic consequences, that impinge on public safety.

There’s a screenshot that you’re looking at from Oklahoma State University. This is probably the most extreme case of FERPA gone wild. Where at Oklahoma State University the university became aware through multiple disciplinary cases that they had a student on campus who was committing sex offenses against young men on campus in his fraternity. This student was given suspension from college, but it was all done in a confidential, closed door procedure. Not even the campus police or the local police were made aware that this individual was at large on campus, or in the community.

Only when one of the complainants alerted a student journalist at the college campus newspaper, did the police become aware and of course were furious to know that there was a potentially dangerous felon on the loose on campus, about which they hadn’t been made aware. Retroactively, the institution did convene an investigation and did correctly conclude that there are public safety exemptions in FERPA, of which the Department of Education has reminded colleges many times, including in the aftermath of [the Virginia Tech shootings], that allow for disclosure even of identifiable, confidential student data, when there is a threat to public safety and the disclosure is necessary, to abate that threat. So clearly, in that case, where we have somebody who is confirmed to have committed multiple violent crimes, disclosure to the police would in no way have violated FERPA. So there are real consequences here, to the over-use and the over compliance problem, with FERPA.

Here’s what we can say for sure is not within the scope of FERPA confidentiality, because the statute tells us so. Congress has amended FERPA several times since the 1970s, once to clarify that if a record is created for law enforcement purposes — and note that that doesn’t say ‘police’, it says ‘law enforcement’, so even a record created by a campus security agency, by people who are just security guards and not full-fledged police officers, would qualify as a record created for law enforcement purposes — that’s not a FERPA record at all. So FERPA is never a valid reason to withhold or redact information from a campus police report, although many people are getting those reports back with a bunch of Swiss cheese holes punched in them with a magic marker. That’s not a valid use of FERPA.

Likewise, and this is becoming of increasing importance, because of the scrutiny of the campus disciplinary process where sexual assaults are involved. If the campus disciplinary body reaches a conclusion that the person committed an offense that would equate to a crime of violence had that occurred outside the confines of a college campus – so an aggravated assault, a rape, an arson, certainly attempted murder, any of those violent crimes, nothing about that outcome, including the name of the individual, is covered by FERPA anymore if at the end of that process there is a verdict of ‘responsible’ by the disciplinary panel.

Therefore, it should be theoretically possible to go to a college in Ohio, or Michigan or New Jersey and serve them with an open records request and say, ‘I want to see all of your outcomes of disciplinary proceedings where somebody’s been found responsible for a crime of violence of a sex crime,’ and to get a complete response. I say theoretically, because good luck trying that. That exception is not widely known about and even where it’s known, it’s widely dishonored. But it is there, and you should be aware that that’s your right.

Finally, and I really want to emphasize this. The Department, which is the enforcement authority, has drawn a distinction between the record and just plain old information. FERPA is really about the protection of the integrity of the records. Which is to say that if somebody knows something, from personal knowledge, or personal observation, then the disclosure of that is not a breach of FERPA, as long as they’re not reading it to you, out of a confidential education record.

An example of where this might come up: There’s some sort of a violent crime in a school, sort of a tragedy in a school. You as a journalist show up, and you want to interview some of the teachers. And you want to ask the teacher about her recollections of Johnny, and the teacher wants to say, ‘Oh, Johnny, model student, wonderful kid, always put his hand up and volunteered in class. Was the class clown, always told jokes and cracked people up.’ Whatever she wants to say about Johnny, as long as she’s not reading you his report cards, none of those personal observations or reflections is covered by FERPA. The disclosure of any of those observations would not implicate FERPA privacy.

Somebody has a question about law enforcement records. If there is a school resource officer who compiles incident reports about things that might be crimes, for law enforcement purposes, then those are public records and not withhold-able on the grounds of FERPA. Now, I should add two caveats to all of this.

Caveat number one, is that there is sometimes a blurry line, especially at K-12, between records created for law enforcement purposes, or ones that are created for disciplinary purposes. I honestly haven’t seen this litigated yet, where you have a uniformed police officer who’s got a badge and a gun and is writing things down in a narrative form that goes in a report, that’s shared with the police department. To me, that’s quite clearly a law enforcement record, even if it is also used by the disciplinary authorities. I think different people will make that judgment call differently, but the statute doesn’t say that the record must be used exclusively for law enforcement purposes. So we’re pretty sure that that type of a report should be accessible as a public record.

The second caveat is that there are sometimes state confidentiality laws that will come into play here. So many agencies are empowered under state law to make judgment about the release of things that would constitute – and this is the term of art that appears in a lot of state open records acts – a clearly unwarranted invasion of personal privacy. That appears in the federal information act requests and in a lot of state information act requests. So that, for example, it really might be a legitimate judgment call, under a state open records act, to give you that campus police report, with the name and home address of the rape victim blacked out on the grounds of that state personal privacy exemption. It’s not a valid use of FERPA but it might be a defensible judgment call under a state privacy exemption.

Here’s what we’re pretty sure it doesn’t cover, because we’ve got some court rulings that are from lower courts, not the Supreme Court, and so it’s dangerous to generalize from those. But these are some recent interpretations of FERPA that we think, frankly, are very common sense ones that comport with the common understanding of Congress’ intent.

I’m not going to discuss all these cases in great detail, I want to save some time at the end for questions, but the one case, Matthew Heller vs. Safford Unified School District case deserves mention only because of the audacious use of FERPA in that case.

Some of you will remember when the U.S. Supreme Court decided the Savannah Redding case. This was the case deciding that a school over-reached in strip-searching a young girl for a non-prescription pain killer that she was believed to be concealing inside of her bra. They humiliatingly made her undress in an administrator’s office, with the school resource officer looking on. Her parents sued on the grounds of 4th Amendment violation and the Supreme Court said, ‘Yes. The school went too far.’ In that situation, where the drug wasn’t especially dangerous, and the tip wasn’t especially reliable and indeed, she didn’t have the drug at all, that that was an over-reach under the 4th Amendment.

Well the case goes back to the state court, where there’s then a financial settlement entered into, between the family and the school district. When the local news media wants to see the terms of the settlement, wants to see how much money changed hands from the school district, in order to know how much the taxpayers were dinged for this over-reach by school authorities, the school then decided that although they did not believe children had privacy rights in their own underwear, that they did have privacy rights in terms of six-figure financial settlements paid by the taxpayers. They lost that one, too. A trial court in Arizona made short work of the FERPA argument and said, ‘No, that’s a public record, this is not an education record in which there is a privacy interest.’

There’s actually an ongoing court case in Florida right now about a student newspaper at the University of Central Florida. The paper tried to get records of the campus disciplinary proceedings involving Greek houses, and were told those records of disciplinary cases against Greek houses were confidential under FERPA.

Two things to remember there. One, is that FERPA only applies to records that either identify a particular student, or are readily and easily identifiable. So, it’s conceivable, on a case-by-case basis, that let’s say that the public record says, the President and Vice-President of the fraternity were found guilty of hazing. Well, even without names, it’s very easily link-able to those individuals, one can readily find out who the President and Vice-President are and so that’s probably, in that specific instance, a valid use of FERPA confidentiality.

The second thing, though, is that once names, and other identifiers, like addresses, or socials, are removed from a record, it ceases to be a FERPA record. This is one of the biggest problems we encounter with educational institutions, including in this case at UCF, that many of them regard FERPA as an all or nothing characterization, where if one bit of student information appears in a document, then the entire document is withheld. There are a number of court cases – there was one in Florida, against Florida State University, there was one in Montana, against a school district in Montana – where the courts have said no. The courts have said that if you can effectively redact the identifying information out, then under state law it’s your obligation to produce the rest.

If the student, as an adult, or as a child, the student’s parents, wish to cooperate in the story, they are assisting you in the story, then they absolutely can execute a written waiver of their FERPA confidentiality. Once they execute that waiver, then FERPA should be off the table and if the record is otherwise a matter of public record, then the district ought not be able to rely on FERPA in withholding it from you.

By the way, since they have an absolute right to obtain their own records, you can also follow that step. You can just have them make the request and just slip it to you. We’ve certainly seen people successfully use that tactic.

From time to time, the Education Department will clarify or reinterpret how it understands FERPA and it did so in 2011, with changes that took effect in January of 2012. This became quite controversial, and it became sort of the ‘match that lit the fire’ for the state data privacy movement that we’re seeing right now. In the 2011 rule-making, the Department put in a new interpretive gloss on who could access FERPA records other than the educational institution itself.

It was always understood that a school could share student data with somebody like, let’s say, a state auditing agency. If the State Auditor General showed up and said, ‘we think you have some phantom kids on the books here, who aren’t really going to school, and we need to see your attendance rolls, so that we can audit you and make sure that you’re not milking the state for students that you don’t really have,‘ that was always a recognized exception and that there was no FERPA violation in doing that. The Department brought in this idea of who is an authorized person that could look at FERPA data for auditing or compliance purposes, and it included private, as well as public actors. Many of you recognize the inBloom company, which imploded recently, was going to be one of these 3rd parties that analyzed data for purposes of compliance with the Common Core standards. But there was so much backlash about the sharing of data with a non-governmental actor like this, that states began withdrawing their cooperation and then inBloom finally had to shut down.

So in some people’s minds, this gave liberalized access to data, in ways that they weren’t especially comfortable with, and this resulted in a number of proposals, including the one that senators Ed Markey from Massachusetts, and Orrin Hatch of Utah floated recently, in draft form. Their bill is called the Protecting Student Privacy Act of 2014.

Essentially what it does, is, there are safeguards right now, in FERPA, when records are shared with an outside 3rd party. Essentially, if the outside 3rd party slips up and makes a disclosure of those records, either accidentally or on purpose, then that contractor is banned from receiving any more education records for a period of five years. So, you can see where, if that’s your line of business, that could be fatal to your business.

But that’s the only stick that is held over that outside 3rd party. The Markey-Hatch bill is an attempt to clarify the limits and the use of student data by these outside 3rd parties. It specifically, in so many words, says that schools and colleges cannot release data for sales or marketing, and it makes these 3rd party entities give all the same rights to students and parents, as the school itself would. So, in other words, if ACME Corporation has my student data for some evaluative purpose, I, as a student or a parent, should this bill become law, be able to go to ACME Corp and say, ‘I would like to inspect the records that you, ACME Corp, have about me,’ and they would have the absolute obligation to do so.

There is a portion of this draft that, to us, is probably unintentional, but scary nonetheless, that removes the one limiting factor in FERPA that has kept schools and colleges from completely running wild with it. That FERPA applies only to records that can be categorized as education records. This bill (The Markey-Hatch bill) re-writes the definition of FERPA, so that it would apply to all information held by schools or colleges, not just that contained in an education record.

So, my example of the Redding case, where there was a court settlement, that would clearly not be an education record under the legal definition, but it would certainly be a piece of information about a student that was held by a school. And so you can see where, should that language make its way into the bill and become law, and it’s a long, long way from doing that, that it could choke off even more accessibility to student information.

States are starting to get into the data privacy business in a big way. There have always been state statutes on the books, that apply some duty of confidentiality to student records. What’s most common is that in a state open records act, you might see FERPA actually referenced, you might see education records actually referenced. Or, you might just see a reference that says, ‘You have a duty under the State’s Open Records Act not to release information that is affirmatively made confidential by federal law.’

So those already existed on the books, in almost every state. ALEC, the conservative legislative group that is so influential at the state level, has decided that it wants to go further. That it wants to put affirmative limits on the ability of state educational institutions to transfer student data to anybody other than the institution itself. It actually prevents districts from sending certain information up to the state level, so that if the district gathers certain information about a student’s religious or political beliefs, or gathers a social security number, those things couldn’t be transferred to a state education department, they have to remain within the institution. The institutions would be audited periodically, to make sure that they have FERPA compliance policies and they’re abiding by them.

So theoretically at least, we’ll have to see how this plays out, because Oklahoma was the first to enact this. This may put some more teeth into student privacy, which right now, since Congress has never fined or sanctioned anybody, is relatively toothless. So, we’ll have to see how this plays out. There’s nothing in the ALEC model legislation, or in the iterations that we’ve seen in the half a dozen states that have enacted variations of it, that directly goes to the ability of a journalist, or a public requester, to get public records. So there’s nothing that looks like a four-alarm fire for those of us that are in the transparency business.

But every one of those bills needs to be watched. There was an attempt to do this in Arizona a couple of years ago to create a state level FERPA, but with more teeth in it. Arizona wound up taking the penalties out, but there was a time when it looked like they were going to pass their own state-level FERPA bill that would actually have penalties, that unlike the federal one, would be used. Of course that would make institutions even more reluctant to cooperate with you as journalists than they are already, today.

I’m not going to talk in detail about these, because I want to move us on and make sure we get to Clery, but there have been a couple of pieces of litigation in this area, most notably the Electronic Privacy Information Center. EPIC took the Department of Education to court after the most recent rule-making, saying that by expanding the universe of people who could get access to student data, that they had gone beyond their congressionally mandated authority. The federal court never reached the merits of whether that was true or not, because the federal court decided that EPIC, as an outside organization, didn’t have standing to mount this claim. They couldn’t show that their interests were sufficiently injured by that rule-making, and so the case wound up getting dismissed on a threshold procedural ground, without ever reaching whether the department’s regulations were authorized or not. So that issue is still floating out there, but it won’t be EPIC that brings it, it looks like.

I want to switch, for just a couple of minutes, to talk about the Clery Act, because this is the other piece of federal legislation that comes into play when journalists are trying to get information from schools and colleges. Unlike FERPA, the Clery act is an affirmative disclosure right. It is a right of the public to know what is going on, on college campuses, where crime and discipline are concerned.

First, that every institution, at its office of public safety, and again it doesn’t need to be a police department, it can just be the campus security office, must maintain, on site, a log that describes the what, the where and the when of each crime, to which campus security or police, are alerted. Note that it will not generally say the who, but it will generally say the what, the where and the when. So you’ll at least get a description like, burglary of a vehicle, corner of Maine and 13th, Saturday night, 10pm.

That might be all you get, but that’s at least the starting point for your reporting. Those have to be kept up to date, at least within 48 hours, they have to be kept onsite for immediate inspection, 60 days’ worth, and they have to be able to go back, within two business days and retrieve the remaining ones

By the way, these only have to be onsite, unfortunately, for inspection during 9 a.m. to 5 p.m., Monday to Friday, business hours, so the Clery Act is not going to entitle you to show up on a Saturday night and say, I want to see the write-up for a crime that happened Saturday afternoon.

The big one, for journalists, and this is coming under increasing scrutiny, are these annual security reports. This is the snapshot of the crime that happened for the previous 12 month period. Now these are mostly of historical usefulness and historical curiosity, because by the time you get them, in October of each year, the data is already 10 months old. What you’ll get each fall is a snapshot that looks at the previous calendar year’s worth of serious crimes. These will not be the bicycle theft, these will not be the littering tickets. These are the crimes that are serious property crimes, like burglary or robbery, or violent crimes, like aggravated assault, or sexual assault.

The agency needs to be reporting a rolling three years’ worth of numbers of these crimes, of which the institution is notified. We get into, for a minute at the end, what goes into that universe of what needs to be reported, because we’re finding there’s a lot of slip between cup and lip there. There’s quite a gap between what institution either accidentally-on-purpose understand their obligation to be, and what the law actually says.

The last requirement is, and this is one that came into very sharp focus after the horrible shootings at Virginia Tech, that there is a requirement to give either a timely, or, if it’s really an imminent threat, an immediate warning, to the entire campus community, if there is a physical threat to safety. That could be a criminal, but it could also be a tornado. This is why students get text messages now, that seems to be the preferred method, anytime that there’s either a shooter on the loose, or there’s a natural disaster, fire or something of that nature.

If you are examining your institution’s annual campus security report, and the numbers look too good to be true, there’s every chance that they are. There is quite a lot of confusion and misunderstanding about what belongs in those crime statistics.

Well, first of all, this is a legitimate one. You’re going to find that the numbers omit things that happened off of the physical premises of the campus and so for many of you, the sex crimes in particular often happen in apartment complexes, or in Greek houses, that are in the periphery of the campus. But if it’s not actually a building that’s owned or controlled by the institution, then there’s no obligation to include that in the statistics.

So clearly, this is not a commentary on how safe it is to go to a particular school, and it would be dangerous to generalize that. It’s only a commentary on your physical safety when you’re on the premises of the campus.

Many institutions don’t have a good idea of who is who is not obligated to make a report. Many of them seem to limit themselves to reports that were made to a uniformed campus police officer and that were treated as a crime. Of course, as we’re coming to understand, that is the proverbial tip of the iceberg. Many things that would constitute a crime, if they happened anywhere other than a campus of a college, wind up being handled by civilian disciplinary authorities, and often, as in the case of Oklahoma State, not even mentioned to the police, at all. Well, even if a person in the Dean of Students, or the campus housing authority, or student life, or the athletic department, learns that a woman was sexually assaulted or a guy got beaten up at a party on campus, that’s still a Clery crime, and that still counts. And that number should be in the annual statistics. We think that there is every chance that those are not getting in there, and some people are going back and asking understandable questions about the veracity of the numbers.

Lastly, it’s also the obligation of the campus security authorities to make sure that if they have shared jurisdiction with the city or county police authority, that also patrols on campus, that they are getting the numbers from them. So if you’re at Emory University, and you’re in Atlanta, and you know that the city police department comes on to the campus of Emory and routinely responds to police calls and makes arrests on your campus, then your duty to report doesn’t stop with what’s in your own records. It also includes picking up that telephone, or writing a letter, or making sure that you’ve got the crimes to which your Atlanta Police Department responded as well.

Zinshteyn: If you can’t get the information via Clery, can FERPA play a role in acquiring the information that you’re seeking as a journalist? Because it’s still happening to a student who’s enrolled, even if the student incident happened off campus.

LoMonte: It’s going to be a situation by situation call, depending on, for one thing, whether law enforcement agencies other than the campus disciplinary authorities got involved, right? We always encourage people to try and consult local law enforcement and see whether there’s not an ability to get records there. They’re often more forthcoming and less secretive about what’s going on on campus, so that’s a big one. But FERPA doesn’t, in and of itself, contain any affirmative disclosure requirements whatsoever. The Department of Education is very fond of telling people that FERPA is not a disclosure statute, it’s not an access statute, it’s a privacy statute, so there are certain workarounds that one could try, including, as the students tried to do at the University of Central Florida- and I think they’ll win their case, ultimately – to try to get de-identified records. Let’s use your fraternity house example. There’s a serious criminal down at an off-campus fraternity house, so it doesn’t show up in the annual statistics. Nor did the campus police respond to it, because it was off their premises, it still may be the case that you could get de-identified records, without student names, from your Dean of Students’ office, or whoever it was who responded. That’s always worth a try.

One person asked about online and mobile apps inside of the classroom. So, answer number one to this is that anything I say about Web 2.0 technology is going to have a giant disclaimer on it because the courts have not had much opportunities to speak to this. So we just have to make our best guess, from what the courts have told us in the past. There’s a lot of fear out there, and we encounter this all the time.

Georgia Tech, at one point, was telling students it was pulling down Wikis to which students had contributed as part of a class assignment, because they were afraid that these Wikis were themselves a breach of FERPA. Their thinking: Because a student was doing the work as part of their class-work and by jointly posting that to a publicly accessible site, a FERPA violation had incurred. That’s pretty dopey, for a lot of reasons, including that the Supreme Court told us that a quiz paper sitting on a student’s desk is not a FERPA record and so it certainly doesn’t seem like digitizing that should change the rule. Nor, once the student has himself shared that, is that a disclosure by or on behalf of the educational institution, so that’s probably not right. And I’d be happy to answer questions off line, my email is director@splc.org, if there are specific questions.

But I think the rule for any kind of student created content is going to be the Owasso rule that the Supreme Court told us. That if it is just a piece of student-created content and it’s not something that has been filed away in a central location, then the disclosure of that content (something that a student does, as part of a class project, or class assignment that’s posted on the web) is not a breach of FERPA.

This is one where I think the law actually winds up aligning with our common sense. It’s not always true, but in this case I think it does. I mean, for years and years, as long as there’s been art classes in school, people have been hanging up student artwork that’s signed by the student, in public places. Nobody thought to get a FERPA waiver for that, because that would seem ridiculous, hanging that up in a public place was somehow a disclosure of your classwork.

The only place I think it would get dicey, obviously, is if you’re actually, literally starting to put evaluative information on the web. It’s one thing to put the Wiki, created by the students, on the web, but if the teacher is then writing in the margin about what grade Johnny should receive for the Wiki, then that would get a little dicey. But that’s not my understanding of the way people are using that technology.

If that didn’t answer the question, fire me off an email to director@splc.org and I’ll take a better shot at it.

The Columbus Dispatch had a great story recently about the fact that their state Department of Education will not let you know the number of guns that were brought into school in any given year, if in the school district, the number was five or fewer. Because it is their view that disclosing that number somehow is giving away a piece of confidential information, because the number might be traceable back to an individual.

Well, that’s really dopey, too. That makes no sense at all, and some day someone will take that to court. Let’s use the hypotheticals. Suppose in the Columbus schools, there’s been one gun incident in calendar 2013. You ask for that number, the Columbus school district gives you the number one. You happen to know, because there was a story about Johnny Williams being arrested for a shooting at the school, you happen to know that that must be Johnny Williams. What has that number given away, that you didn’t already know? Nothing. The fact that that one might be traceable to Johnny Williams in no way has breached a confidence.

This is one of the flaws with the FERPA statute, and why it’s so badly in need of being re-written, is that there is nothing in the statute that actually says that it applies only to the information that’s actually confidential, or not already widespread public knowledge. That’s why it’s at least possible for a school, like the one in Buffalo, New York, to look people in the eye with a straight face and say, ‘Yes, we shot a video of this high school football game, which took place in front of a stadium full of people, all of whom had their own cameras and their own video devices, and yet, as soon as we finished shooting the video, it became a confidential education record and you can’t have it.’ That’s something that Congress desperately needs to address, or if not them, the U.S. Department of Education.

So it’s a situational judgment call based on the size of the community and the number of incidences, but the Department has been unhelpfully opaque there.

Here’s a question about special-ed students, the question comes up, what can and can’t be disclosed about the special-ed status of a student? This is a matter that does implicate both federal and state law. It, to our knowledge, hasn’t been litigated, but there’s a pretty strong confidentiality argument that If you go in and you say, ‘I’m writing a profile on Johnny Williams and I want to know is Johnny Williams enrolled in special ed,’ that without a parental waiver they’re not going to be able to confirm that. Nor could you go in with a public records request and say ‘I’d like, by name, the roll of all of the students who are special-ed students.’ Both under federal privacy law and under state open record acts that allow for the withholding of information, that would be an invasion of personal privacy.

There’re a lot of school attorneys, I think probably with justification, who would believe that your special-ed status falls into that category of something that would be sufficiently embarrassing that the schools have good grounds to withhold that. On the other hand the Department of Education has said that just allowing a visitor to come into a classroom, and sit in on a class, is not a violation of FERPA. This came up because there were many schools that were having parental volunteers come in, or just interested parents, who wanted to make sure that Johnny was getting a good education, and want to sit in the back of the class. The question actually was posed to the department: Well, look, if I let mom sit in on the back of the class, she’s going to see all the other kids writing their schoolwork on the blackboard, and she’s going to hear them discussing matters linked to their academic performance, and we just breach FERPA by letting Mom sit there.

And the answer was no. Going back to the Department’s very sensible understanding that FERPA is about the secrecy of the records and not of the information. It really couldn’t be otherwise, right? I mean, it really couldn’t be otherwise, given the number of people who visit in and out of classes, it would be practically unenforceable to say that every time you let a mom or a guest speaker come into the classroom, that you’ve now violated FERPA. Or that person is now covered by the cone of silence and has to go shred his notes as soon as he walks out of the classroom.

Just as a matter of statutory interpretation and common sense, the Department hasn’t taken that position. So all that is to say, if you were to go into a class as an invited visitor, a journalist, to go in there and observe the class, and the class was plainly and visibly a special-ed class, then I’m not real sure that there’d be any impediment to the publication of that information. But then that just gets into a matter of ethical judgment and discretion. Do we, without parental sign-offs, ‘out’ somebody as being a special-ed kid, and I think a lot of people make the judgment call that they ought not.

Zinshteyn: Is it just educational institutions that are beholden to FERPA? So, for example, say a student hacker gets a copy of identifiable data for all her peers and shares it with a reporter. What happens? Can the reporter rely on that information, print that information, or is this an ethical call, and less a legal call?

LoMonte: Yeah. That’s such a great question because many people run into this, right, there’s this lay person’s understanding, that does not comport with legal reality, that children are supposed to be invisible. We run into this all the time, that people think somehow, that there is some special privacy law that applies to children, and that nothing may be said, or published, or god knows, photographs or videos, about children, without written parental consent. Many otherwise well-educated people are walking around with that belief, and the answer is that there’s really not this free-floating, children’s privacy obligation out there.

So the hacker is an interesting one, or even some private business: You go into Chick Fillet, with your straight A report card, to go get your free chicken nuggets. Is Chick Fillet now in possession of FERPA information and subject to being sanctioned, if one cashier shows the report card to the next cashier? No. Why? Because the only sanction for violating FERPA is the withdrawal of your federal education money. If Chick Fillet is getting federal education money, that’s a great story, but I think not, nor is the hacker.

So since there’s no hammer over any of those entities, then they’re only covered by whatever sort of common law of privacy attaches in your state, and then that just becomes a matter of common law privacy. Your example is wonderful, because it also, there’s a bonus legal point in there. Which is the Supreme Court has told us that as long as you aren’t the person who did the hacking, as the news organization, that even if you know that these are the product of hacking, then as long as you didn’t participate in or solicit the illegality, then that’s your information, fair and square. You have a constitutional right to use it, but then state privacy laws and just matters of ethics and judgment would come into play and certainly, I think most people would never as a journalist see any journalistically sound reason to print report cards in the paper, even if they got them from a hacker.

LoMonte: Sunlight Foundation, of course, is a great one. If you’re not using their resources like Scout, which is a way that you can set, pre-program searches for key words on state legislation and on court cases, that’s free of charge. It’s a really wonderful service.

There’s an organization called the National Conference of State Legislatures, NCSL, that does a pretty good job of tracking trans and state legislation and has a website, ncsl.org, where you can look up different subjects. They don’t actually, yet, have a page dedicated to student data privacy. They have one about social media privacy, which is a trend that we’re seeing going on in a lot of states now, where states are telling schools and colleges that they can’t demand the password and log-in information for people’s social media accounts. Which, terrifyingly, apparently was happening, until some states got wise to it and started shutting it down.