Earlier this month Bill Fitzgerald posted a thoughtful piece on potential issues with FERPA’s “Directory Information” exception among the excellent points made were that there is disconnect between what FERPA data that would not generally be considered harmful if released and how if a another organization unintentionally released this type of data (name, email, address, height, weight) the average person might consider that a data breach.
Like anything related to FERPA, there is always more to say, and I thought I would add a few thoughts.
1) There is a lot of confusion around what “opt-out” means. Schools are required to notify parents of their FEPRA policies annual and give them the opportunity to opt out. I have seen some cases where parents assumed that this meant that they were opting out of school sending their child’s data to ANY 3rd party under other FERPA exceptions. This is not the case, directory information is a relatively useless exception for creating student accounts, one because parents can opt out and two because of the next point.
2) Schools can’t use the directory information exception to create student accounts in a 3rd party service. I have heard people say that “it is OK to use X service, we are sending them an excel file with just directory information so they can create student account.” Once the students log in they will be creating “education records” so you’d better be thinking about the “School Official” exception instead.
3) Lastly, I think that that the objections to directory information come when parents are unclear about who the information can be shared with, or that it could be used for non-school purposes such as marketing. There is a path within FERPA for a more privacy-friendly approach to directory information and it is called limited directory information. The looking at the 2011 Federal register final rule changes to FERPA there is a reference to “limited directory information policy” (§ 99.37(d)) The basis for the clarification goes to some of Bill’s points (“concerns about the potential misuse by members of the public of personally identifiable information about students, including potential identity theft.”) and states that
“an educational agency or institution may specify in the public notice it provides to parents and eligible students in attendance provided under § 99.37(a) that disclosure of directory information will be limited to specific parties, for specific purposes, or both.
The full input can be found here
In a cursory internet search this afternoon I found a number of school districts that have adopted this approach for some or all data elements.
- Logan-Rogersville R-VIII School District (restrictions on specific data e.g. email)
- VAIL UNIFIED SCHOOL DISTRICT (limitation to promoting school programs and similar purposes)
- Fairbanks North Star Borough School District
This says to me that there is an opportunity (and a need) for schools to better understand how to provide more clear and privacy friendly choices to parents within existing FERPA rules.