The Department of Education took an important step towards helping schools understand how to follow student privacy law today, releasing a set of frequently asked questions about the Family Educational Rights and Privacy Act, or FERPA.
FERPA is the federal law that prohibits recipients of Title III education funding (that is, more or less all K-12 institutions and nearly all universities, public or private) from disclosing personally identifiable information contained in education records. There’s an exception for “directory information,” and information in the possession of a campus law enforcement unit typically isn’t considered an “education record.”
The FAQ, titled School Resource Officers, School Law Enforcement Units, and FERPA, has more than 30 questions and answers about the overlap between a school’s obligations under privacy and safety laws. It doesn’t represent new guidance, but instead consolidates material from old policy letters, responses to official comments, and guidance documents in a single place.
In its press release, the Department says it decided to issue the FAQ after a December report on school safety found that school officials were confused about how FERPA’s privacy obligations interact with the need to maintain a safe campus. FIRE has seen that conflict in practice, time and time again. For example:
- In 2013, Oklahoma State University declined to inform law enforcement about multiple sexual assault reports, arguing that FERPA prevented them from doing so. FERPA has exceptions that permit disclosure when there’s an ongoing threat to campus. Questions 10, 27, and 28 of the FAQ explain how this works.
- In 2017, Central Connecticut State University withheld law enforcement records from a student accused of threatening speech, citing FERPA. As the FAQ reiterates in questions 18 and 19, records of law enforcement units are not protected by FERPA, and besides, as question 4 explains, students have the right to inspect their records, even if it was a FERPA record.
- Crime isn’t the only safety issue that can be complicated by a misunderstanding of privacy law. In 2017, East Tennessee State University refused to release athlete concussion statistics, citing FERPA. As the new FAQ reiterates in question 8, these statistics would not be considered “personally identifiable information.”
Where the guidance might be most useful is its careful explanation of how threat assessment teams must handle student information. The FAQ explains that, while teams under the direct control of an institution that perform a school function may be given student information, that team has the obligations to limit the use of that information to the purpose of its disclosure and to not further disclose it. That means the threat assessment team can’t disclose that information to law enforcement, or permit it to be used in a law enforcement capacity, absent a “health and safety” emergency — even if law enforcement officers serve on the threat assessment team.
Another useful highlight is that the FAQ reiterates that a school official with information about a student obtained from “personal knowledge or observation” can usually share that knowledge without violating FERPA, because FERPA applies only to records. Like the rest of this document, this isn’t a new position, but one that school officials should be reminded about periodically. You’d be surprised how many school administrators think they can’t tell you if they saw someone bring a cat into the dorm.
Not every question in the FAQ has the world’s simplest answer, but any document that attempts to summarize federal regulations is going to be complicated in places. Any student, faculty member, or administrator who interacts with FERPA on a regular basis ought to keep this document close at hand. As we saw above, a lot of questionable invocations of privacy law could have been avoided by a reference to one of the answers this FAQ provides.