The University of Kentucky (UK) can withhold records related to the sexual assault claims made against a former professor under student privacy law, a judge ruled Monday—but the judge’s ruling doesn’t make sense under the law it cites.
The records in question relate to university investigations of former Associate Professor of Entomology James Harwood, who resigned last February during a Title IX investigation into his conduct.
Student newspaper The Kentucky Kernel had enough information from confidential sources to request records about the allegations against Harwood in January and April under Kentucky’s Open Records Act. The university refused to turn over most of the records, saying the documents were “privileged,” “preliminary,” and “of a personal nature.”
Under state law, the state attorney general is entitled to confidentially review documents withheld under the Open Records Act to determine if those documents were properly withheld. The Kernel appealed to Kentucky Attorney General Andy Beshear; the university refused to release the records to the attorney general to review.
It was at this stage that the university first invoked the Family Educational Rights and Privacy Act, or FERPA. FERPA prohibits federally funded educational institutions from having a policy or practice of disclosing personally identifiable information from education records; education records are defined as those maintained by an institution that identify a student.
It should have taken about twenty seconds for the university’s attorneys to see that FERPA did not prevent disclosure to the attorney general. FERPA’s regulations do not prevent disclosure to state officials under state statutes adopted after November 19, 1974. The Kentucky statute authorizing attorney general review was enacted in 1976 and last amended in 1994. If you know nothing about privacy law but understand the linear nature of time as we experience it at sub-lightspeed, you should quickly conclude that FERPA doesn’t stand in the way of disclosure to the attorney general here.
Unsurprisingly, Attorney General Beshear ruled against the university in August, saying the records should be released to the paper because the university had failed to meet its burden of proof that the documents were properly withheld. In September, the university took the next procedural step to keep the documents away from the public eye: It sued the Kernel in state court.
The Monday ruling held that no form of the records could ever be redacted enough to suit the court’s tastes:
[T]he size of the graduate program from which these allegations stem is small; the pool of female graduate students in this program is even smaller. When also factoring in that both allegations originated at specific dates and at specific off-campus conferences, the possible identity of a complaining witness becomes even easier to pinpoint. For instance, it would be simple for one to deduce the identities of the complaining witnesses by requesting financial records from the off-campus conferences.
This explanation suggests the absence of familiarity with the underlying law and regulation. For one thing, if the “financial records” detailed expenditures related to an educational activity, those expenditures would also be “education records” that would have names redacted. And maybe more importantly, that isn’t the test the Department of Education has set out.
As the Department explained in its response to comments made in its 2008 regulatory update on FERPA, the standard is whether a reasonable member of the community could identify the redacted information, not a detective:
The standard … was not intended to describe the technological or scientific skill level of a person who would be capable of re-identifying statistical information or redacted records. Rather, it provided the standard an agency or institution should use to determine whether statistical information or a redacted record will identify a student, even though certain identifiers have been removed, because of a well-publicized incident or some other factor known in the community.
Under the court’s reasoning, there can never be an effective method of redacting records, because every record, ultimately, can be correlated with enough external data points to relate to an individual. It shouldn’t be a surprise, then, that the Department of Education doesn’t use this standard; the judge is ultimately proposing a privacy law that more closely resembles Six Degrees of Kevin Bacon than any cognizable legal test.
The fact that the court believes employee discipline records could not be redacted effectively is even more troubling given that, in December, the university’s executive director of public relations offered to release records in a similar case involving UK Professor Buck Ryan:
If Professor Ryan will simply waive his own personal privacy rights, the university will be happy to release the entire investigative file as well as Professor Ryan’s repeated e-mails to the university officials. The university would redact certain portions of the files that would compromise the privacy rights of students. But every record that Professor Ryan claims should be in the open would be. [Emphasis added.]
So either the university offered to violate FERPA (because redaction is impossible) or the ruling doesn’t entirely understand FERPA (because redaction is possible). I assume even the university would agree the latter is the more likely. As the Kernel plans to appeal, the university will have the opportunity to clarify its position.
The case is University of Kentucky vs. The Kernel Press, Inc., 16-CI-003229 (Fayette Ky. Cir. Ct. Jan. 24, 2017).
Update (January 26, 2017): This article was updated to clarify that the Buck Ryan records were not at issue in the Harwood case.
Schools: University of Kentucky