All through the contentious debate about whether President Barack Obama should release his sealed college transcripts, most Americans have at least taken solace that their educational records are protected, too.
But think again if you believe they are, critics are saying.
Since its enactment in 1974, the Family Educational Rights and Privacy Act has protected most of the personally identifiable information in college students’ educational records, but a rule change this past January threatens the integrity of those records, these critics say.
The Obama administration defends the modifications, saying they were necessary for educational reform and accountability.
The act itself prevents disclosure to school officials of most personally identifiable information in a record, unless the student gives written consent, except in limited circumstances. In the past, when information was released without consent, only a school official with a “legitimate educational interest,” or an employee or contractor directly supervised by that official, could have access to the personal information, and in most cases could not redisclose such information.
Now the definition of “school official” has been broadly expanded. Here’s how one college explained it earlier this year in its notification of privacy rights:
“A school official is a person employed by the College in an administrative, supervisory, academic or research, or support staff position (including law enforcement unit personnel and health staff); a person or company with whom the College has contracted (such as an attorney, auditor, or collection agent); a person serving on the Board of Trustees; or a student serving on an official committee, such as a disciplinary or grievance committee, or assisting another school official in performing his or her tasks.”
That last provision would seem to allow any student access to another student’s personal information, even those merely volunteering assistance to school officials in an unofficial capacity.
Some of the most vocal criticism of the rule has come from the American Association of Collegiate Registrars and Admissions Officers, a nonprofit association of more than 2,600 institutions of higher education and more than 10,000 campus enrollment officials.
The association outlined its own serious concerns in a May 2011 letter to the U.S. Department of Education in response to the notice of proposed rulemaking. Its members serve as custodians of educational records for current and former students.
For one thing, wrote Jerome Sullivan, the executive director of the AACRAO, the proposed changes represented a wholesale repudiation of fair information practices. Well-settled principles of notice, consent, access, participation, data minimization, and data retention were all undermined by the proposal’s new paradigm, Sullivan stated.
What’s more, he asserted, the regulations were overwhelmingly influenced by the single-issue lobbying of a well-financed campaign to promote a “data free-for-all” in the name of educational reform.
“Lost in the frenzied rush to do good with other people’s education data is FERPA’s underlying purpose,” Sullivan wrote.
Sullivan also raised the same charge that critics of other Obama administration regulations have made – their implementation by fiat rather than by proper legislative action.
“Finally, most of the radical changes proposed by the Department require legislative amendments to FERPA, and the Department lacks legal authority to implement them through regulatory action,” he wrote. “As our section-by-section analysis and commentary below indicates, the Department seems to grasp at straws and appears to be manufacturing statutory authority out of thin air to justify these changes, several of which clearly conflict with congressional intent.”
Sullivan’s letter then went to the heart of the matter: disclosure of personal information without consent to “authorized representatives” of state educational authorities and others, and restrictions on any subsequent redisclosure by those representatives.
Redisclosure of information obtained by “authorized representatives” of state educational agencies, Sullivan pointed out, may not occur except “when collection of personally identifiable information is specifically authorized by Federal law,” and “any data collected by such officials shall be protected in a manner which will not permit the personal identification of students and their parents by other than those officials…..”
The statutory language makes clear that Congress intended to restrict redisclosures by such official recipients of personally identifiable information from student education records, Sullivan argued.
“In addition, the use of the word ‘officials’ twice to signify who was collecting the data and releasing such data on behalf of the State educational agencies demonstrates that Congress envisioned ‘authorized representatives’ to be employees of the State educational agencies or agents under the direct control of such employees,” he wrote.
The new regulation, Sullivan continued, tossed the notion of direct control – meaning an employee or contractor – out the window.
“Instead, the proposed regulation advances a novel and counterintuitive definition of ‘authorized representative,’ which would allow ‘any entity or individual designated by a State or local educational authority or agency headed by an official listed in §99.31(a)(3) to conduct – with respect to Federal or State supported education programs – any audit, evaluation, or compliance or enforcement activity in connection with Federal legal requirements that relate to these programs,’” he wrote.
The effect of the definition was to expand the scope of who could be designated as an “authorized representative” of a state or local educational agency to entities and individuals well outside its direct control, Sullivan stated.
“Virtually any state or local employee could be designated an authorized representative under the proposed regulations, no matter how remote or dubious their actual standing as an educational functionary,” Sullivan wrote. “What’s worse, nongovernmental entities, including non-profits, religious organizations, foundations, independent researchers, and for-profit companies, as well as individuals, could be granted access to personally identifiable information without notice or consent.”
In addition, Sullivan wrote, the administration lacked the legal authority for abandoning the longstanding interpretation that an authorized representative must be under the direct control of the state or local agency.
“In so narrowly enumerating, by title, the officials who may access personally identifiable records without the student’s consent, Congress surely meant ‘authorized representative’ to be tightly linked to those positions,” he wrote. “The Department, however, would eviscerate that intent by allowing literally anyone (presumably even including representatives of foreign governments) to exercise that authority, if they are so designated.”
To be sure, Sullivan wrote, under the proposed definition a chief state school officer or higher education authority could authorize as its representatives nonprofit organizations, independent researchers, or other state agencies, and enter into written agreements to make sure that student records and personally identifiable information would be protected.
And yet, he asserted, unless they were under the direct control of the authorized representatives, that protection could not be guaranteed.
“Such agreements, however, will be virtually useless in stopping an authorized representative who is not under the direct control of the State or local agency from misusing the data for other purposes or redisclosing the data to others,” Sullivan wrote. “Under the proposed regulations, the written agreements may be required to spell out how nonconsensually redisclosed data should be used and released, but without the element of direct control, the State or local educational agencies will have no ability to enforce them.”
For example, Sullivan stated, a chief state school officer could call over to her colleague heading the state labor or health department and beg the colleague to crack down on a rogue authorized representative working under the colleague’s direct control, but there would be no regulatory assurance that the improper activity would stop, or could be stopped.
When considered with other ill-conceived changes in the rules, Sullivan concluded, it all adds up to a disrespect for privacy rights.
“The Department is arbitrarily expanding the number of entities that can gain access to personally identifiable information from education records, the reasons why they get access, and what they may do with the information they collect, even over the objections of the custodians of those records,” Sullivan wrote. “We are dismayed by the Department’s disregard for privacy rights, as well as its failure to consider the impossible compliance environment these proposed regulations would create.”
Richard Moore may be reached at firstname.lastname@example.org