Report

A Primer on Student Privacy

By Mandy Schaumburg

American Enterprise Institute

July 20, 2023

Learn more about this series

Key Points

  • The Family Educational Rights and Privacy Act was written to be a sword and shield for parents, providing them with access to their children’s information while helping safeguard that information from being shared without parental permission.
  • Despite regulatory modifications in recent decades, this nearly 50-year-old law—written in an era of mimeographs—is sorely out-of-date and unable to adequately address the mountains of student data currently being collected and stored.
  • Congress should rewrite the law to reflect current technological and interest group realities; in the interim, school districts should pursue additional data privacy training and establish basic minimum requirements for data-sharing agreements.

Read the PDF.

The Family Educational Rights and Privacy Act (FERPA) is the federal law that governs how student data can and can’t be shared. It was written to be both a sword and a shield for parents—a sword to provide rights to parents to access their children’s information and a shield to protect their children’s information from being shared without permission.1 FERPA has been tweaked a few times, but it has never been substantially overhauled since it became law, in 1974—almost 50 years ago.

When FERPA was enacted, classroom technology meant wheeling a projector into a classroom to watch a film, homework was mimeographed, phones had long cords and were attached to walls, and all tests were paper and pencil. Fast forward to 2023, and the internet and computers are ubiquitous inside and outside the classroom. Today, students and teachers use laptops and cell phones to communicate, manage lunch money, conduct research, stream video, draft term papers, shop for school, and calculate math equations. This has dramatically increased the amount of data that are stored and collected in ways the original law didn’t foresee.

Despite some regulatory modifications to FERPA, these tweaks are a poor substitute for a comprehensive legislative revision. For example, in 2008, the regulations updated the definition of “personally identifiable information” to include biometric information such as fingerprints and facial characteristics. In 2011, the definitions of “authorized representative” and “education program” were changed, resulting in more parties having easier access to student information. An upcoming regulatory adjustment is expected to include an update to the definition of an education record and clarify provisions relating to complying with a judicial order.2 Despite all these changes, FERPA is still decades behind helping schools effectively deal with the significant personally identifiable information collected on students.

How much data are we talking about exactly? It is likely impossible to quantify. But a decade ago, when expert witness Joel Reidenberg was asked at a congressional hearing to summarize all the information gathered on students, he replied, “Well, probably the easiest way to do that in a minute is just think George Orwell and take it to the Nth degree.”3

Some are unbothered by this increase in data collection, arguing that it can’t harm students so long as schools and contractors use it responsibly to improve teaching and learning. But education records are about much more than academic information. A student’s education record includes not only benign information such as their full name, address, and parents’ names but also more sensitive information such as medical information, parents’ finances, and disciplinary information.

The value of these data to hackers and malicious actors has been proved by the ever-increasing number of ransom requests for student data.4 As the Government Accountability Office recently noted, “In recent years, cyberattacks on K–12 schools have increased. Not only do these attacks disrupt educational instruction and school operations, they also impact students, their families, and teachers.”5 These data, if they fall into the wrong hands, can be used as a dangerous weapon against students, parents, and schools alike.

Notes

  1. Electronic Privacy Information Center, “Family Educational Rights and Privacy Act (FERPA),” https://epic.org/family-educational-rights-and-privacy-act-ferpa.
  2. Office of Management and Budget, Office of Information and Regulatory Affairs, “Family Educational Rights and Privacy Act,” https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202210&RIN=1875-AA15.
  3. Valerie Strauss, “The Astonishing Amount of Data Being Collected About Your Children,” Washington Post, November 12, 2015, https://www.washingtonpost.com/news/answer-sheet/wp/2015/11/12/the-astonishing-amount-of-data-being-collected-about-your-children; and How Emerging Technology Affects Student Privacy, 114th Cong. (February 12, 2015) (statement of Joel R. Reidenberg, Fordham Law School), https://www.govinfo.gov/content/pkg/CHRG-114hhrg93208/html/CHRG-114hhrg93208.htm.
  4. Mark Keierleber, “Hackers Use Stolen Student Data Against Minneapolis Schools in Brazen New Threat,” 74, March 9, 2023, https://www.the74million.org/article/hackers-use-stolen-student-data-against-minneapolis-schools-in-brazen-new-threat.
  5. US Government Accountability Office, “As Cyberattacks Increase on K–12 Schools, Here Is What’s Being Done,” December 1, 2022, https://www.gao.gov/blog/cyberattacks-increase-k-12-schools-here-whats-being-done.

Read the PDF.