Pulling student privacy out of the 1970s

By Zara Day, Senior Policy Associate, CRD Associates

In this age of advanced technology, our conception of privacy seems to be constantly evolving.  Though technology and apps have the potential to enhance our routines, we know that data is never completely secure.  Schools today use technology in ways that could not even have been conceived of 20 or 30 years ago, and, at a minimum, computers are a critical part of the academic infrastructure.  In decades past, confidential student information would likely have been stored in a physical file locked away in an administrative building.  Today, most student information is saved in some capacity in the cloud or on a data server.  It has been 41 years since the passage of the Family Educational Rights and Privacy Act of 1974 (FERPA), and Congress is finally catching up with updates to student data storage and privacy. 

On July 22, 2015, Representatives Todd Rokita (R-IN), Marcia Fudge (D-OH), John Kline (R-MN), and Bobby Scott (D-VA) released the Student Privacy Protection Act, which would, if passed, substantially amend the Family Educational Rights and Privacy Act of 1974 (FERPA).  This bill follows a discussion draft released earlier this year and could potentially be the first substantial update to FERPA since its original passage over four decades ago.  This bill affects all educational institutions (including institutions of higher education), state departments of education and the US Department of Education.  Drafters of this bill make clear that the intention remains for FERPA to provide baseline privacy requirements but that states retain authority to increase these protections as they see fit.

Bill priorities include expanding the definition of education records and requiring educational institutions and third parties to implement privacy protections for student records.  This bill would also require the Secretary of Education to develop regulations and to develop an Office of Compliance.  The Secretary would have the authority to terminate Federal assistance where an institution has failed to comply with these rules and the Secretary determines that compliance “cannot be secured by voluntary means,” and to impose fines between $100 and $1.5 million for failure to comply with new FERPA rules.

Hill staffers working on this legislation have noted that FERPA is, quite simply, due for an update.  Passed over 41 years ago, drafters could not possibly have predicted the enormous changes to education systems and structures that have occurred, including the ever-increasing reliance on online files and data sharing. 

This legislation was sponsored by leadership from both parties in the House Education and Workforce Committee, highlighting a level of bipartisanship that has been somewhat uncommonly common on education issues in Congress recently.  CRD Associates is tracking this and other education legislation, and we are closely following the Higher Education Act reauthorization process.  The Student Privacy and Protection Act can be read here and a summary by the Education and Workforce Committee can be found here.

Lisa Ellington

Big Thinkery, LLC, 1011 Kenilworth Court Northwest, Concord, NC, 28027