WESTCHESTER PUTNAM SCHOOL BOARDS ASSOCIATION
PANEL ON STUDENT DATA PRIVACY

THE FAMILY EDUCATIONAL RIGHTS & PRIVACY ACT (FERPA)
STATE’S RIGHTS VERSUS LOCAL RIGHTS

Prepared by: DAVID S. SHAW, ESQ.
SHAW, PERELSON, MAY & LAMBERT, LLP
December 2, 2013

INTRODUCTION

The engagement of third party vendors by the New York State Education Department to execute its responsibilities under the Race to the Top (RTTT) federal grant program brings to the forefront the question of parental rights to withhold personally identifiable information (PII) from both the State and its vendors. Amendments to the Family Educational Rights and Privacy Act (FERPA) Regulations in 2008 and 2011 have added rights in favor of both local school districts and the State to use third party services in managing and storing student data, including PII. The decision by the State Education Department (SED) to outsource data storage to inBloom and engage private vendors for data dashboards to be accessible by teachers, parents and students raises concerns regarding the opportunity for data security breaches in venues that did not previously exist. Board of Education trustees and parents should take notice of how the balance of privacy rights has changed in recent years and what rights remain with parents to protect their children’s educational records.

A. Overview of Changes

The Family Educational Rights and Privacy Act, also known as the Buckley Amendment, 20 U.S.C. Section 1232-g, was enacted in 1974 to ensure the privacy of personally identifiable student educational records. The Act establishes the parameters within which student records and information contained in them could be disclosed to individuals or entities other than parents/guardians (hereinafter “parents”) or the students themselves. The Regulations implementing FERPA, 34 C.F.R.
Part 99, were amended over the past five years: to allow access to student records by authorized representatives of an educational entity (LEA or SEA); to modify re-disclosure of student records rules; and to implement provisions of the USA Patriot Act and the Campus Sex Crimes Prevention Act. The Amendments also addressed two recent U.S. Supreme Court decisions (Falvo and Gonzaga).

B. Authority for Disclosures to inBloom and the Data Dashboard Vendors

Under the FERPA regulations at Part 99.3 and Part 99.31(a), inBloom and the data dashboard vendors may receive personally identifiable student information (PII) without parental consent from either local school districts or SED as authorized representatives (contractors). The premise for their receipt of PII is that they “are performing an institutional service or function for which the agency or institution would otherwise use employees… under the direct control of the agency or institution with respect to the use and maintenance of education records.” (§99.31[a][1][i][B][1]-[2]).

The State also has the authority under Section 99.35 to allow its authorized representatives to have access to education records of students “in connection with an audit or evaluation of Federal or State supported education programs or compliance with Federal legal requirements that relate to those programs.”

PII may also be disclosed without parental consent to organizations conducting studies for, or on behalf of, educational agencies or institutions to: “(A) Develop, validate, or administer predictive tests; (B) Administer student aid programs; or (C) Improve instruction.” (§99.31[6])

Parental consent is not required for the disclosure of “De-identified records and information” rendering the student records not personally identifiable, in accordance with protocols described in the Regulations.
(§99.31[b][1]-[2])

A re-disclosure of PII by inBloom or other third party vendors would be subject to the prior consent of the parent or eligible student. (§99.33[a][1])

C. The Loss of Local Control Over Student Discipline Data

The No Child Left Behind Act of 2001 required that each state put in place procedures to facilitate the transfer of disciplinary records with respect to a suspension or expulsion of a student by a LEA (local school district) to any private or public elementary or secondary school in which the student is subsequently enrolled or seeks, intends or is instructed to enroll. (20 U.S.C. §7165[b]). Consequently, SED may have the authority to secure PII regarding student discipline and have it stored through its authorized contractor not only in furtherance of its goals under the RTTT Federal Grant program, but also to facilitate the goals of NCLB. (§99.31[a][2] & §99.34)

D. Implications of the Local School District MOUs for RTTT Participation & the inBloom/Shared Learning Cooperative, LLC Shared Learning Infrastructure (“SLI”) Service Provider Agreement

Local school districts that chose to participate in the State’s RTTT Federal Grant program did so by executing an MOU with the State (New York State Participating LEA Memorandum of Understanding) that obligated them to participate in SED’s Plan for a Data System to Support Instruction, whereby they pledged to implement the longitudinal data system developed by the State and described in the State’s plan, including: (1) collecting data as required by the State; (2) implementing or enhancing a local instructional improvement system; (3) making data from such system available to researchers; and (4) providing professional development for teachers and administrators on using data to improve instruction.
When concerns over required participation in the State’s Data Dashboard program, vendor data security abilities and commercialism by vendors led a number of school districts to withdraw from the MOU, a question arose as to what student PII would be sent by SED to inBloom. The State has answered that question by informing school districts that whatever student data it is entitled to collect from school districts under its legal authority and is relevant to fulfilling its RTTT Grant requirements will be part of the data set that it will send to inBloom. School districts opting out from the MOU will not be required to participate in the Data Dashboard program. It is unclear what the difference will be between the data that inBloom will receive from SED regarding MOU compliant districts versus those that have opted out.

The Shared Learning Infrastructure (SLI) Agreement with inBloom provides school districts with the right to stop sending data and to request of inBloom that none of its student data be retained within inBloom’s data stores, as well as request that the same be destroyed or returned by inBloom to the district. (Attachment F, Exhibit C - Data Privacy & Security Plan, Appendix “A”)

E. Do Parents Have Opt-out Rights Regarding PII sent to SED, inBloom and the Data Dashboards?

No. The general rule regarding the disclosure of student educational records is that a written, signed and dated consent by a parent or eligible student (18 years of age or older) is required. (§99.30) However, there are exemptions from the written consent requirements of the regulations set forth at §99.31. The student data at issue under the RTTT Federal grant is subject to exemption under that provision. Parents do not have the right to “opt-out” from having their children’s data provided to SED, inBloom and the Data Dashboard vendors so long as they are authorized representatives of the State or local school districts.
Opting-out under the FERPA Regulations refers to declining to make certain student records subject to disclosure as “Directory Information.” (See §99.3 for the definition of “directory information”).

F. Is the State or a Local School District Subject to Liability through a Claim in Court that student privacy rights under FERPA have been violated by an unauthorized disclosure of PII?

No. The United States Supreme Court in Gonzaga University et al. v. Doe, 536 U.S. 228 (2002), ruled that no private claim may be brought in court to enforce student privacy rights under FERPA. Thus, neither school districts nor their officers, employees or agents may be liable for monetary damages in the event of a breach of privacy rights. Rather, remedies must be sought through the United States Department of Education and the remedies may affect federal funding entitlements of the school district or State - not money damages payable to a student or his/her parents.

SHAW, PERELSON, MAY & LAMBERT, LLP
115 STEVENS AVENUE
VALHALLA, NEW YORK 10595
TEL. NO. (914) 741-9870