FERPA does not protect student privacy, and never did

Posted on December 26, 2013


I’ve been debating for a few months on how to tackle this topic in a way that is both informative and engaging while providing firmly grounded sources that back up my analysis. I’ve finally decided that might be too ambitious, and certainly a lot to tackle in a single piece Rather than let anymore grass grow underneath my feet on this issue I decided to jump right in and I’ll be amending and updating my work on this topic much as Congress and US ED as amended FERPA continuously throughout the years. FERPA laws, interpretations and guidance are dense and jargon filled. I will refer to some specific passages, but I will leave it to you delve into those documents directly if you are so inclined. I’ve been asked to synthesize and summarize what I know and have read. If you feel more informed and more concerned after reading this piece I will see my work as successful.

FERPA is old and outdated

FERPA was created in 1974, before much of the current technology, we take for granted today, was even imagined by most legislators (except maybe the creator of the Internet, Al Gore.) As such, the framework is suspect and a patchwork of fixes and amendments that really fails to do what many people think it does. FERPA does not protect student privacy to any real degree, not to the extent we would expect a modern law to do. FERPA was written when many computers were housed in underground facilities on universities campuses (to make cooling them easier) and were the size of houses. Here is a state of the art computer from 1973, a GEC 4000.

And a close up of its fanciest part.

You couldn’t exactly hack into one of these and the data they stored was on tapes that had to be manually mounted. A modern thumb drive probably contains more data that the entire wall of tape cartridges shown in the picture, and most had no external connections. There was no Internet and top transmission speeds through dedicated phone lines with connected modems were about 300bps or about 37 characters per second (on a good day.) Todays transmission speeds can top 100Mbps or more which is the equivalent of 13 million characters per second if my rough estimates are correct. The computers millions of folks carry around in their pockets dwarf the processing speeds of even the fastest computers of 40 years ago, that were usually relegated to musty university and government warehouses and not the least bit portable.

So when FERPA was conceived computers and computerized records were not prevalent, data was not very portable, and usage and applicability of any data was almost non-existent. Fast forward 40 years and now computers are the size of wallets and watches. Millions of bits of data, or names and SSNs, can be stored on hard drives the size of a thumbnail that cost a few dollars and can be purchased at convenience stores. If you drive down almost any city block you can pick up dozens to hundreds of WiFi connections that access computers or computer networks, and the internet allows access to almost any computer anywhere on the planet. Messages and data can be transmitted virtually instantaneously to anyone anywhere via radio or satellite transmissions for little to no cost. Credit agencies, insurance agencies, employment agencies, advertising agencies, and government agencies use data collected and aggregated on everyone to sell, hire, investigate, issue or deny credit, fire, provide or deny benefits etc. We now have cyber bullies, phishers, hackers, identity thieves, and online predators to worry about in addition to all the physical threats of yesteryear to worry about as parents and consumers. When FERPA was created none of these threats were known and FERPA does next to nothing to protect against these threats.

For the dry specifics and dates you can refer to this passage, but I will be going into more detail about specific shortcomings and necessities.

FERPA History

Let’s start at the beginning with a brief history of how FERPA came to be.

The Family Educational Rights and Privacy Act of 1974 (“FERPA”), § 513 of P.L. 93-380 (The Education Amendments of 1974), was signed into law by President Ford on August 21, 1974, with an effective date of November 19, 1974, 90 days after enactment. FERPA was enacted as a new § 438 of the General Education Provisions Act (GEPA) called “Protection of the Rights and Privacy of Parents and Students,” and codified at 20 U.S.C. § 1232g. It was also commonly referred to as the “Buckley Amendment” after its principal sponsor, Senator James Buckley of New York. FERPA was offered as an amendment on the Senate floor and was not the subject of Committee consideration. Accordingly, traditional legislative history for FERPA as first enacted is unavailable.

Senators Buckley and Pell sponsored major FERPA amendments that were enacted on December 31, 1974, just four months later, and made retroactive to its effective date of November 19, 1974. These amendments were intended to address a number of ambiguities and concerns identified by the educational community, including parents, students, and institutions. On December 13, 1974, these sponsors introduced the major source of legislative history for the amendment, which is known as the “Joint Statement in Explanation of Buckley/Pell Amendment” (“Joint Statement”). See Volume 120 of the Congressional Record, pages 39862-39866.

Congress has amended FERPA a total of nine times in the nearly28 years since its enactment, as follows:

P.L. 93-568, Dec. 31, 1974, effective Nov. 19, 1974 (Buckley/Pell Amendment)
P.L. 96-46, Aug. 6, 1979 (Amendments to Education Amendments of 1978)
P.L. 96-88, Oct. 17, 1979 (Establishment of Department of Education)
P.L. 101-542, Nov. 8, 1990 (Campus Security Act)
P.L. 102-325, July 23, 1992 (Higher Education Amendments of 1992)
P.L. 103-382, Oct. 20, 1994 (Improving America’s Schools Act)
P.L. 105-244, Oct. 7, 1998 (Higher Education Amendments of 1998)
P.L. 106-386, Oct. 28, 2000 (Campus Sex Crime Prevention Act)
P.L. 107-56, Oct. 26, 2001 (USA PATRIOT Act of 2001)

Unapproved Changes to FERPA

What you don’t see in this bit of US ED lore is that the changes enacted by the US Department of Education over the last decade (plus) were not approved by Congress. The most recent and significant one I would like to direct you too occurred in 2011 and can viewed here along with a discussion of objections raised and DOEs responses to the objections.


These are very telling indications of how DOE intends to enforce (or not enforce FERPA) but it is 58 pages so I will excerpt a few of the more concerning sections to direct your attention to throughout my examination.

Before we go there though, let me summarize by saying FERPA was theoretically enacted in 1974 to protect the rights of parents and students under very specific situations that were known or understood at that time. (I would assert it actually defines the rights and preeminence of Federal agencies to oversee education matters and data with a small set of rights for parents under a few limited circumstances.) FERPA has been amended 9 times by Congress, and the primary enforcement mechanism is reduction or disqualification for funding directed at schools and states that fail to comply with FERPA regulations.

Applicability and Scope

This leads directly to the next point I would like to discuss; something many people may not be fully aware of or understand about FERPA. Namely the scope and applicability or in other words what it applies to and how it works and can be enforced.

Scope and Applicability

FERPA is a “Spending Clause” statute enacted under the authority of Congress in Art. I, § 8 of the U.S. Constitution to spend funds to provide for the general welfare. (“No funds shall be made available under any applicable program…” unless statutory requirements are met.)

Let me translate this a bit. FERPA has no defined penalties for folks who willfully and/or negligently and repetitively violate it. I can take your children’s personal data and wallpaper my house with it, use it to wrap all my presents, post it in the newspaper, print it on souvenir toilet paper and make paper airplanes out of it and launch them from atop the State Capital during Mardi Gras (something I’ve always wanted to do, sans the personal data) and FERPA and the US Department of Ed cannot prosecute you and the only sanction available to them is to withhold federal funding, if they so choose. This means any vendor that obtains personally identifiable data is largely immune to any repercussions or restrictions on its use or misuse. This is a matter of settled law and an opinion issued by US ED in the afore-linked 2011 document.

. . .Thus, if an authorized representative receives funds under a program administered by the Secretary, the Department has the authority to enforce failures to comply with FERPA under any of GEPA’s enforcement methods. If an authorized representative does not receive funds under a program administered by the Secretary and improperly rediscloses PII from education records, then the only remedy available under FERPA against the authorized representative would be for the Department to prohibit the disclosing educational agency or institution from permitting the authorized representative from accessing PII from education records for a period of not less than five years. 20 U.S.C. 1232g(b)(4)(B). These are the only remedies available to the Department to enforce FERPA. Remedies, such as assessing fines against any entity that violates FERPA, are not within the Department’s statutory authority. Under the FERPA regulations, and in accordance with its longstanding practice, the Department only will take an enforcement action if voluntary compliance and corrective actions cannot first be obtained. If the violating entity refuses to come into voluntary compliance, the Department can take the above listed enforcement actions. However, in addition to these statutorily authorized remedies, we encourage FERPA-permitted entities to consider specifying additional remedies or sanctions as part of the written agreements with their authorized representatives under § 99.35 in order to protect PII from education records. Written agreements can be used to permit increased flexibility in sanctions, to the extent that the desired sanction is permitted under law.

All vendors are free to use and misuse as much data however they choose without real restrictions or penalties

This means US ED has no authority over vendors or use or misuse data, that it must first try and convince abusers to stop abusing and disclosing the data they have received, and that their only recourse is to forbid school districts from providing data to them directly for 5 years or more. However if they obtain the data from another source, say another vendor, agencies can bypass even this very minor censure. Additionally, since DOE has no enforcement mechanism provided by FERPA, agencies can ignore this decision with impunity. This is why inBloom is not going out of business with no one officially committing to provide data to them. They intend to get this data secretly other ways and through other avenues. FERPA does allow schools, school districts and states to state their own civil penalties in their contracts, but most, if not all, fail to do so. What this means is any vendor for any data system in any school district that has access to data can currently use that data however they want if their only restriction written into their contract is that they will comply with FERPA. FERPA does not restrict or target vendors, only schools and school districts. State agencies are also largely excluded from many of the provisions of FERPA although references to them have been sprinkled in throughout the years. Most of the sanctions and wording it directed at local school districts, not state agencies who subsequently acquire the data.

Additionally, parents do not have the right to sue or take actions against vendors, state agencies, local school districts, or individuals who use, misuse or abuse their children’s data, or their own data under FERPA. All enforcement actions are handled through FPCO (the Family Policy Compliance Office), if they so choose. Parents may make a formal complaint, but those complaints can be ignored and parents have no further recourse.

The Kickboard and inBloom connection

A couple of months ago I was contacted by a parent and technology insider about a new company operating in New Orleans in coordination with Leslie Jacobs, a chief reform figure in Louisiana and one of the principal people responsible for creating RSD an creating the deforms striking across Louisiana and particularly New Orleans. This company is called KickBoard, and run by a former Teach for America alum named Jennifer “Jen” Medbery. Kickboard is an inBloom ally and dashboard provider that goes into schools and school districts to obtain all of their student and teacher data and provide tools and metrics for the teachers. What I have been told is that inBloom is now working with groups like Kickboard to obtain student data indirectly, bypassing contracts and oversight with school districts and state agencies. Please refer to this comment provided below.

I have to commend you and brilliant citizens like yourself for standing up and fighting against the partnership between LDOE and inBloom. As a parent and an EdTech critic, I’m so proud to see that partnership dissolving even if only for now. However, I’ve been alarmed for quite some time at the fact that no one has ever called out or investigated the more direct link between our state’s children’s data and inBloom than through Kickboard for Teachers. A search of your blog and even your readers’ comments pulled up zero hits on Kickboard. Jen Medbery and her self-proclaimed mentor and investor Leslie Jacobs more than likely played huge roles in the backroom deals between White and inBloom. As the poster child for New Orleans Edtech specifically and New Orleans entrepreneurship in general, Kickboard cannot be allowed to falter or worse die. Several prominent groups including Idea Village and the New Orleans Startup Fund have too much riding on Kickboard’s success in spite of the fact that Kickboard remains nearly two years behind on its own growth projections. Why else is there such a huge media blitz for Kickboard originating from Idea Village for each of the past two autumns despite that Idea Village has incubated probably five dozen other start-ups since Kickboard graduated from its program four years ago?

The hidden revenue stream was and probably continues to be to Kickboard from other inBloom members at the expense of our state’s children and their parents. Kickboard is listed alphabetically as the 15th of 21 inBloom partners. Leslie Jacobs took over the New Orleans Startup Fund precisely when the Fund was faltering and had really only one major investment consuming the bulk of its pledges, Kickboard. John White’s severing of his contract with inBloom has only served now to push the Kickboard and inBloom partnership deeper and further underground. And, contracts between Kickboard and the schools and districts it services permit the same data exchange through Kickboard to inBloom that White was permitting from the LDOE directly.

We can only hope that Medbery and Kickboard put our children before profits. Yet, I don’t see them justifying a recent unjustifiable valuation in the millions of dollars which subsequently resulted in them securing a sizable out-of-state venture capital investment without extracurricular income from inBloom partnerships.

I do not have detailed financials disclosing how these partnerships work, but I have been wondering how inBloom could continue to function without student data commitments. To be quite frank, there is no way they could operate as they’ve defined themselves (a centralized student data repository and intermediary) without obtaining data from someone. Initially inBloom was going to provide data to their partners like Kickboard. Now that virtually every state and large school district has pulled out of inBloom, thanks to the efforts of Leonie Haimson, Rachel Strickland, Debbie Sachs and others, the only available path I see to them is obtaining this data through vendors that already have access to it. Their most likely place for inBloom to acquire this data will be via and through their existing partners. There are currently not Federal laws to safeguard or prevent this, which is why State laws must be enacted in every state if you wish to prevent personal, student, teacher and parent data from falling into the hand of anyone and everyone who wants it.

For a current list of partnering companies with inBloom you can go here. If your parish does business with any of these vendors there is a decent chance inBloom and other data aggregators will be able to obtain your children’s data through them.

Please note: I do not have concrete proof Kickboard or any of these partners are actively sharing data with inBloom although I have had reports from sources that they are and have included one of those reports provided to me in this article. I have shown that there FERPA has no teeth to prohibit this, and US ED has no inclination or authority to address this issue. As every state and partner that I am aware of has pulled out of inBloom (or allowed parent opt outs or opt ins) and inBloom has not closed up shop it stands to reason they have plans to get this data another way. Bill Gates has 150 million reasons to see this venture succeed.

Future posts will include an outline on how to craft State legislation to address these issues but suffice it to say specific monetary and criminal penalties will need to be enacted.

Additional Note: If the only protections your vendor agreement defines is that it complies with FERPA, then essentially you have no real protections to safeguard or define ownership of your data or penalties for its misuse.  However, many vendors like JPAMS/EdGear (the largest SIS vendor in Louisiana whom contacted as part of my research for this story) have privacy agreements that go far beyond the use, ownership, storage, sharing and destruction restrictions defined by FERPA.  As a local superintendent or school board I believe it would be a good idea to review my contracts with my vendors and tighten up those that lack appropriate safeguards.  I do not attribute this lack to subterfuge on most of your vendors’ parts.  Many vendors may not even be aware of how poorly FERPA defines safeguards for data, as this lack is not something US ED or the Family Compliance Office actively advertises.

About these ads