HOT LAW: Best Practices for FERPA & Data Security
By: Lily Crespo Esq.
Quick takeaway: Because student data privacy is a critical and growing issue nationwide, it is imperative that all schools have a clear understanding of the issues at hand and a clearly outlined policy that covers data privacy within their school or district and for those who work with them (contractors, IT vendors, etc.). Local and federal laws will continue to change and evolve over time, and a foundational policy and plan will help schools keep up with the rapid changes and growing demands of data privacy.
Last year, the Missouri Court of Appeals held that a teacher’s transfer of files containing confidential student information to her personal online storage account was not a “disclosure” prohibited under the Family Educational Rights and Privacy Act. Tammy Ferry, a tenured teacher with the Jefferson City School District employed as an instructional technology coordinator, transferred thousands of District files to her personal Google account, over a thousand of which contained confidential student information.
- The District placed Ferry on administrative leave, the Board of Education of the Jefferson City School District issued a Statement of Charges seeking to terminate Ferry’s employment for willful or persistent violation of the published regulations of the Board, and, after a hearing, terminated Ferry’s employment on the ground that she willfully and persistently violated the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C.A. § 1232g).
- The circuit court ordered Ferry reinstated and this decision was affirmed. The language of FERPA is unambiguous and defines “disclosure” as “to permit access to or the release, transfer, or other communication of personally identifiable information contained in education records by any means … except the party identified as the party that provided or created the record” (34 C.F.R. § 99.3).
- It was undisputed that Ferry did not transfer files to a third party that would constitute a FERPA disclosure. Based on the plain language of FERPA’s definition of disclosure, Ferry’s transfer of files to herself via her personal Google account does not constitute a disclosure. [Ferry v. Board of Education of Jefferson City Public School District, 2020 WL 7347737 (Mo. Ct. App. W.D. 2020), transfer denied, (Feb. 2, 2021)].
- The case is currently on appeal to the Missouri Supreme Court. An amicus curiae brief from the Missouri School Boards’ Association in support of Jefferson City School District drew out some key issues regarding FERPA and data governance of particular interest to school administrators.
Missouri School Boards’ Association Supporting Brief Filed June 1, 2021
MSBA’s purpose in this amicus curiae brief is, on behalf of its members, to advert this Court to the dense environment of implicit obligations felt by school districts when it comes to “FERPA” and data governance. The brief contains the following statements from the Department of Education.
Although FERPA does not dictate requirements for safeguarding education records, the Department encourages the holders of personally identifiable information to consider actions that mitigate the risk and are reasonably calculated to protect such information. … The greater the harm that would result from unauthorized access or disclosure and the greater the likelihood that unauthorized access or disclosure will be attempted, the more protections an agency or institution should consider using to ensure that its methods are reasonable.
Without a formal data governance program, the district cannot ensure that sensitive and personally identifiable data maintained by the district is adequately protected and safe from unauthorized access, misuse, or inadvertent disclosure.
Quick tips for responsible data governance
- Stay current and compliant with federal and state laws
- Working with your district’s legal counsel and coordinating compliance with your technology, assessment, curriculum, student services, human resources, and all technology vendors is the first priority. While technology programs, employee behavior, and products and services are key components in compliance, the mandate begins at the district’s executive level. Many districts designate a single senior leader or leadership team to ensure legal compliance and currency.
- Address Community and Stakeholder Expectations Early and Often
- Keep instructional impacts in the picture
- Student data is essential in supporting learning and success. Data enhances continuous academic improvement and the power to personalize learning. The challenge is balancing instructional needs and opportunities with the need for privacy. Students, families, educators, school leaders, and vendors alike all play a role in striking the appropriate balance between access to learning resources and services and privacy.
- Responsive, responsible privacy administration and management mitigates risk
- Continual management of a compliance program that designates rules, procedures, and the individual or group responsible for decisions is the starting point.
- Anyone who collects or has access to students’ personal information needs and deserves training and resources. From the swimming coach to school bus driver, school librarian to the nurse, teachers, counselors, and administrators in every department…everyone should learn how to use student data securely, effectively, legally, and ethically, in keeping with your district’s policies and requirements.
As you consider these and other issues, we recommend you speak with your school lawyer or contact Bea, Kevin, Megan, Beth, and Lily by email or at 406-542-1300 to discuss these issues.