You asked if any state regulates how the College Board distributes personally identifiable information, especially Social Security numbers, about students taking the Preliminary Scholastic Aptitude Test (PSAT) and the Scholastic Aptitude Test (SAT). You were especially interested in whether Kansas had any such law.

SUMMARY

A Westlaw computer search of state laws found that only two states, California and New York, have laws that specifically prohibit college admission testing agencies, such as the College Board, from disclosing individual test scores without the test taker’s express authorization. But because the College Board’s members are educational institutions and organizations, the board appears to be covered by the federal Family Educational Rights and Privacy Act (FERPA), which governs handling and disclosure of, and access to, student educational records. In line with FERPA’s requirements, the College Board’s Guidelines for the Release of Data allow disclosure of personal data associated with a particular individual only in response to a direct request by the individual to whom the data pertains.

In addition to FERPA limitations, a new Connecticut law passed in 2003 and which becomes effective January 1, 2005, will explicitly prohibit any private individual or business from publicly disclosing someone’s Social Security number.

THE COLLEGE BOARD

The College Board is a nonprofit membership organization chartered by the New York Board of Regents under the New York Education Law. Its members are schools, colleges, and other educational institutions. The College Board’s major activity is creating, administering, and scoring college admission and placement tests, such as the PSAT, SAT, and Advanced Placement (AP) tests. The board also creates and administers graduate and professional school admission tests and professional licensing exams, especially certification tests for prospective teachers.

STATE LAWS REGULATING STANDARDIZED SCHOOL ADMISSION TESTS

According to a Westlaw computer search of state statutes, only two states, California and New York, have laws governing college admission testing entities. Both laws require testing entities to file reports on standards they use to create their tests and testing fees, among other things. The laws also require testing entities to disclose certain things to those taking the test and explicitly bar them from releasing or disclosing any test subject’s score to a third party without the test subject’s specific authorization (McKinney’s Consolidated Laws of NY, Education Law, § 7-A: 344; Cal. Code Ann. , Ch. 3 § 99616). California’s law also requires testing entities to provide test subjects with an easily understandable written description of, among other things, any promises or covenants it makes to the test subject concerning “the privacy of information relating to the test subject, including his or her test scores” (Cal. Code Ann. , Ch. 3 § 99156).

FERPA AND COLLEGE BOARD GUIDELINES

FERPA is a federal law that protects the privacy of student educational records (20 U. S. C § 1232g). It covers schools and school districts that receive federal funds. With certain exceptions, the law requires schools to have written permission before releasing information from a student’s educational record. If the student is under age 18, his parent must give permission. Once a student turns 18, the student himself must consent to any disclosure. For your additional information, we enclose a plain language summary of FERPA’s requirements, published by the U. S. Education Department.

Although the College Board is not technically a “school,” its guidelines for disclosing personally identifiable data it collects about students explicitly state that its disclosure procedures are intended to comply with FERPA’s privacy requirements. The board’s guidelines list three types of data and impose varying disclosure limits on them. The three types are: (1) aggregate level data, which pertains to a particular state or the entire nation; (2) institution/district level data, which pertains to a particular educational institution or school district; and (3) individual level data, which pertain to a specific person. Examples of the latter include tests taken, individual test scores, Social Security numbers, and high school attended. Individual-level data is the most carefully protected.

The College Board’s guidelines state that it routinely releases individual level data to the individual himself or herself and to the educational institutions the individual specifies should receive score reports and electronic files pertaining to the person. The board considers requests for individual data from other qualified applicants but in such cases, it releases only aggregated data from no fewer than 15 students with no identifying information, such as Social Security numbers, names, addresses, or dates of birth, provided. “This guideline is intended to protect individuals and to ensure that the College Board observes the letter and spirit” of FERPA, the guidelines state. (A complete copy of the guidelines is included with this report. )

CONNECTICUT IDENTITY THEFT LAW

Disclosure of Social Security numbers will soon be barred in Connecticut under a new state identity theft law (PA 03-156). Among its provisions is a general prohibition against any individual, firm, or corporation disclosing Social Security numbers. The law takes effect January 1, 2005. The prohibition does not prevent the numbers from being collected, used, or released as required by state or federal law or used for internal verification or administrative purposes. It does not apply to certain individual and group health insurance policies.

Beginning January 1, 2005, the act prohibits any person, firm, corporation, or other entity, other than the state or its political subdivisions, from:

The penalty for willful violations is up to a $ 100 fine for the first offense, up to a $ 500 fine for a second offense, and up to a $ 1,000 fine or six months in prison for each subsequent offense.

JL: ro