Topic:
LIBRARIES; PRIVACY LAW; FREEDOM OF INFORMATION; STUDENTS; HIGHER EDUCATION;
Location:
EDUCATION - HIGHER; FREEDOM OF INFORMATION; PRIVACY;

OLR Research Report


August 7, 2007

 

2007-R-0485

STUDENT PRIVACY RIGHTS AT COLLEGES AND UNIVERSITIES

By: Rute Pinhel, Research Analyst

You asked for information concerning student privacy rights at colleges and universities. Specifically, you want to know what duty higher education institutions have in protecting student electronic records, including email communications, “swipe card” logs, and library records. You also want to know (1) if there are state laws equivalent to federal laws protecting student privacy rights and (2) whether students have a cause of action under state law if they believe that their privacy rights have been violated.

SUMMARY

The federal Family Education Rights and Privacy Act (FERPA) governs the disclosure of student education records. FERPA generally prohibits schools from disclosing to third parties personally identifiable information from student education records without the consent of the parent or eligible student. But it permits such disclosure without consent in certain situations. Schools must notify parents and eligible students annually of their rights under FERPA.

According to Bernie Cieplak, a program analyst with the U.S. Department of Education's Family Policy Compliance Office, FERPA nondisclosure rules apply to any electronic records, including emails and library records, as long as the records are maintained by the institution and pertain to an individual student. “Swipe card” logs, or electronic records of a student's entry into campus buildings that require a swipe card or personal access code may be excludable. Cieplak noted that if these logs are maintained by a college or university campus police or security office, they would be considered law enforcement records and would not be subject to FERPA nondisclosure rules.

There is no state law equivalent to FERPA, but the state Freedom of Information Act exempts from its disclosure requirements certain education and law enforcement records maintained by public colleges and universities.

While state law does not explicitly provide a cause of action for students whose privacy rights have been violated, a student could seek a tort law remedy in civil court for an invasion of privacy.

FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT

FERPA is a federal law governing the privacy of student education records (20 USC 1232g). FERPA applies to all colleges and universities that receive federal funds. It gives parents the right to inspect, review, and challenge the content of certain education records until their child turns age 18 or attends college, when these rights transfer to the student.

FERPA generally prohibits schools from disclosing to third parties personally identifiable information from student education records without the consent of the parent or eligible student. But it permits such disclosure without consent in certain situations. These include:

1. to other school officials, including teachers, within the institution who the college determines have legitimate educational interests;

2. to the parents of a student under age 21 concerning the student's violation of any federal, state, or local law or school policy or rule governing alcohol or drug use or possession;

3. in connection with a health or safety emergency;

4. to the U.S. comptroller general, attorney general, education secretary, or state and local educational authorities, in connection with an audit or evaluation of compliance with federal or state supported education programs; or

5. to comply with a judicial order or lawfully issued subpoena.

Schools must notify parents and eligible students annually of their rights under FERPA. Notice can be included in a student newspaper, calendar, student program guide, rules handbook, or other reasonable means likely to inform students. Notice does not have to be made individually to students.

Schools may disclose student “directory information” without consent. But they must notify parents and eligible students about the directory information and allow them a reasonable amount of time to request that the school not disclose it. This includes information such as a student's name, address, telephone number, and date and place of birth.

Education Records

The law defines “education records” as “those records, files, documents and other materials which (i) contain information directly related to a student; and (ii) are maintained by an educational agency or institution or by a person acting for such agency.” It excludes records:

1. that are the “sole possession” of an educator and which are not accessible or revealed to any person except a substitute;

2. maintained by the institution's law enforcement unit for law enforcement purposes;

3. related to individuals employed by the institution, but who do not attend such institution; and

4. made or maintained by a physician, psychiatrist, psychologist, or other recognized health professional or paraprofessional if they are (a) made, maintained, or used in treatment and (b) disclosed only to people providing treatment.

According to Bernie Cieplak, a program analyst with the U.S. Department of Education's Family Policy Compliance Office (FPCO), FERPA nondisclosure rules apply to any electronic records, including emails and library records, as long as the records are maintained by the institution and pertain to an individual student. “Swipe card” logs, or electronic records of a student's entry into campus buildings that require a swipe card or personal access code may be excludable. Cieplak noted that logs maintained by a college or university campus police or security office would be considered law enforcement records and would not be subject to FERPA nondisclosure rules.

Disclosure of Education Records in a Terrorism Investigation

A provision of the U.S.A. PATRIOT Act amended FERPA to allow the attorney general, or any federal officer in a position not lower than an assistant attorney general, to apply to a court for disclosure of certain education records if he or she has reason to believe that they will assist investigation or prosecution of a terrorist act. The act also provides limited immunity for educational agencies or institutions that in good faith disclose these documents.

Complaint Procedure

Under FERPA regulations (34 CFR 99.63 – 99.67), parents or eligible students may file a written complaint with the FPCO if they believe their privacy rights have been violated. The complaint must (1) contain “specific allegations of fact giving reasonable cause to believe that a violation…has occurred” and (2) be filed within 180 days of the date of the alleged violation, with some exceptions. FPCO initiates the investigation and must provide the complainant and agency or institution written notice of its findings. If the office finds that the institution violated FERPA rules, it must include a statement of the specific steps the institution must take to comply and allow a reasonable period of time during which the institution may comply voluntarily.

If the institution does not comply, the education secretary may (1) withhold further payments or terminate the institution's eligibility for funding under any applicable program, or (2) issue a cease-and-desist order to compel compliance.

Cause of Action Under FERPA

In 2002, the United States Supreme Court ruled in Gonzaga University v. John Doe (536 U.S. 273) that FERPA does not allow for a personal cause of action based on a perceived violation of the law's nondisclosure requirements. The plaintiff, a former Gonzaga student, sued the university and a faculty member based on the release of personal information in violation of FERPA. The student was denied his teaching certification based on allegations of sexual misconduct after a university faculty member contacted the state agency responsible for teacher certification, identified the student by name, and discussed the allegations against him.

The Court concluded that the student did not have a right to sue under FERPA because the law's provisions “fail to confer enforceable rights.” A jury, however, awarded the student $705,000 for the violation under Washington state tort and contract law.

CONNECTICUT STUDENT PRIVACY LAWS

There is no state law equivalent to FERPA, but the Freedom of Information Act (FOIA) exempts from its disclosure requirements certain education and law enforcement records maintained by public colleges and universities.

Under FOIA (CGA 1-210), public colleges and universities are not required to disclose (1) any educational records which are not subject to disclosure under FERPA; (2) the names or addresses of enrolled students, without proper consent; or (3) any law enforcement records associated with an ongoing investigation. As an official at the FPCO noted, student emails and library records are protected under FERPA. Accordingly, these records would be exempt from FOI disclosure. But it appears that “swipe card” logs that do not contain students' names and are not associated with an ongoing law investigation would be subject to disclosure.

While state law does not explicitly provide a cause of action for students whose privacy rights have been violated, a student could seek a tort law remedy in civil court for an invasion of privacy (Conn. Law of Torts 166, Right of Privacy).

RP:ro