The U.S. Department of Education’s Inspector General’s office released a blistering audit last week, detailing how the department failed to conduct timely and effective investigations into alleged violations of the Family Educational Rights and Privacy Act (FERPA) — the nation’s main student-data-privacy law, Education Week reports.
According to the audit, the department’s privacy office had 285 open FERPA complaints in September 2017, with nearly a third being more than two years old and 31 cases having investigations finished but never officially closed because the paperwork wasn’t properly filed. The 24 cases the office did close during the 2017 fiscal year took an average of two years to complete.
Because of disorganization — there is no mechanism to track the number or status of complaints received — the Inspector General estimates that a years-long backlog has been created, and recommendations for improvement include modern software to track complaints, the allocation of resources for enforcement, and the end of the practice of leaving cases indefinitely active.
The Family Educational Rights and Privacy Act (FERPA) was created in 1974 to protect the privacy of student records. The law has three purposes: It gives families the right to request their child's records, the opportunity to amend records, and some degree of control over how their child's data is dispersed and who can access it.
While families have a certain amount of agency under FERPA, it doesn't cover everything. For example, schools don't need to get parental consent to release data to other education officials.
For a long time, data — which includes everything from student grades and assessment scores to addresses, birth dates and attendance records — was maintained as hard copy records. But advances in technology have taken it to a new place: the cloud.
These advances make it easier to track information as a child transitions from elementary school to college, which from an efficiency standpoint is great. They also carry big implications around data and privacy abuse, making acts like FERPA, which was expanded in 2008 and 2011 to allow third-party vendors and "authorized representatives" of state authorities to collect data without parental consent, increasingly important.
As Education Week explains it, FERPA complaints today run the gamut, from instances where individual students believe their information was shared improperly to those where entire student bodies say a school demanded they waive rights under the law for enrollment. And backlogs aren't necessarily new to the current administration, but something the Education Department has been dealing with for decades.
How to fix that issue is something of puzzle. The audit points out that the privacy office received permission to hire five new staff members in 2015, but many of the staffers weren't placed on investigations. Rather, they were assigned to work with states and school districts on FERPA training and policy guidance. From the inspector general’s viewpoint, the office should have been working to resolve the current complaints, but it also acknowledged that working with states and districts on compliance could minimize cases in the future.
That reality creates a catch-22 that some advocates are aware of.
"A complaint is often the only recourse a parent has when they feel their child's privacy has been violated," Paige Kowalski, an executive vice president for the Data Quality Campaign, told Education Week. "But the department will never get ahead of its backlog if it's not also effectively delivering supports."