When the parents of a California teen logged on to the internet last year to visit a school-related web site featuring profiles of their son and other members of the Paloma Valley High School golf team, what they found was cause for serious concern.

The web site, designed to promote young student athletes to potential college recruiters, was loaded with personal information about their son, Jordanfrom his grade-point average and SAT scores to his birthday and home address.

It was a great site “in concept,” said Dale Shiffler, the boy’s father. Problem was, no one had asked Jordan’s parents for permission to post the information. Well aware of the dangers that lurk online, the Shifflers worried what would happen if identity thieves, child molesters, or other dangerous cyber criminals were somehow to use that information to target their 17-year-old son or another member of the team.

“There were things posted up there that I just did not feel comfortable with,” Shiffler said. As for Jordan, he felt exposed. “With the grades and stuff, I was kind of a little embarrassed,” he said in an interview with eSchool News.

The incident serves as a stark reminder of the challenges and dilemmas that school systems face in protecting students’ privacy in the digital age. Legal and privacy experts say the lesson for other school leaders is simple: Make sure all staff members clearly understand their obligations under the law.

FERPA compliance

The recruitment site was created by the team’s golf coach, Tim Daniel, and linked to the Poloma Valley High School home page. Concerned that the web site was in violation of the Family Educational Rights and Privacy Act (FERPA)the federal law that protects the privacy of student educational recordsthe Shifflers filed a complaint with the California Office of Civil Rights for the U.S. Department of Education (ED).

Shiffler said the coach, who is not a teacher at the school, never consulted administrators or students’ parents before posting the information online for “the whole world to see.”

Although the web site has since been taken down, Shiffler contends it was active for more than a year. The Los Angeles Times, which first broke the story in May, reported that officials from the Perris Union High School District ordered the link removed from the school’s web site hours after they learned that personal information had been disclosed. Daniel was said to have closed the site.

Perris Union Superintendent Dennis Murray did not respond to repeated telephone calls from eSchool News requesting an interview. The team’s golf coach also could not be reached for comment.

But legal experts and other observers said school officials likely would be reluctant to comment on such an “egregious violation” of student privacy.

According to Parry Aftab, an internet privacy lawyer who heads up Wired Safetywhich claims to be the world’s largest internet safety, help, and education organizationmost schools do not take potential FERPA violations and other student privacy rights seriously enough.

“I’ve been talking about this [issue] for the last four years now,” said Aftab, who left her job at a law firm to help spread awareness about online privacy and other internet safety issues. “Just because you never hear about anyone bringing FERPA actions doesn’t mean schools are not committing these violations.”

According to the law, parents of students who are 17 and underand students themselves if they are at least 18 years of agemust give written consent before a school is allowed to release into the public domain information contained in the student’s educational records.

An exception to the rule applies to what is known as “directory information,” which may include a student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. Still, even directory information should be shared only on an “opt-out basis,” Aftab saidmeaning parents and eligible students must be given an opportunity to decline the release of these records, if they so wish.

Schools that do not comply ultimately risk losing federal funding, including Title I support for disadvantaged students, said ED spokesman Jim Bradshaw.

“Schools need to recognize that FERPA exists and is a condition of getting funding,” Aftab said. “Schools should have a very clear policy that states what the rules are.”

Otherwise, she said, many of them could end up footing the bill for their mistakes. “You really have to teach your educators what they need to do to keep from getting sued,” she said. “It’s all about risk management.”

According to eSchool News columnist Nora Carr, former assistant superintendent of the Charlotte-Mecklenburg Schools and an expert in educational communications, the key is to make sure all staff membersnot just teachersare well aware of the law, what information they can and cannot post online, and the consequences that can result from unlawful breaches of student privacy.

“When it comes to FERPA and other related issues, providing ongoing and annual training and information to all administrators and faculty members is vitally important,” Carr said. “You simply can’t do too much.”

Bradshaw said he could not comment on the Shiffler case in particular, because ED is still reviewing the complaint. However, he did say the department receives “several hundred” complaints a year in which parents allege their children’s privacy rights have been compromised illegally.

Whenever ED receives such a complaint, he said, it reviews the letter and then sends a notice to school district officials informing them of the complaint.

The department also asks the district to review its privacy practices and to look carefully for any potential violations. ED even offers to work with districts to help them achieve compliance.

“Through the years, we’ve almost always been able to help districts comply,” Bradshaw said. However, in those rare instances where attempts have failed, ED has taken school districts to court to force the issue. “We’ve never had to go the extent of cutting off funds,” he added.

Not backing off

Concerned not only for his child’s well-being but for the online safety of others, Shiffler said he believes ED should take full advantage of the law and squeeze off funds to those school systems committing blatant violations.

“It’s my primary goal to make sure everyone in the country knows about this. Things like this don’t need to be posted out there,” Shiffler said. “This is a big deal.”

Although it’s been nearly two years since the original complaint was filedand the offending site is no longer onlineShiffler said he has no intention of backing down. First, he said, the school district needs to admit its mistake: “As long as it is going to take for them to offer an apology to my familyto my sonthen I am going to make an issue of it. It’s not over by any means.”

For his son, Jordan, who has since graduated from the school and recently wrapped up his freshman year at a local college, the fallout from the controversy was, at first, difficult.

Jordan said he got the cold shoulder from the golf coach and other members of the team, who thought his family had overreacted to the web site.

“It’s been kind of bittersweet,” Jordan said of all the attention. “A lot of people know about it now, but nothing really has been done.”

Still, after his parents explained to him the dangers of the internet and what the information could have been used for, Jordan said he believes they were right to file the complaint.

Because the incident involved a boy’s golf team, Jordan said, many parents were not as sensitive to the issue as they probably should have been. “What if it was a girl’s cheerleading team, or a girl’s softball team?” he said. “It probably would have been a little different then.”

Links:

U.S. Department of Education
http://www.ed.gov

Wired Safety
http://www.wiredsafety.org

Paloma Valley High School
http://palomavalley.tripod.com

Perris Union High School District
http://www.puhsd.org/newweb/default.htm