New student-privacy rules that take effect this month address two burgeoning challenges in higher education: shielding students from computer-related identity theft and protecting them from peers identified as a potential threat by faculty members.
The altered privacy rules were outlined in the government’s newly revised Family Educational Rights and Privacy Act, known as FERPA, which went into effect Jan. 8. The federal Education Department (ED) released the new FERPA guidelines in response to both the April 2007 massacre at Virginia Tech and the growing threat of identity theft on campus.
Seung Hui Cho, a Virginia Tech student, killed 33 people, including himself, months after Cho’s behavior disturbed professors and other students. Many faculty members wanted to notify Cho’s parents of his behavior, but they thought it would violate FERPA rules.
"The purpose was to clarify the fact that schools may release information on students who are considered threats to themselves or others," said ED spokesman Jim Bradshaw. "There appeared to be enough confusion to clarify the rules. We wanted to make it crystal clear that schools could release student information to parents, law enforcement [personnel], … school officials, and health officials."
The FERPA update, for the first time, now states that privacy laws protect online students as well. The rules do not stipulate that colleges and universities must alert students when their personal information is stolen. However, most states have passed laws requiring colleges to notify students whose information has been compromised.
The rules state that students’ identification numbers–which have replaced Social Security numbers as identifiers on many college campuses–cannot "be used to gain access to education records except when used in conjunction with one or more factors" that "authenticate the student’s identity," such as a password.
The department’s original proposal was far different, barring the use of any identification number in college directories. But this more stringent version was scrapped after some higher-education officials complained that the proposed changes would have been a costly, logistical nightmare for campus IT administrators.
"That was of great concern to the IT folks, and legitimately so," said Steven McDonald, general counsel for the Rhode Island School of Design who specializes in student privacy law.
If that initial proposal had been enacted, U.S. colleges and universities would have faced a massive retrofitting process that would have charged campus IT chiefs with changing student ID numbers throughout their school’s network. The undertaking would have been expensive for colleges–and doubly painful during a recession that already has campus officials scrambling to maintain operating budgets.
In the new FERPA guidelines, which are available on ED’s web site, a swath of educators’ opinions is included, along with the department’s final decision on the ID number regulations. Some campus officials said the proposed regulations "did not go far enough" to prohibit the use of students’ Social Security numbers, pointing out that keeping SSNs on academic transcripts and electronic databases could jeopardize students’ identity.
Rodney J. Petersen, a government relations officer for the higher-education technology advocacy organization EDUCAUSE, said most institutions were satisfied with FERPA’s stipulation that alternative student ID numbers did not have to be treated "with the same sensitivity" as SSNs, but would still require passwords to access student data.
"It’s just one more reason why campuses should move away from SSNs as students’ primary identifier," Petersen said.
The FERPA document says some who commented on the proposed ID rules said treating student IDs as directory information "would improve business practices and enhance student privacy," because colleges would be encouraged to require more passwords and personal identification numbers to access education records.
The new regulations also allow more flexibility for higher-education officials, Bradshaw said, so campus decision makers won’t be faced with the quandary that Virginia Tech faculty faced.
"We purposely didn’t lay down hard and fast guidelines, because we wanted to give school officials flexibility to make that call" whether to share student information with authorities, Bradshaw said.
Not everyone is satisfied with the changes. The Washington, D.C.-based Student Press Law Center criticized the new rules, saying colleges’ newfound freedom to control student information would allow campus officials to stop journalists and parents from collecting basic statistics tracking campus safety and academic performance.
Frank D. LeMonte, the center’s executive director, said the information could be kept out of the public eye, because ED expanded the definition of what can be classified as a confidential "education record."
"[ED’s] interpretation flies in the face of every court ruling to interpret FERPA, and it goes well beyond what Congress intended in enacting the law," LeMonte said.
"The public has a right to know essential safety information, such as what steps administrators take when they catch a student carrying a gun into a high school. There is no legitimate ‘privacy’ interest in committing a felony on school grounds, and the department’s insistence on protecting the privacy of a would-be school shooter over the safety interests of the public shows just how arbitrary and irrational these rules are."
Bradshaw defended the department’s expanded definition of what can be considered student records.
"These regulations were an effort to strike a balance between confidentiality concerns and keeping parents informed about potentially dangerous situations concerning their kids," he said.