FERPA

It took me 4 cups of coffee to figure out how to reply to this question!  And it’s not because I didn’t know the answer. 

FERPA is the “Family Rights Privacy Act.”  It bars disclosure of students’ “education records.”

“Education records” (like grades, disciplinary reports, attendance) are defined by FERPA as records:

               (1) Directly related to a student; and

(2) Maintained by an educational agency or institution or by a party acting for the agency or institution.

That is the entirety of the definition, from which many things—like names, team participation, dates of birth—are then excluded.[1]

The punishment for a FERPA violation is loss of ability to qualify for federal funds…a scary prospect for any school.  A FERPA violation also comes with a heavy dose of self-correction and shame, as an institution must fix whatever caused the problem, and often, send out letters of correction/apology.

With ten years as an in-house attorney at a university under my belt (and thus, a ten years’ worth of “FERPA Fear” in my brain), the minute I read this submission, I thought: Pshaw, no student newspaper or magazine is an education record under FERPA!  These grants are fine.

That was at cup #1.  But as I started cup #2, I thought: But why are these grants fine?  Why is no student newspaper or magazine an education record under FERPA?  Technically, they could meet the definition.

And those cocky ten years in higher ed were giving me no reason for my answer. 

For a lawyer, an answer without reasoning is no answer at all.  So I kept sipping (and researching). 

As I settled into cup #3, I reviewed some FERPA case law.   But although this were fun to revisit, by the time I was brewing cup #4, I realized: This is not telling me why a student newspaper or magazine doesn’t meet the definition of “education record” under FERPA.

It was only when I re-read FERPA’s definition for “disclosure” that I could back up my instinctive answer with actual legal reasoning. 

Remember, FERPA bars “disclosure” of student education records.  As it says in 20 U.S.C. 1232g(b)(1) and (b)(2)):

"Disclosure" means to permit access to or the release, transfer, or other communication of personally identifiable information contained in education records by any means, including oral, written, or electronic means, to any party except the party identified as the party that provided or created the record.  [emphasis added]

As I sipped gratefully at cup #4, there was the answer: if any student newspaper or magazine has content in violation of FERPA, the violation happened the minute it rolled off the presses…not when the content was published to a larger audience. 

It’s a bit metaphysical (or perhaps ontological) but bear with me: Re-publication in the way the member’s question describes—while arguably making an original violation bigger—cannot create a violation where there was none before. In other words, if FERPA-protected educational records were already “disclosed” via a student newspaper or magazine, allowing other people (students, parents, advertisers) unauthorized access to education records, there was already was a violation, back when the content was first published.  And if protected records aren’t already disclosed, the re-publication won’t be a forbidden disclosure, now.

To illustrate this, here is a hypothetical.  Let’s say that in 1991, the New Hartford High School newspaper (the Tattler!) printed all of my grades (without my permission).  That would have been a FERPA violation, about which I could have complained to the U.S. Department of Education.

Fast-forward to 2019.  Let’s say the Tattler ends up on New York Heritage, where everyone could then see that during the first Iraq war, I was a very strong scholar in English and History, but things were…a tad lacking in Math. 

While that would be a continuation of the old FERPA violation, it would not be a new violation (even if I was just seeing it for the first time).  And while I could still conceivably make a complaint to the USDOE, asking them to ask the school to work with New York Heritage to take it down, my options to do so would be limited, since there is no private cause of action or right to sue under FERPA. 

So, while I cannot “clear” unseen content for FERPA violations (remember my Tattler scenario), I can say that a new FERPA violation will not be caused by posting already-published material on New York Heritage.

In that same spirit, I will now address the other question the member asks:  Are there any other legal reasons student [publications] could not be made available freely in an online repository?

I wish I could just say “No,” and everyone could not worry about this at all.  But we must never underestimate the creativity of lawyers and plaintiffs in finding new ways to threaten legal action!  If the content of a particular student newspaper or magazine is scandalous or allegedly harmful enough, an attorney could try to frame a claim around some type of defamation or personal injury action.  And of course, when publishing content, there is always a potential claim based on copyright or trademark….even if that claim turns out to be bogus.

But these cautionary words are based on highly speculative scenarios.  There is no outright bar on sharing student publication content the way there is for disclosing grades, health information, and attendance-related records.  And because the digitization of student publications creates a useful array of otherwise ephemeral material, and can be a valuable snapshot of a culture at a particular place in time, there are  strong legal defenses for the digitization and publication of them by not-for-profit entities.[2]

To position a student publication digitization project to stand up to legal threats, a solid understanding and articulation of why the project has academic, social, and/or historic value, and a clear ability to show there is no “for-profit” motive, are fundamental.  By thinking through a digitization project, establishing its social value, and documenting its adherence to professional and scholarly ethics, it is easier to defend making the material freely available—and searchable. 

The good thing about grant funding is that the application and reporting process often builds these analyses right into the project. 

Thanks for this stimulating question!

Depression.  Burn-out. Dissatisfaction. Lack of connection.  Lack of money. Lack of parking.

These are just some of the reasons students give when they choose to leave—or are forced to leave—their college or university before graduating. 

Many times, these reasons snuck up on them, although in hindsight, they could be seen: a pattern of missing classes, a downward trend in grades, maybe even dropping out of clubs and other campus activities.  And almost always, after a student leaves (often in tears) faculty and staff, coaches and friends, are left wondering: could they have done more[1]?

No matter what events led up to it, for each such incident of student “attrition,” the stakes are high: student loans, a sense of failure, the end of a career dream, and perhaps even a medical condition that went untreated while the student struggled on their own.

But what if the clues could be seen earlier?  What if the downward spiral could be stopped?

Fueled by increasing technological capabilities, many institutions of higher education are developing cross-campus, inter-sector systems to do just that: hoping to correlate the warning signs and fight student attrition through early intervention.  Using a variety of commercially available and home-programmed tech, they are tracking everything from dining hall meals, to class attendance, to visits to the gym.  These factors, as well as comments from concerned faculty or staff, are then routinely assessed and cross-checked for red flags. 

Because libraries are increasingly hosting classes and providing adjunct space for group work, it makes sense that such a system would consider tracking library usage.  After all, it can be a good sign that a student is just getting out of their dorm room!

But there is a tension within this well-meaning system.  College is where young adults journey to find their independence and privacy; promoting this maturation is part of a college or university’s purpose. Further, a net of privacy laws constrains the easy sharing of certain types of information.  But knowing the painful consequences of unchecked student struggles, many institutions work hard to find the right blend of metrics and policies to be able to intervene. 

Part of this hard work is finding the right path through that net of privacy laws.  As the member writes, the biggest privacy law of all, FERPA,[2] does allow such inter-departmental sharing,[3] and even parental notification about safety concerns, when the time is right.  It does this through both application of the law, and “FERPA waivers.”

But in New York, FERPA is not the only privacy rule to apply[4] to these information-sharing systems.  As the member states, New York’s Civil Practice Laws and Rules (the “CPLR”) §4509 (“4509”) also governs a student’s records—at least, their library records.  And it sets the bar high.

4509 is a short law where every word matters, so it is worth quoting in full here: 

Library records, which contain names or other personally identifying details regarding the users of public, free association, school, college and university libraries and library systems of this state, including but not limited to records related to the circulation of library materials, computer database searches, interlibrary loan transactions, reference queries, requests for photocopies of library materials, title reserve requests, or the use of audio-visual materials, films or records, shall be confidential and shall not be disclosed except that such records may be disclosed to the extent necessary for the proper operation of such library and shall be disclosed upon request or consent of the user or pursuant to subpoena, court order or where otherwise required by statute. [emphasis added]

As you can see, “college and university libraries,” even though they are part of larger institutions, are clearly covered by this law.

So how does 4509 impact the member’s question?

First, every library (academic or not) should have a clear sense of what it regards as “library records.”  As can be seen in the statute, the term is not precisely defined (“including but not limited to” leaves a lot of room for argument!).  Some of the obvious ones are listed in the law (circulation records, database searches, copy requests) but unnamed others could be just as vital to privacy (use of a 3-D printer, security footage covering the circulation desk, and in the member’s example, the use of research appointments).   And still others activities that use the library may or may not apply (classes conducted in the library, but not part of library programming, are arguably excludable).

To protect the records as required by law, a library must know precisely what records it must protect.  This is why, just like a public or association library, a college or university library should have a “Privacy of Library Records” policy clearly showing where it draws the line. Such a policy should also have a “subpoena response protocol,” so the library can train staff on how to receive internal and external third-party demands for information. 

And in a perfect world, this college or university “Privacy of Library Records Policy” should be known and supported by the institutional officer who oversees the library (a Provost or Academic VP).  This officer’s authority, from time to time, may be needed to ensure the policy is respected by campus safety officers, student disciplinary administration, and any other department that might want library records in service of another institutional purpose.  Librarians should not hold the 4509 lines alone!

Now, back to the member’s scenario.  Once a library knows precisely where it “draws the line” on library records, the member’s instinct is right: any access to information that falls within the institution’s definition of “library records” should be either denied, or allowed only as the law requires: via a signed consent from the user/student.

I know, just what every student wants—to fill out another form!  But these 4509 consents, just like a “FERPA Waiver,” are not only mechanisms to ensure legal compliance, they are a chance to educate students about their right to privacy. 

For instance, the consent form (I imagine it would be a digital click-through on a password-protected student account, but it could be a paper form) could say:

“The privacy of library records is protected by the law in New York State (CPLR 4509).  Your enrollment in the [SYSTEM NAME] will ask the library to disclose certain library records that are protected by this law.  As a library user at an library in New York, you have the right to keep your library records private.  A list of what [LIBRARY NAME] considers to be library records is here [link to policy].  If you would like to consent to the [NAME OF LIBRARY] sharing your library records with only [SYSTEM], please check the below consent:

[ ] I am at least 18 years of age, and consent to the limited sharing of my library records for purposes of sharing the information with the [SCHOOL NAME] [SYSTEM].  This consent does not allow sharing my library records, even within the school, for any other purpose.  No consent to share the records with external entities is give. 

I understand I will need to renew this consent every fall semester, and that I may revoke this consent at any time.

Of course, there is no legal requirement for annual renewal, but it is worth considering.  A year is a long time in the life of the typical undergraduate student, who may enter college with one set of civil rights values, and leave with another. With an annual renewal, the library not only complies with the law, but educates the student about their privacy rights on an annual basis.

So, to address the member’s final questions:

Have we crossed any lines here?

No.  By thinking about this issue during the planning phase of the system, you are making sure the lines are bright and well-defined.

Do we even need the opt-in statement?

You could call it that, but I recommend calling it a “4509 Consent.”  That would build awareness of this important law in our future leaders (and librarians).  Of course, as a lawyer, I may be biased as to how important that is (but it’s really important!).

Is this something clear or fuzzy/grey?

Not so long as your library has a clear and routinely evaluated policy defining what it regards as “library records.”  This can be tough at an integrated institution, where so much information technology crosses through different sectors.  But it should be done.

What should we be considering that we haven't thought of?  

I think you should consider buying yourself a nice cup of coffee or tea for doing your part to support a commitment to personal privacy in the United States of America and State of New York.  Unlike in the European Union, our privacy currently risks death by a thousand cuts.  Every bit of armor counts. 

Thanks.

And thank you.