Aug 5, 2024

FERPA Exceptions: A Study in Studies

FERPA Exceptions: A Study in Studies
FERPA Exceptions: A Study in Studies
Author Alexa Mooney

The Family Educational Rights and Privacy Act, or FERPA, protects personally identifiable information from education records from unauthorized disclosure. The Law has been affording parents privacy rights over their children’s education records for almost half a century now; indeed, the fiftieth anniversary of FERPA’s passage is this August 2024. As FERPA’s golden birthday approaches, FPF is taking a closer look at some of its finer points and how they are functioning in practice fifty years later. This blog post examines one of FERPA’s exceptions to the requirement to obtain parental consent before disclosing student personally identifiable information, the “studies exception”. [1]34 CFR 99.31(a)(6)

Schools and Research Data Access

Given the wording of the phrase “studies exception” and that the exception allows for sharing student data with researchers under certain conditions, conflation of the studies exception with the idea of a general “research” exception is not uncommon. Perhaps this blog post even reached your attention following a search for school research laws or how research operates under FERPA. Some may be surprised to learn that there is no research exception under FERPA at all: no provision of the law allows for the general sharing of student information for research purposes without parental consent. 

Though no general research exception exists under FERPA, varying types of student data remains imperative for a number of research objectives. Researchers may be interested in original data created and collected specific to a particular research project (primary research), such as interviews, focus groups, observations, and surveys,[2]Another federal law, the Protection of Pupil Rights Amendment (PPRA) governs conducting student surveys on certain protected topics concerning sensitive information, such as psychological problems, … Continue reading  or data collection through third-party applications. They may also be interested in using existing datasets (secondary research) collected as the byproduct of natural educational processes, such as administrative records or assessment records. Using primary or secondary research to inform longitudinal or correlative studies may be the first that comes to mind when thinking about using student data for research; however, an incredibly broad range of uses exists beyond the purely academic purposes often associated with researchers. Any role in the process of improving instruction may handle student data research. Studentdata can help inform the effectiveness of a particular assessment product. It can help EDTech vendors or community partners determine whether learning objectives are met using their product or program. It is even important for teachers conducting action research as a requirement for Masters in Education degree or writing dissertations. School employees may be responsible for designing or approving extracts of data that researchers use. A broad range of research uses for student data all benefit from access to it; we will examine the requirements for security and privacy necessary to reap the benefits.

FERPA and the Studies Exception

In order to access the education record data needed for research purposes, a researcher must meet the requirements of FERPA, any state-specific laws, and district and state policies. The general rule under FERPA is that parental consent is required  prior to disclosing personally identifiable information from a student’s education record unless an exception applies. Written parental consent must specify the records that may be disclosed, state the purpose of the disclosure, and identify to whom the disclosure may be made. If a researcher would like to collect new data from students, more detailed consent may be appropriate, even if an exception applies. [3]If human subject research is being proposed, researchers should also be aware that the institutional review board (IRB) of a relevant academic institution will likely have additional protocols that … Continue reading

FERPA exceptions refer to conditions or situations where it is not necessary to first obtain parental consent before disclosing personally identifiable information from a student’s education record. Parental consent is not needed to share student data under the studies exception, given that specific requirements are met. Personally identifiable information from education records may be disclosed in connection with certain studies conducted “for or on behalf of” schools, school districts, or postsecondary institutions. In order for the FERPA studies exception to apply, those studies must be for specific purposes: 

    • the purpose of developing, validating, or administering predictive tests;
    • the purpose of administering student aid programs; 
    • or the purpose of improving instruction. 

Furthermore, there must also be a written agreement between the school and the researcher performing the study. The written agreements must do several things, including: 

    • specify the purpose, scope, and duration of the study and the information to be disclosed; 
    • and require the receiving organization (or researcher) to:
      • use personally identifiable information only to meet the purpose(s) of the study;
      • conduct the study in a manner that doesn’t permit the identification of parents or students by anyone other than  representatives of the organization with legitimate interests; and 
      • destroy the personally identifiable information upon completion of the study and specify the time period in which the information must be destroyed. 

Compliance with these requirements is imperative, and noncompliance can come with repercussions. For example, if the Department of Education determines that the researcher improperly re-disclosed personally identifiable information from education records, the educational institution from which the personally identifiable information originated may not allow that researcher to access personally identifiable information from education records for at least five years. [4]34 CFR 99.67

Even if requirements for the FERPA studies exception are met, researchers are not entitled to a right to access student data. The FERPA studies exception does not function in the way that a public data request or Freedom of Information Act (FOIA) request does: there is no absolute public right for an aspiring student data researcher (or anyone, for that matter) to demand the student information they need from a school. A public data or FOIA request would not require a school to generate data not already in existence – which would even include creating new reports for existing data – that many proposed studies would necessitate. The FERPA studies exception makes clear that the educational institution authorizing the study is not required to initiate a study, meaning the school can respond to a researcher’s request and/or approve it. However, they are not required to approve all research requests: the school may also deny them. And even if a school authorized the use of student data for a study, the school is not required to agree with or endorse the conclusions of the study.[5]34 CFR 99.31(a)(6)(iv)

Written Agreements

School districts tasked with creating a written agreement that complies with the FERPA studies exception requirements need not start entirely from scratch: excellent resources exist to help with this task. The United States Department of Education has provided guidance on best practices for the written agreements required under the studies exception to FERPA. Their guidance includes a number of recommendations for navigating these agreements, such as recommending that the written agreement bind not only an organization conducting the research, but also individuals; include an agreement not to redisclose data collected or used for the relevant study; and specify data custodians or stewards [6]For more information on data stewardship, the Institute of Education Sciences has a SLDS technical brief provided here. who are directly responsible for managing the relevant student data. Other best practices include clarifying ownership of the personally identifiable information from education records, identifying clear penalties for misuse or breach of contract, setting responsible and appropriate terms for data destruction, and allowing the school to review and approve reported results. Informing the public about written agreements related to school studies is also a best practice, as it promotes transparency and builds trust. The Student Data Privacy Consortium’s National Research Data Privacy Agreement (NRDPA) is a model written agreement specifically designed to standardize the various required components for the studies exception, for secondary research. The NRDPA is intended to be part of, not a replacement for, a district’s broader research data approval policy. Before simply adopting the NRDPA, districts should review it with their general counsel to see how it will support their existing research policies.

School District Research Policies

Administrative procedures already exist in many cases to support compliance with FERPA for research data requests. Most schools already have policies in place for research approval. Though researchers may be versed in research ethics, they may not know the basics of student privacy. They may not be fully aware of the student privacy and security risks, or of the potential for harm of misusing or improperly sharing student data. And though a university study will likely be guided by an Institutional Review Board (IRB) policy to ensure that the research conducted is legally compliant, ethical, and protective of its participants, this may not be enough to protect student privacy. IRBs may interpret FERPA narrowly [7]FERPA may be interpreted narrowly in wake of decisions such as: the Owasso decision, which interpreted a narrow view of what constituted educational records, what it means for those records to be … Continue reading, and some types of research, such as big data research, may be exempt from IRB approval and nearly impossible to acquire informed consent. Robust school district research policies are one way to help protect student data privacy while still benefiting from student data research.

Research policies may include guidelines for conducting primary research data, requesting secondary data, creating strong definitions, and providing applicable legal frameworks, such as in Chicago Public School District’s Guidelines for External Research and Data Collection. Policies may also indicate who may conduct research, what to do in the case of a conflict of interest, and how the research proposal and approval process works, such as in Boston Public Schools’ Policy and Guidelines for Conducting Educational Research. As the risks of harm from misusing student data are high, some districts’ policies – such as Palm Beach County Schools’ research policy – even require researchers who will be collecting or accessing students’ personally identifiable information to undergo background screening and provide evidence of good moral character. 

Researchers hoping to work with a specific school district should search for or inquire after the district’s research policy. School districts without existing research policies should strongly consider creating one, paying close attention to FERPA requirements and to supporting student data privacy and security: the National Forum on Education Statistics has guides for supporting data access for researchers, both from a Local Education Agency Perspective and from a State Education Agency Perspective

In Conclusion

Research conducted using student data is done for a wide range of purposes and, when done well and safely, can provide an equally wide range of benefits. Research can support individual learners and student success, and better inform decision-making, such as building a curriculum or developing a new instructional program. Before working with a school to collect new or use existing data, researchers should think critically about the type of data they want, and more importantly, the type of data they really need. Is student personally identifiable information really necessary for the study, or would aggregate data be sufficient? Would de-identified data? [8]For more information on de-identified student data, take a look at FPF’s whitepaper on De-Identification & Student Data. Researchers should work closely with schools to support student data privacy, strictly abide by school research policies, and implement recommended best practices under the FERPA studies exception. School districts that agree to share student data with researchers should develop and maintain strong research policies developed with both FERPA compliance and student data privacy and security in mind. Fifty years of FERPA has taught us that commitment to these practices from both participating schools and researchers can help support student data privacy for the next fifty years, as well.

Related Resources

  • Blog

    New Title IX Rule Defines Deepfakes as Sexual Harassment

    Aug 14, 2024Chloe Altieri

    On April 19, 2024, the U.S. Department of Education released updated Title IX Regulations that clarified schools’ ability to raise incidents of harassment usin…

    Learn More
  • EdTech Perspectives

    Demystifying the Consumer Privacy Patchwork

    Jan 18, 2024Randy Cantz

    What should edtech companies know about consumer privacy laws?As states continue to pass new consumer privacy laws, edtech companies may be left wondering what…

    Learn More
  • Higher Ed Perspectives

    Higher Education Compliance with Updates to the GLBA Safeguards Rule

    Jul 6, 2023

    Higher education institutions participating in the US Department of Education’s federal student aid programs need to be aware of recent updates to requirements…

    Learn More