During my elementary school years, every September my school would send me a packet, clad in pastel paperback, containing the contact information of my classmates: phone numbers, parents’ names, and home addresses. I recall that some of my peers’ numbers and addresses were not listed. At eleven years old, I found it a nuisance that I could not call a friend to hang out. Only a decade later did I begin to understand the legal complexities of the situation, at the intersection of policy, education, and consent.
The Family Educational Rights and Privacy Act (FERPA), enacted in 1974, sought to strike a balance between the protection and accessibility of sensitive information useful for educational purposes. Applying to K-12 schools and post-secondary institutions, FERPA stipulates that schools can make certain information termed “directory information” available to the public without students’ consent. This information included “name, address, telephone listing, date and place of birth, …. [and] dates of attendance”; email address was later added. FERPA was written with the 1974 notion of a directory in mind: a paper book printed and distributed for students to contact one another. There were no online social networks or searchable databases. Forty-five years later, that same spirit of print technology guides countless implementations of federal student information protections.
The possibilities for information abuse have multiplied with technological advances, but implementations of FERPA have largely remained the same.
Problems in these implementations have surfaced not because student privacy concerns are novel but because the concerns have evolved with our technological capabilities. FERPA originally emerged from parents’ calls for transparency in the handling of student and government records in the wake of the Watergate scandal. FERPA restricted what student information could be made available to the public to be directory information, seen as useful in, for example, printing a student’s name in a graduation program. More sensitive information, such as transcripts or Social Security numbers, henceforth was prohibited by law from being disclosed without students’ consent. The picture became more complicated with the advent of digital directories. A computer algorithm can rapidly harvest thousands of student records; and databases of addresses, employment histories, and other personal information enable criminals to identify students with a small amount of initial information. When students’ home addresses are accessible to anyone, threats ranging from unsolicited advertising to stalking can and do occur. The possibilities for information abuse have multiplied with technological advances, but implementations of FERPA have largely remained the same.
Students can opt out of directory information disclosure, but under FERPA, consent is not required for such disclosure to happen. Schools are required to notify students and parents of the right to opt out, in advance of the disclosure. This requirement, though, can be tucked into terms and conditions when a student and their parent are, for example, sifting through mounds of financial, academic, and health paperwork to enroll the student in their first year of college.
Schools have a duty to develop policies that responsibly handle their students’ information. Education boards should consider implementing the 2011 FERPA provision that allows institutions to designate certain information (e.g., home addresses) as “limited directory information.” Limited directory information could, for instance, restrict default access to home addresses to individuals attending or employed by that educational institution. The opt-out process is replaced by an opt-in model, where the institution proactively protects student information from the start. In a time of elevated consciousness about privacy, institutions might well pride themselves on how they protect their students’ information. Implementing this 2011 FERPA provision is one way they can do so.
The year 1595 saw the publication of the book The Names of All Such Gentlemen of Accompts As Were Residing in the City of London, which may be the world’s first directory. While modern databases hardly resemble that book, many schools’ policies for information protection remain essentially grounded in the idea of the directory as a purely physical object; implementing the 2011 FERPA provision for limited directory information is a step for all institutions to step into the reality of digitized directories. Today’s digital directories demand coordinated policy implementations that clarify and prioritize the responsibilities of institutions to protect the information of today’s students.
Austin Kraft (he/him/his) is a fourth-year undergraduate student at the University of Minnesota, Twin Cities, where he studies mathematics, linguistics, and computer science. He collaborates with other student leaders in advocating for updated university, city, and state policies on information protection to provide students with the peace of mind that they deserve.