Schools are responsible for keeping students safe, but they also need to balance safety measures with privacy protections. When emergencies happen, schools may want or be asked to disclose information about students. In doing so, schools must comply with the primary federal student privacy law, the Family Educational Rights and Privacy Act (FERPA). Schools must also avoid sharing information that could stigmatize students, make them feel that they can’t share their feelings with school staff, or incorrectly label them as a “threat”. To help schools ensure both safety and compliance with the law, this guide offers four best practices for information disclosure and answers five frequently asked questions about FERPA’s requirements for sharing information during health or safety emergencies.
According to the U.S. Department of Education, FERPA “is not intended to be an obstacle in addressing emergencies and protecting the safety of students.” In fact, the law includes exceptions to its general consent requirement, for emergencies such as natural disasters, disease outbreaks, terrorist threats, and active-shooter situations.
What are schools’ obligations under FERPA?
FERPA broadly prohibits schools from disclosing student records without the written consent of the parent or student. There are a few limited exceptions, including one that permits disclosure in emergency situations.
How much discretion do schools have in determining whether a situation rises to the level of a health or safety emergency?
The Department of Education defers to the reasonable judgement of educators to define emergency situations. A school simply must show that there is an “articulable and significant threat” and make a judgement “based on the information available at the time.” If a school official can explain why, based on available information, he or she reasonably believes a student to pose a significant threat, the school official may disclose, without consent, personally identifiable information from the student’s records to appropriate parties. This is a flexible standard, requiring only a rational basis for the school’s decision.
In response, many schools have implemented emergency response teams, which have been specifically trained to evaluate threats or emergencies. The team usually includes the principal, building manager, key office personnel, and designated teachers. If a school’s team uses clearly articulated guidelines to make decisions about disclosures, its decisions would likely meet the rational basis requirement.
To whom can schools disclose student information during a health or safety emergency?
“Appropriate parties,” in the context of a health and safety emergency, refers “to any person whose knowledge of the information will assist in protecting a person from threat.” Normally, this includes parties who provide specific medical or safety attention, such as public health or law enforcement officials. For example, a school could disclose health information to paramedics about a student who may be having an allergic reaction.
Appropriate parties may also include “any person who has information that would be necessary to provide the requisite protection.” This encompasses a range of persons, including current and former peers of the student and mental health professionals “who can provide… appropriate information to assist in protecting against the threat” as well as “a potential victim or the parents of a potential victim…. whose health or safety may need to be protected.” For example, students on campus and the surrounding community would be considered appropriate parties under FERPA if there were an active shooter on campus. This means that colleges may share some personally identifiable information if necessary, when they send out emergency warnings and create public logs of crimes reported to them, as required under the Clery Act.
Which kinds of student information can be disclosed during emergency situations, under FERPA?
FERPA permits schools to disclose, without consent, personally identifiable information from student records to appropriate parties in connection with a health or safety emergency.
In some emergency situations, schools may find disclosure of directory information – like name, address, phone number, or email- to suffice. For example, the school may disclose directory information to an emergency management agency that is trying to locate the parents of children who have been displaced in a shelter.
In general, student information that is not contained in students’ records can be shared with others without implicating FERPA. For the most part, law enforcement records, including investigative reports created by a school’s security staff, are excluded from the definition of student record because they are maintained by law enforcement, not the school. This means that if a school resource officer drafts an investigatory report regarding an allegation that a student possessed a weapon, that report may be shared with outside entities without implicating FERPA. However, if a copy of the report becomes part of the student’s disciplinary file – i.e. a student record maintained by a school – that copy then becomes subject to FERPA. Likewise, information about student behavior that an educator learns through observation discussions with students, and social media typically falls outside of the definition of a student record since the school does not maintain that information.
If the situation never rises to the level of an actual emergency, will school officials be held liable for FERPA violations?
While FERPA exceptions to consent requirements are generally restricted period of time in which an emergency occurs, school officials do not need to wait for a dangerous situation to materialize before sharing student information that could prevent a student from harming themselves or others. The 2008 FERPA regulations make it clear that school officials “must be able to release information from [student] records in sufficient time…. to keep persons from harm or injury.” Furthermore, even if a school official has mistakenly perceived an incident to be an impending emergency, federal officials typically only investigate systemic FERPA violations rather than good-faith mistakes.
While schools may share information with appropriate parties in emergency situations, schools should carefully distinguish between disclosures in response to specific, articulable threats and general school surveillance programs. Some studies have shown correlations between high levels of school surveillance and high percentages of minority students being suspended. Although protecting studetns’ safety is of the utmost importance, potential unintended privacy and equity consequences can result. Schools must strike a careful balance between protecting student privacy and the need to monitor and share student information in the interest of safety.