Recent NYSED Decision Highlights Need for School Districts to Protect Data Privacy – Privacy
United States: Recent NYSED decision underscores need for school districts to protect data privacy
To print this article, all you need to do is be registered or log in to Mondaq.com.
School districts must consider the sanctity and privacy of the data they maintain, as highlighted in a recent decision by the Office of the Privacy Director of the New York State Department of Education. This alert explains the recent decision, an advance guidance notice, and considerations for school districts going forward.
In Re North Shore: FERPA, Education Law 2-d and Directories
In Re North Shore was published on December 1, 2021. It examined the interplay between education records protected by the Education Act 2-d and directory information under FERPA.
Education Act 2-d relies on FERPA’s definition of personal information in a student record, defined as:
“(a) The name of the student; (b) The name of the student’s parent or other family members; (c) The address of the student or the student’s family; (d) A personal identifier, such as the student’s social security number, student number, or biometric record; (e) Other indirect identifiers, such as date of birth, place of birth, and surname mother’s daughter; (f) Other information which, alone or in combination, relates or may relate to a specific student that would enable a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to d identify the student with reasonable certainty; or (g) information requested by a person whom the agency or educational institution reasonably believes knows the identity of the student to whom the educational record relates . » [34 CFR § 99.3]
FERPA protects this information from disclosure unless: 1) there is appropriate consent to disclosure for the student who is the affected individual; 2) the disclosure falls within certain predefined exceptions; or 3) the information has already been designated by the District as “Directory Information”.
The latter method is usually achieved by designating the information as “Directory Information”.
FERPA defines directory information as including:
Information contained in a student’s academic record that generally would not be considered harmful or an invasion of privacy if disclosed. It includes, but is not limited to, name, address, phone list, date and place of birth, major field of study, participation in officially recognized sports and activities, weight and height of sports team members, dates of attendance, degrees and awards received, and most recent previous agency or educational institution attended. [34 CFR § 99.3]
Directory information may be disclosed if parents and eligible students are notified of:
- Types of information designated as directory information
- The right to oppose or refuse the disclosure of your child’s information
- The time within which such objection must be made after the publication of the extent of the directory information.
New York State Education Law 2-d adds a fourth security and privacy standard:
- Disclosure must benefit students
and education See Education Act § 2-d(5)(b)(1).
months before In Re North Shoreon August 5, 2020, the NYSED Chief Privacy Officer (CPO) issued a guidance notice on the interactions between FERPA and Education Law 2-d in the context of a FOIL request. There, the request was primarily for directory information, but the CPO was of the view that a response would be not benefit either the student or the District. The OPC discovered that it was providing the full name, mailing address, date of birth, and optional phone number of recent graduates to an alliance seeking to educate these students about their right to vote. does not have meet the additional test of “benefit to student or education agencyto warrant disclosure even if such information had previously been identified as directory information under FERPA.
Directory Information Disclosure
The importance of “student and district benefit” has been further explained in In Re North Shore. There, the district released the names of the students’ parents to the teachers’ union in response to a request from FOIL. In this case, the CPO discovered that the parents’ names were not listed as directory information; and the notice identifying the directory information never disclosed that any of the information listed as directory information would be used for the political purposes of a district vote.
These decisions are interesting because in the earlier advisory opinion, the CPO emphasized the final test of benefit to the student and the education agency as the defining test of whether school records could be released. to be used in an election while in the most recent About the North Shore opinion, emphasis has been placed on notifying data subjects in advance of how their information will be used.
These recent opinions offer useful advice for school districts. It is the responsibility of the districts to carefully review and update the notice provided to parents and eligible students when defining the data elements that also make up the directory information and the listed purposes for which the information will be disclosed. .
It is clear that the decision of About the North Shore and the August 2020 guidance notice will be used by the CPO to determine the appropriateness of any disclosure of this information. In practice, the broader the number of types of information identified as directory information in the notice and the permitted disclosure purposes, the less risk a district will be at from any disclosure.
Broad definitions of directory information limit liability following a security incident since the types of information most likely to be exposed will have previously been identified as publicly available information. Clearly, some information, such as social security numbers or financial information, cannot and should not be identified as directory information. Where possible, districts should consider describing these data elements generally (while recognizing that FOIL requests may request directory information).
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.
POPULAR ARTICLES ON: Privacy from the USA