FERPA and Higher Ed Should Prioritize the Safety of Students’ Private Data

To counter increasingly common and complex threats to students’ privacy rights, schools must update their digital security standards

by Vins

By Mischa Geracoulis

Around the time of Richard Nixon’s presidency—a low point for public trust in government—families of K–12 students and adult college students raised concerns regarding the volume of sensitive, personally identifiable student information that schools, colleges, and universities were collecting and storing. Fifty years on, educational institutions still routinely collect and store Personally Identifiable Information (PII), such as students’ birthdate, gender, ethnicity, race, economic status, debt load, special needs and abilities, enrollment standing, grades, ID numbers, photos, contact information, and medical records. But today some or all of that sensitive data may be stored in databanks administered by third parties, such as the National Student Clearinghouse and Parchment.

Third-party storage and administration usually involve off-site servers contracted to maintain students’ academic records, including transcripts and credentials, and their health and medical records. Post-graduation, students must pay whichever service provider their school uses to obtain their transcripts.

The Watergate scandal had made clear that, without safeguards, private records could be compromised and misused. Following nationwide demands for government transparency and protection of student records, New York Senator James Buckley sponsored the Family Educational Rights and Privacy Act in 1974. Signed into law by President Gerald Ford, the legislation known today as FERPA aimed to regulate access to the personal, educational, and medical records of students in public and private primary, secondary, and post-secondary institutions. Consequently, since 1974—with few exceptions—schools, colleges, and universities cannot release or allow access to any PII without first obtaining signed consent from students 18 years and older (“eligible students”) or from a parent or legal guardian of students younger than eighteen.

FERPA was enacted before the internet and internet-based education technology (“EdTech”) existed, and its protection of student PII collected through EdTech is vague and inadequate. Regulatory amendments in 2008 and 2011 expanded FERPA’s “school official” exception so that contractors, consultants, and other third parties performing institutional services for schools, colleges, and universities may receive student PII without consent, provided the institution keeps direct control over their use of the data and they use it only for the purpose for which it was disclosed. Since then, any educational institution that instructs with EdTech or through third-party digital platforms, applications, and devices must ensure that those platforms are FERPA-compliant and that students’ private data stay that way.

According to the US Department of Education’s Student Privacy Policy Office—self-described as a “one-stop resource for education stakeholders to learn about data privacy, confidentiality, and security practices related to student-level longitudinal data systems and other uses of student data”—it is up to schools, colleges, and universities to make case-by-case determinations as to whether their students’ PII and other data are safely protected. Given that third-party platforms such as Google, Blackboard, YouTube, and Zoom automatically track website traffic and collect user information, FERPA stipulations offer minimal reassurance, particularly if there is no viable “user opt-out” function.

In early 2020, school closures due to the COVID-19 pandemic relegated most or all of the educational experience to virtual spaces and digital devices; much of it remains that way. EdTech companies regularly incentivize educational institutions to invest in their products and services, and the costs are passed on to students twice over: as higher campus IT fees, and as the risks to PII posed by the technology itself, not least controversial surveillance-based exam proctoring apps.

Pandemic-related instruction notwithstanding, many colleges have continued using digital platforms, often unnecessarily and without adequate vetting, assigning work that cannot be completed without those platforms, applications, and devices. When anyone, students included, uses a platform such as Zoom or Google, they are typically required to establish an account, thereby divulging some degree of PII. For this reason, colleges, universities, and other educational institutions must be transparent about their FERPA compliance, the limits of that protection, and the “Terms of Service” agreements students are bound by. Likewise, educational institutions should make opt-out instructions available to students in clear, concise language.

Students should also be informed as to how and for how long Zoom class recordings are retained, and who can access those recordings. The same requirements should hold for data submitted through learning management systems, such as Blackboard, and for student vaccination and other private health records submitted to their university through third-party medical vendors, such as Medicat. Students need to know whether and how their data are protected by FERPA or, in the case of medical records, by HIPAA (Health Insurance Portability and Accountability Act of 1996). The distinction matters: health records kept by a campus health service at a FERPA-covered institution are generally governed by FERPA rather than HIPAA, whereas an outside medical vendor may be covered by HIPAA, so the protections and the rules for disclosure differ depending on who holds the record.

Victor Kabata of Sorbonne University, Abu Dhabi, analyzed the privacy and security measures of the learning management system Blackboard to determine what safeguards, opt-out and data deletion capabilities, and intellectual property rights exist for students, instructors, and other users. Opting out of Blackboard is complex, it turns out, dependent on one’s country and state or province of residency, as well as on agreements between Blackboard and the contracted school, college, or university. The study’s findings indicate that the extent of users’ PII security hinges on how robust a school’s privacy policy is, as well as on federal laws such as FERPA in the United States.

In May 2022, the FBI reported the discovery of college log-in credentials on Russian cybercriminal forums and auction websites, triggering warnings to colleges to employ tighter cybersecurity for student data. Increased cyber risks for colleges are attributed to rapid, pandemic-propelled dependence on the internet and EdTech. That, combined with unprotected personal devices, more remote connections to weakly protected or unprotected school servers, and students’ use of open, unsecured Wi-Fi, has heightened cyber risks to the educational sector. The Federal Student Aid Post-Secondary Institution Cyber Team reported that between 2015 and 2019 (that is, before COVID-19) cyberattacks had increased more than 2,000 percent. Since 2020, cyberattacks on post-secondary institutions have succeeded more often than in any other sector.

Comparitech, a research organization that tracks cyberattacks and data breaches, has created maps, updated daily, that pinpoint ransomware attacks and reflect the prevalence of cybercrime. Its US map of cyberattacks on schools, colleges, and universities also estimates the cost of ransomware payments, data recovery, and downtime to educational institutions, as well as the number of affected students. Total costs for US schools in 2021 were $3.56 billion.

Some institutions’ FERPA-compliance departments have worked to upgrade cybersecurity for student PII. For instance, according to the Information Technology Services department at George Mason University, any digital application or software considered for use at or through the university must be reviewed by the Architectural Standards Review Board before implementation. Using third-party platforms not approved by the Review Board is officially prohibited; if students use unapproved digital platforms and apps, even for class assignments, their PII falls outside the scope of the university’s FERPA protections.

Because campus cybersecurity efforts are normally top-down, they’re too often ignored or only casually heeded by students and faculty. A 2021 survey of more than 2,000 college students found that approximately half of respondents had no cybersecurity concerns. Whether students are oblivious to threats, trust that their institutions are cybersecure, or simply don’t care is unclear. These survey results suggest that cybersecurity awareness is a 21st-century life skill that must be taught across campuses, especially as students’ online presence proliferates.

Two-factor authentication, while not failproof, is a step towards protecting students’ accounts when they access school email, student health services, online courses, and databases: a stolen or leaked password alone is no longer enough to log in. In fall 2022, US colleges and universities sent security alerts to students, warning of increased phishing and fake job offer emails, and of fraudulent two-factor authentication prompts, indicating that cyber attackers are already finding work-arounds. Two are well established: an attacker who already holds a password can trigger push notifications repeatedly until a worn-down user approves one, and a phishing page can relay a one-time code to the real login in real time. Factors that are bound to the website’s origin, such as FIDO2/WebAuthn security keys or passkeys, resist both, because there is no prompt to approve blindly and no code that can be copied to a look-alike site.
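The fraudulent-prompt attack described above leaves a distinctive trace in the identity provider’s logs: many push prompts to one account in a short window, mostly denied or ignored, sometimes followed by a single approval. The following is an added example, not code from the article, from any university, or from any vendor. It is a small Python detector that reads a constructed, invented log format (the field names, event names, sample accounts, and IP addresses are all assumptions made for illustration) and flags users who received more than a threshold of push prompts within a sliding time window, rating the alert higher when one of those prompts was approved.

```python
"""Detect MFA push-fatigue ("prompt bombing") from authentication logs.

Added example for this article; not code from the article's author or from
any identity provider. The log format below is a constructed illustration
(assumed field and event names), not any vendor's real schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one JSON object per line.
# jdoe: six prompts in under three minutes, five denials, then one approval.
# asmith: a single normal login.  bwong: five prompts, all timed out.
SAMPLE_LOG = """
{"ts": "2022-10-03T08:01:10Z", "user": "jdoe", "event": "mfa.push.sent", "ip": "198.51.100.7"}
{"ts": "2022-10-03T08:01:25Z", "user": "jdoe", "event": "mfa.push.denied", "ip": "198.51.100.7"}
{"ts": "2022-10-03T08:01:40Z", "user": "jdoe", "event": "mfa.push.sent", "ip": "198.51.100.7"}
{"ts": "2022-10-03T08:01:52Z", "user": "jdoe", "event": "mfa.push.denied", "ip": "198.51.100.7"}
{"ts": "2022-10-03T08:02:10Z", "user": "jdoe", "event": "mfa.push.sent", "ip": "198.51.100.7"}
{"ts": "2022-10-03T08:02:30Z", "user": "jdoe", "event": "mfa.push.denied", "ip": "198.51.100.7"}
{"ts": "2022-10-03T08:02:45Z", "user": "jdoe", "event": "mfa.push.sent", "ip": "198.51.100.7"}
{"ts": "2022-10-03T08:03:05Z", "user": "jdoe", "event": "mfa.push.denied", "ip": "198.51.100.7"}
{"ts": "2022-10-03T08:03:20Z", "user": "jdoe", "event": "mfa.push.sent", "ip": "198.51.100.7"}
{"ts": "2022-10-03T08:03:40Z", "user": "jdoe", "event": "mfa.push.denied", "ip": "198.51.100.7"}
{"ts": "2022-10-03T08:04:00Z", "user": "jdoe", "event": "mfa.push.sent", "ip": "198.51.100.7"}
{"ts": "2022-10-03T08:04:30Z", "user": "jdoe", "event": "mfa.push.approved", "ip": "198.51.100.7"}
{"ts": "2022-10-03T09:15:00Z", "user": "asmith", "event": "mfa.push.sent", "ip": "203.0.113.44"}
{"ts": "2022-10-03T09:15:20Z", "user": "asmith", "event": "mfa.push.approved", "ip": "203.0.113.44"}
{"ts": "2022-10-03T22:10:00Z", "user": "bwong", "event": "mfa.push.sent", "ip": "198.51.100.9"}
{"ts": "2022-10-03T22:11:00Z", "user": "bwong", "event": "mfa.push.timeout", "ip": "198.51.100.9"}
{"ts": "2022-10-03T22:11:30Z", "user": "bwong", "event": "mfa.push.sent", "ip": "198.51.100.9"}
{"ts": "2022-10-03T22:13:00Z", "user": "bwong", "event": "mfa.push.sent", "ip": "198.51.100.9"}
{"ts": "2022-10-03T22:15:00Z", "user": "bwong", "event": "mfa.push.sent", "ip": "198.51.100.10"}
{"ts": "2022-10-03T22:17:30Z", "user": "bwong", "event": "mfa.push.sent", "ip": "198.51.100.10"}
"""

PUSH_SENT = "mfa.push.sent"          # assumed event name: a prompt was pushed
PUSH_APPROVED = "mfa.push.approved"  # assumed event name: the user tapped approve


def parse_log(text):
    """Parse JSON-lines records into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_push_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per user who received >= threshold prompts inside any
    window-long span.  Thresholds are assumptions; tune them to real traffic."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        sent = [e for e in evs if e["event"] == PUSH_SENT]
        # Sliding window over prompt timestamps: keep the densest burst found.
        start, best = 0, None
        for end in range(len(sent)):
            while sent[end]["ts"] - sent[start]["ts"] > window:
                start += 1
            n = end - start + 1
            if n >= threshold and (best is None or n > best[0]):
                best = (n, sent[start]["ts"], sent[end]["ts"])
        if best is None:
            continue
        n, t0, t1 = best
        # An approval during or shortly after the burst is the dangerous outcome:
        # the attacker now has a session.  A burst with no approval is still
        # evidence that the password is already compromised.
        approved = any(e["event"] == PUSH_APPROVED and t0 <= e["ts"] <= t1 + window
                       for e in evs)
        ips = sorted({e["ip"] for e in sent if t0 <= e["ts"] <= t1})
        alerts.append({
            "user": user,
            "prompts": n,
            "window_start": t0.isoformat(),
            "window_end": t1.isoformat(),
            "source_ips": ips,
            "approved": approved,
            "severity": "high" if approved else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Two design points. A burst without an approval is still worth a medium alert and a forced password reset, because the attacker could only generate the prompts by already knowing the password. And this is detection after the fact; the preventive fix is the one the article points toward, a factor that cannot be approved blindly or relayed, such as an origin-bound security key or passkey.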

The Department of Education’s Student Privacy Policy Office acknowledges that FERPA’s protection of PII differs depending on whether records are kept on paper or digitally and whether third parties handle them. In 2012 the Office’s Privacy Technical Assistance Center outlined preventive measures for educational institutions, as well as ways to respond to data breaches. But that guidance is now a decade out of date, and it does not adequately address ransomware. PII protection must be given higher priority, and both FERPA and school, college, and university cybersecurity need to be modernized to reflect the increasingly common, complex digital threats to students’ privacy rights.

Mischa Geracoulis is a journalist and educator who serves as a contributing editor at The Markaz Review and on the editorial board of the Censored Press. Her teaching and research are focused on the intersections among human rights education, critical media literacy, and ethics. Follow her on Twitter @MGeracoulis.