Personally Identifiable Information
The Family Educational Rights and Privacy Act of 1974, 20 U.S.C. § 1232g, commonly referred to as “FERPA,” entrusts educational institutions and EdTech companies to safeguard educational records and the “personally identifiable information” of students. FERPA and related data privacy statutes enacted at the federal and state levels revolve around several central terms, one being personally identifiable information.
Much confusion exists regarding what constitutes personally identifiable information. FERPA and state statutes, such as the Student Online Personal Information Privacy Act (SOPIPA) in California, places the onus on educational institutions and third parties to use sound information-security practices, which often include encrypting personally identifiable information.
FERPA defines personally identifiable information to include:
- The student’s name,
- The student’s family members,
- Personal identifiers, such as social security number or student ID numbers,
- Indirect identifiers, such as date of birth,
- Other information that would make a student’s identity when used alone or in combination with other information could trace back to a student.
So here’s the twist, a school may designate and disclose publicly selected personally identifiable information if students have an opportunity to opt-out. For example, here’s the directory information disclosure at the University of Michigan:
“Directory information may appear in public documents and may otherwise be released to individuals outside the University without the student’s specific consent. The University of Michigan has designated the following items as directory information: name, address, e-mail address, telephone number, UM school or college, class level, major field, dates of attendance at the University of Michigan, current enrollment status, degree(s) received and date(s) awarded, honors and awards received, participation in recognized activities, previous school(s) attended, height and weight of members of intercollegiate athletic teams.”
What gives? FERPA first states names are personally identifiable information, and then a school can disclose the information as directory information. Are you confused? So are a lot of people including faculty and the EdTech community.
I can remember the days when professors posted final grades on walls sorted by social security number; well, those days are numbered (no pun intended). Clearly, a social security number is not directory information. Student IDs can be used sparingly for students to access their educational records, such an LMS login. After that, EdTech companies need to exercise caution and sound judgment.
From our perspective, privacy, confidentiality, and security works together to safeguard students’ personally identifiable information and their educational records. Social Security Numbers are simply off limits, and we need to handle student IDs with sound security practices, such as transmitting data through an SSL/TLS tunnel and database encryption. Other unique identifiers traceable to educational records, such as an email address, should also be handled with similar security measures.
Mark from GradeHub