Markey-Hatch student privacy proposal fails to fix FERPA foolishness

A newly released draft Senate bill addressing concerns over the security of student data is, at best, a swing-and-a-miss at the larger problems afflicting federal privacy law. At worst, it’s a damaging setback for the public’s right to know.

U.S. Sens. Edward Markey (D-MA) and Orrin Hatch (R-UT) released draft legislation Wednesday responding to widespread public alarm over a 2011 U.S. Department of Education rule that, in the view of critics, made it easier for schools and colleges to share identifiable student data with researchers.

The bill proposes updates to the Family Educational Rights and Privacy Act, the federal student privacy law, but does nothing to address the main problem afflicting FERPA: That its definition of confidential “education records” is grossly over-broad, enabling schools to conceal critical public-safety information or employee wrongdoing on bogus “student privacy” grounds.

To cite a recent example, the University of Michigan has been hiding behind FERPA to withhold information about why it waited four years after receiving a student’s sexual-assault complaint to take disciplinary action against a Wolverines football player who was “permanently separated” from UM last December.

If Congress revises FERPA without addressing the well-documented “overcompliance” problem that routinely results in the wrongful denial of requests for public records, that would be a colossal missed opportunity.

But the Markey-Hatch act may turn out even worse than that, for two reasons.

First, there’s a small but important tweak in the definition of what colleges are required to keep secret. Currently, a school or college must protect the confidentiality of “education records” or “personally identifiable information contained therein” (20 U.S.C. § 1232g(b)(1)). Under Markey-Hatch, here’s what is declared confidential: “education records and personally identifiable information held or maintained by the educational agency or institution.”

See the difference? “Personally identifiable information” will be confidential even if it doesn’t come out of an “education record.”

Given the tendency of college and school attorneys to take advantage of every excuse to conceal information, this could make a huge difference. Up until now, the U.S. Department of Education has been very clear that there is a difference between “records” (which are confidential”) and “information” (which is not). For the most part, so have the courts.

For instance, an Arizona judge granted the media access to emails, memos and internal correspondence from Pima Community College about Tucson mass-shooter Jared Lougher, a former PCC student, even though those documents clearly contained “personally identifiable information.” In the judge’s view, those documents were not “education records,” because they were not centrally maintained in a college database, and in fact might have been discarded or deleted at any time.

There’s a good chance that a future Loughner case would come out unfavorably for public access if Markey-Hatch becomes law. And you have to ask why anyone would want that result.

The second concern is that, under Markey-Hatch, schools and colleges would be instructed to actually create fewer records in the first place (“data minimization,” the proposed bill says). Institutions should respond to any request for records “with information that is not personally identifiable if applicable,” the bill provides.

That’s exactly the kind of squishy, open-to-abuse language with which FERPA is already overpopulated. It risks providing additional cover for irrational judgment calls — like the policy at the Ohio Department of Education, which won’t release district-by-district statistics on gun incidents for fear that people familiar with a particular district might match the district’s gun total to a known individual student. Even though knowing that the “1” in a particular district’s numerical tally corresponds to Johnny Jones doesn’t give away anything confidential about Johnny.

One of FERPA’s foundational weaknesses is the failure to confine schools’ duty of confidentiality to things that aren’t already widely known or readily observable. Markey-Hatch doesn’t even acknowledge, much less address, this critical weakness. Which is why Congress needs to hold comprehensive FERPA-reform hearings where those victimized by FERPA excesses can finally be heard alongside those clamoring for privacy-at-all-costs.