A Tale of Two AG's: How UK's secret-records policy backfired

When universities confronted with demands to inspect their records claim “privacy,” it’s rarely out of selfless concern for their students or employees. It’s almost always because the documents would expose scandal or mismanagement that the institution prefers to keep hidden.

As with its perennial championship-contending basketball program, the University of Kentucky has elevated the secrecy game to heights rarely seen. Coach John Calipari’s hoopsters have mastered the no-look pass, and Kentucky’s legal department has perfected the no-look freedom-of-information request.

That is, until Kentucky Attorney General Andy Beshear whistled the flagrant foul.

To understand this inventive UK technique, travel back for a moment to 2012, when the University of Kentucky’s feisty student newspaper, the Kernel, was looking into reports that the Wildcats may have overstepped NCAA boundaries in recruiting Massachusetts prep star Nerlens Noel (no NCAA sanctions resulted, and after a stellar freshman season, Noel entered the NBA, where he’s now with the Philadelphia 76ers).

The Kernel sensibly asked UK, under Kentucky’s Open Records Act, for access to any correspondence between the athletic department and the NCAA about Noel, hoping to piece together indirectly the story the university wouldn’t address directly. Kentucky denied the request, citing the Family Educational Rights and Privacy Act (FERPA), which requires colleges to maintain the confidentiality of “education records.” (This was almost certainly not a legitimate use of FERPA, among other reasons because college athletes sign broad FERPA waivers allowing for the release of any information that their institution or the NCAA finds advantageous to disclose.)

As provided by Kentucky law, the dispute over the records ended up on the desk of Attorney General Jack Conway. Conway’s review was hamstrung, however, by UK’s lack of cooperation; the university aggressively claimed that even Conway’s attorneys could not review the records without compromising FERPA confidentiality, and refused to provide copies so the attorney general could verify the claim that the correspondence qualified for FERPA protection.

So Conway simply took the university’s word for it:

Since we were unable to review the relevant documents in camera, we rely on the University’s interpretation and application of the federal law, and its professed appreciation for the value of transparency, to ensure that public records are not improperly withheld in the name of student privacy.

This wasn’t just a basket for UK; it was an uncontested layup. All the university had to say was “we promise we’re not lying about FERPA this time” and — decades of well-documented university lies nationwide to the contrary — the records stayed secret, no questions asked. 

Conway’s logic was demolished by a subsequent state-court ruling in the case of a for-profit college being investigated by Kentucky regulators over claims of deceptive marketing practices. 

In that case, Lexington-based National College resisted investigators’ demands for records about the job-placement success of National’s former students, claiming that cooperating with the investigation would compromise students’ FERPA rights. The attorney general — yes, that attorney general, less timid than when facing off against the state’s basketball powerhouse — took National to court, arguing that the college was stalling consumer investigators with its unfounded FERPA claims.

A state-court judge agreed; even if FERPA did protect the job-placement records, the records could be protected by removing student names and by a non-disclosure agreement with the attorney general’s investigators: “National College’s attempt to invoke FERPA is yet another example of a continuing pattern of meritless litigation tactics to obstruct and delay the lawful investigation of the Attorney General.” The judge imposed sanctions on National, which the Kentucky Court of Appeals upheld earlier this month.

Fast-forward to 2016. After learning of a sexual harassment complaint filed against a UK entomology professor, resolved by an agreement that enabled the professor to resign with no finding of wrongdoing, Kernel editor William Wright asked the university to produce its files of the completed investigation. In a familiar refrain, UK invoked student privacy (as well as the privacy interests of the professor and attorney-client privilege) and denied the open-records request.

When the Kernel appealed to the attorney general, UK once again claimed that the requested records were so sensitive they couldn’t even be shared with the state’s lawyers — even citing Conway’s deferential 2012 decision as precedent.

Conway’s successor as attorney general, Beshear, wasn’t as credulous of Kentucky’s “trust-me-it’s-private” defense:

This appeal involves records containing allegations of misconduct against a professor, not a student, and we are not prepared, absent a review of the records, “for substantiation,” to accept the University’s characterization of them as FERPA protected student “education records.”

With no independent means of verifying the university’s exemption claims, Beshear sided with the requester and ordered the records produced, with minimal redactions to protect the identities of student complainants.

Beshear’s conclusion is logically consistent with the Kentucky Open Records Act, which provides:

The burden of proof in sustaining the action shall rest with the agency, and the Attorney General may request additional documentation from the agency for substantiation. The Attorney General may also request a copy of the records involved but they shall not be disclosed.

Since the burden of proof rested with the university, it was incumbent on the university to produce something besides its own assurances to override the open records act’s presumption in favor of disclosure. And UK failed to do so.

Department of Education rules allow educational institutions to share records with outside agencies “for the enforcement of or compliance with Federal legal requirements that relate to [education] programs” That workaround provides ample latitude for a university to share records with its own state attorney general when necessary to determine whether the university is bound by FERPA — a “federal legal requirement” that “relates to education programs” — to keep the records confidential.

In any event, records cease being confidential under FERPA once student identifying information is removed. The university could have provided redacted versions of the records for the attorney general’s independent review — if the university believed that an independent review would have supported its position that the documents are confidential. Evidently, the university did not believe its position could withstand verification.

The university’s best efforts notwithstanding, the documents are now largely public anyway. While the dispute was underway, a source provided the Kernel with detailed records of the university’s internal investigation, including copies of multiple harassment complaints dating back to 2012. 

Unless cooler heads on the university’s board of trustees step in, President Eli Capilouto is determined to continue fighting the now-pointless battle for secrecy, even if that means filing a potentially ruinous lawsuit against his own students’ newspaper seeking to overturn Beshear’s decision. 

If the university goes that route, “trust-me-it’s-private” will not work any more successfully in the courtroom.