The following was submitted as a formal comment to the United States Department of Education on May 23, 2011.  The links were added after for CLHE members.

Since the comment is a bit technical in nature, CLHE will provide a series of issues briefs for members to explain the issues.

Docket ID ED-2011-OM-0002

May 23, 2011

Regina Miles
U.S. Department of Education
400 Maryland Avenue, S.W.
Washington, DC 20202
Sent Via: Federal eRulemaking Portal at http://www.regulations.gov

RE: Family Educational Rights and Privacy Act Notice of Proposed Rulemaking

Ms. Miles:

On behalf of the Council on Law in Higher Education (CLHE), I want to thank the Department of Education for this opportunity to provide comments on the April 8, 2011 FERPA proposed regulations.

CLHE is an independent nonprofit organization that conducts analysis on policy and legal issues affecting the higher education system.  Colleges and universities from across the country, along with law firms and other organizations, receive our information and analysis.

Since the organization was founded in 1998, CLHE has focused extensively on FERPA, along with privacy and information security issues in general.  The organization strongly supports student rights, including meaningful privacy protections.

This comment will first provide a brief overview of our views.  Secondly, as requested in the notice, the comment will address issues in the same order as the proposed regulations.

I. Brief Overview

Many of the proposed changes lack statutory authority under FERPA.  There also is nothing in the American Recovery and Reinvestment Act of 2009 (ARRA) or the American Creating Opportunities to Meaningfully Promote Excellence in Technology, Education, and Science Act (COMPETES Act) that conflict with FERPA thereby rendering any FERPA statutory requirement moot.

While Congress has shown support for statewide longitudinal data systems (SLDS), it has not amended FERPA.  The Department itself has not attempted to argue in the proposed regulations that ARRA or the COMPETES Act has preempted FERPA in any manner based on a statutory conflict.

Instead, the Department appears simply to be supporting SLDS.  This support is demonstrated by the following passage that discusses the authority to audit or evaluate educational programs:

The Department intends these clarifications to promote Federal initiatives to support the robust use of data by State and local educational authorities to evaluate the effectiveness of Federal or State supported education programs.

It may be sound policy to push SLDS, however, this does not give the Department the authority to ignore the plain language and intent of FERPA to achieve that policy objective.  Congress is the lawmaking body and must choose to make any statutory changes, including changes to FERPA.

The Department spends a significant amount of time in the proposed regulations discussing the policy objectives of ARRA and the COMPETES Act.  Yet, in these FERPA proposed regulations, the Department does not discuss in any significant manner how it is ensuring that FERPA is implemented and enforced consistent with the critical goals and intent of the FERPA statute.

In fact, the proposed regulations focus on how FERPA is an obstacle to achieve the policy objective of SLDS.  The goals of FERPA, and as a result, student privacy, play a secondary role to data sharing programs.

II. Specifics

Authorized Representative (99.3, 99.35)

There may not be a definition of “authorized representative” in the statutes, but the statutory language does provide some clear guidance on its face.  The statute specifically allows disclosure of PII, in limited situations, to the Comptroller General, the Attorney General, the Secretary of Education, and state and local educational authorities.

The proposed regulations would allow the above-mentioned agencies to designate any entity or individual, be it public or private, to serve as the authorized representative of the agency.

For example, as stated in the proposed regulations, “there is no reason why a State health and human services or labor department, for example, should be precluded from serving as the authority’s authorized representative and receiving non-consensual disclosures of PII…”

The effect of such an interpretation is to read out the statutory language providing for only specific agencies to receive PII.  If Congress intended for a state labor agency or other third party to receive such data, it would have said this directly in the statute.

It appears that such an interpretation would allow agencies to designate almost anyone it wants so long as some type of argument can be made that the entity or individual is conducting, “with respect to Federal or State supported education programs—any audit, evaluation, or compliance or enforcement activity in connection with Federal legal requirements that relate to those programs.”

It begs questions, such as:*

•    Would this allow one state to designate an agency in another state as an authorized representative?
•    Could individual state politicians be considered authorized representatives?
•    Could private companies that have very strong interests in the data independent of the reason for the disclosure, be authorized representatives?

As stated in the proposed regulations, it has been longstanding Department policy to consider an authorized representative as someone who is under the direct control of the specifically listed agencies.  Such a policy was specifically explained in the “Hansen memorandum.”

This policy reflects a proper interpretation of the statute (limits authorized representatives to those agencies specifically listed in the statute) and addresses the practical problems of agencies trying to control the disclosure of information.

By limiting it to individuals under the direct control of the agencies, there is some assurance that the specific agency will be accountable and take appropriate measures.  Under the proposed language, the agencies would be able, and may be required to if a state legislature so desires, to disclose information to third parties that are unlikely to take measures to prevent the improper disclosure of PII.

The proposed regulations characterize the current interpretation as being “restrictive.”  The opposite is true.  The interpretation allows the agencies to go beyond just allowing employees to have access to data by allowing third parties to have access to data as well.

Recommendation: Codify the “Direct Control” standard into the FERPA regulations.

Education Program (99.3, 99.35)

By changing the requirement that “education programs” be administered by educational agencies or institutions, the Department is creating both legal and practical problems.

Looking at the legal perspective, the Department is taking an unreasonable interpretation of the term “educational program” in order for outside entities to evaluate educational programs that are completely unrelated to educational agencies and institutions, as well as completely unrelated to students.

This interpretation would, for the first time, allow institutions to disclose information on students even if the disclosure of PII is for a purpose not directly related to a student or does not serve some specific function for the institution. While all other permissible disclosures are related to students and institutions, for the audit and evaluation disclosure, there would be a special exception.  Such an inconsistency in relation to all the other disclosures is further evidence that “education program” is being interpreted improperly.

The practical problems of this extreme interpretation also are significant.  An “educational program” can mean almost anything as proposed in the regulations.  Anyone can be an education provider—the definition of “education program” does not limit who can be a provider.  The definition of “education program” also does not require anything more than the program is “principally engaged in the provision of education.”

While such a broad interpretation may help a state health agency review the records of college students so it can look back and see the success of a Head Start program, as discussed in the proposed regulations, it also may lead to the following sample situations, assuming the program is federal or state-supported:

•    A public education television station receives PII to evaluate demographics of contributors.
•    Planned Parenthood, as part of its health education programs, receives PII to evaluate their programs.
•    The National Rifle Association, as part of its educational programs about gun safety, receives PII.
•    Voter education/get-out-to-vote groups receive PII to evaluate their programs.

The term “education” does not just mean classroom education and when not limited to what educational agencies or institutions do, the term can be extremely broad (as demonstrated in the above examples).

Combined with the definition of “authorized representative,” almost any entity, be it public or private (or even an individual) could have access to PII so long as one program that it runs is “principally engaged in the provision of education.”

Recommendation: Do not change the existing FERPA regulations that require educational programs to be those administered by educational institutions and agencies.

Authority to Audit or Evaluate (99.35)

As the proposed regulations explain, FERPA does not create authority for authorized representatives to audit or evaluate programs.  Therefore, the FERPA regulations require that some type of legal authority be established.

This requirement is necessary to ensure that institutions and agencies are properly disclosing PII to “auditors and evaluators” as allowed under the FERPA statute.

Allowing authority to be established if it is “express or implied” would permit institutions and agencies to disclose PII to entities even if that agency has no right, outside FERPA, to access the information.

This interpretation makes little sense given that the audit/evaluation exception involves compliance and enforcement-related activities—these are activities where legal authority must be established (i.e. a government agency has no ability to enforce a law if it does not have clear legal authority to enforce a law—it can’t just argue that the authority is implied).

It is unclear what “express or implied” means.  Since legal authority is not required, this would suggest that “express” or “implied” does not mean that the authority must be expressed or implied in law.  It is difficult to determine what would be express if it were not expressly authorized in law.

As for implied, the Department appears to intend that “implied” can be ascertained by the situation and not what a law would imply.  This would allow agencies to have an almost unlimited ability to claim it has a right to PII.

From a practical perspective, institutions and agencies would have no objective way to figure out whether they can or should disclose PII under the audit or evaluation exception.  If a state agency claims authority exists because it is implied, regardless of what the law states, an institution or agency would have to struggle to figure out whether disclosing the information violates FERPA.

By requiring legal authority, there is a practical objective way for institutions to properly comply with FERPA—they would just need to review the legal authority that is used as justification for the disclosure.

Recommendation: Maintain the existing FERPA requirement that there must be legal authority for a third party to receive PII to conduct audits and evaluations.

Directory Information (99.37)

Prohibiting the directory information opt-out provision to cover students wearing ID cards and ID badges for safety reasons is consistent with the notion that FERPA was not designed to prohibit institutions from properly functioning—it also is comparable to the existing exception under 99.37 prohibiting the directory information opt-out from being used in a class (name, identifier, or email address may be disclosed).

In the proposed regulations, there is no limit on what directory information may be included on the ID card.  This could be problematic, if for example, institutions required unnecessary information such as address or phone number (such information could even pose safety risks to the student wearing the ID).

Recommendation: Make the proposed change but specify the directory information that can be displayed bearing in mind that some information would be unnecessary.

Section 99.37(d) (Limited Directory Information Policy)

Under existing law, institutions already can decide who will or will not receive directory information.  Even so, there has been confusion as to whether FERPA allows institutions to formally disclose directory information for specific parties and/or specific purposes only.

This proposal does give institutions more clarity regarding directory information and allows them to feel more confident in having a directory information policy without fear of the information bring misused.

It also would be helpful if this proposed change clarified that institutions can have different policies based on each specific type of directory information.  For example, it would be very useful for institutions to be able to communicate that certain directory information may be disclosed to specific parties but not other types of directory information.

Recommendation: Make the proposed change but also clarify the change may apply to each type or subset of directory information.

Enforcement Procedures With Respect to Any Recipient of Department Funds That Students Do Not Attend (99.60)

The FERPA statute does not authorize the Department to expand who must comply with FERPA.  The entire statute is drafted in a manner that makes it very clear that “educational agencies or institutions” do not cover student loan lenders, nonprofits, etc.

The FERPA statute states, “No funds shall be made available under any applicable program to any educational agency or institution unless the parents of students who are or have been in attendance at a school of such agency or at such institution…”

The third party entities discussed in the proposed regulations would not be covered—for example, a student does not attend a student loan lender.  The entire statute covers requirements that would not apply to these third parties.

Recommendation: Do not expand the FERPA enforcement coverage.

_______

I again appreciate this opportunity to provide comments on the proposed regulations.  As the Department finalizes the regulations, I hope that it will respect and protect the very important privacy objectives of FERPA.

Sincerely,

Daren Bakst, J.D., LL.M.
President
Council on Law in Higher Education

*These scenarios likely would be answered in the affirmative, especially when considering the other proposed changes in the regulations.

From NCES:

The 45th in a series of publications initiated in 1962, the Digest’s primary purpose is to provide a compilation of statistical information covering the broad field of American education from prekindergarten through graduate school. The Digest contains data on a variety of topics, including the number of schools and colleges, teachers, enrollments, and graduates, in addition to educational attainment, finances, and federal funds for education, libraries, and international comparisons.

NCES also released the Mini-Digest of Education Statistics, which is a pocket guide to useful education data.

Colleges and universities may soon be providing student data for an extensive interconnected system of state databases (i.e. a national student database).

This may come as a surprise to institutions, especially after there was some thought that a national student database system was prohibited in the Higher Education Opportunity Act of 2008 (HEA reauthorization bill).

The Higher Education Opportunity Act had a provision that on the surface may have appeared to take care of the problems with student data systems.  Specifically, the bill generally prohibited a federal student database where personally identifiable student data could be tracked over long periods of time.

Unfortunately, this prohibition was a charade.  The bill still expressly allowed states to maintain state databases and, even worse, for states to coordinate data systems between the states, thereby creating a national (not federal) system.

Some states already have been tracking students and matching their education data with other in-state data such as unemployment insurance data.  This type of extensive data matching system will now occur across state lines.

Higher Education Opportunity Act Language

SEC. 113. DATABASE OF STUDENT INFORMATION PROHIBITED.

Part C of title I (20 U.S.C. 1015) is further amended by adding after section 133 (as added by section 112 of this Act) the following:

`SEC. 134. DATABASE OF STUDENT INFORMATION PROHIBITED.

`(a) Prohibition- Except as described in subsection (b), nothing in this Act shall be construed to authorize the development, implementation, or maintenance of a Federal database of personally identifiable information on individuals receiving assistance under this Act, attending institutions receiving assistance under this Act, or otherwise involved in any studies or other collections of data under this Act, including a student unit record system, an education bar code system, or any other system that tracks individual students over time.

`(b) Exception- The provisions of subsection (a) shall not apply to a system (or a successor system) that–

`(1) is necessary for the operation of programs authorized by title II, IV, or VII; and
`(2) was in use by the Secretary, directly or through a contractor, as of the day before the date of enactment of the Higher Education Opportunity Act.

`(c) State Databases- Nothing in this Act shall prohibit a State or a consortium of States from developing, implementing, or maintaining State-developed databases that track individuals over time, including student unit record systems that contain information related to enrollment, attendance, graduation and retention rates, student financial assistance, and graduate employment outcomes.’.

This article explores the policy and legal implications of these databases.  It argues that the privacy and security problems with state database systems and a national database outweigh any benefit derived from additional data.

Congress and State Data Systems

As discussed in this National Journal dialogue and Inside Higher Ed article on state data systems, Congress is considering a new plan to reform student financial aid that would, in part, encourage the development of state data systems.  According to the National Journal:

Under the Senate’s proposal, states seeking to compete for funds through the program would have to create data systems that include all public postsecondary institutions within their borders. These systems would collect information on all students, including their secondary school record, financial status, entry and exit from colleges, job placement, and postsecondary earnings, among other information.

This push for state data systems, including interconnected systems, has significant momentum.

Some Context: Comparing the Real ID Act with State Data Systems

The public is far more familiar with the federal requirements imposed on states under the Real ID Act than with state education data systems.  The Real ID Act requires states to develop more sophisticated ID cards (including driver’s licenses).  The purpose of these requirements is to help improve national security.

Despite this important goal, there rightfully has been intense opposition to these requirements.  Many states have decided they will not comply with this law because it is a costly, unfunded mandate.
There’s little doubt that the primary reason the Real ID Act is facing such strong resistance is due to these costly, unfunded mandates imposed on states.  While a state education data system could be very costly, it probably wouldn’t be as costly as the requirements of the Real ID Act.  Congress also is probably going to fund these systems.  The costs imposed on states likely would meet little opposition from states because most of them want to build these data systems anyway.
The Real ID Act system, like state education data systems, also interconnects state databases.  States would be able to access data from other state databases and create a national ID system.

The privacy problems with the high profile Real ID Act likely would not be enough to block its implementation.   As a result, it is unlikely the privacy problems for the lesser known state education data systems will be enough to block their development.

However, there is one distinction that never seems to get mentioned.  The Real ID Act at least has the compelling goal of national security to balance against the privacy concerns.  State education data systems have the goal of enabling researchers to have more education data.  As much as researchers believe this is a compelling goal, it pales in comparison to national security.

It is difficult to see how anyone could oppose the Real ID Act on privacy grounds while supporting state data systems.  The privacy argument is much stronger when it comes to state data systems than with the Real ID Act, but unless the privacy concerns are raised by a wider range of interests, it won’t be enough to stop the momentum that exists for these databases.

Doesn’t FERPA Make These Databases Illegal?

No.  The Family Educational Rights and Privacy Act (FERPA) certainly places some limitations on the disclosure of student personally identifiable information, but it is unlikely that it prohibits the development of a national education data system.

In fact, Congress has been making it clear that it wants a national database that track students over time.  New statutory language supporting these data systems generally would take precedent over any limitations that FERPA may have placed on these systems. (new language trumps the old).

Don’t We Need Better Data?

To make informed decisions, having more data, on its face, should be beneficial.  Although, more data doesn’t necessarily mean better data.  There’s no question though that some of the data can help provide better assessments of the success or failure of certain programs.

Good Data v. Better Data

The question isn’t whether there should be good data or nothing.  The question is whether “better” data is worth the privacy problems when good data already exists.  There are already plenty of good data resources available for researchers and this data will only improve, even without tracking individuals from school to work (and beyond).  For example, excellent research is already derived through the use of sample populations, as opposed to using personal data on each individual.

There’s No Magical Policy Machine: Don’t Overstate the Data

Data may help to make policy decisions, but there are many factors that go into making good decisions.  If this wasn’t true, we could input data into a computer and let it make policy decisions for us.

Assume that a program isn’t helping to achieve its goal of higher graduation rates.  The policy solution may be to scrap the program.  The solution also could be to reform the program because the failure may have been caused through the implementation of the program.  It is possible the graduation rates would have been worse if not for the program.  The point: The data systems will provide helpful raw data, but there’s significant analysis that still must be conducted.

There also something called politics.  Policy analysts can have great data and often that will make no difference in the legislative arena.  Sometimes there are political considerations.  Sometimes there are legitimate ideological and philosophical considerations.

Even the statistics that would be derived from these state data systems could tell different stories depending on the researcher.  Some of these different “stories” are legitimate.  Often, the differences are a result of cherry-picking   As Mark Twain wrote, “There are three kinds of lies: lies, damned lies and statistics.”

Where’s the Data to Support State Data Systems?

The United States is about to create massive databases that will have major privacy implications.  Before we do this, where’s the objective evidence, the data, that suggests state data systems and a national system are so beneficial for education policy.

There’s a lot of conjecture, but there’s nothing to establish that states with large data systems have better education systems than other states.  Is there any evidence that having individual level data has led to beneficial results that never would have been possible without the individual data?

Privacy Issues

There’s an attempt to create a cradle to the grave system where all states can access your data.  States will track all of your movement and everything you do.  The data matching won’t be limited to how you did on the SAT but also on things such as whether you are unemployed.  There’s no logical stopping point as to what data would be compiled into one central database.

To believe the federal or state governments wouldn’t try and access the data for other purposes is not being realistic.  This treasure trove of personal information would be a goldmine for law enforcement, tax collectors, and plenty of other interests.

When it comes to personal information, sound practices to protect privacy have been carefully crafted and implemented for nearly three decades.  Institutions should know them well because FERPA captures these sound principles.

The Federal Trade Commission (FTC) lists the five core principles of privacy protection:

1) Notice/Awareness

“Consumers should be given notice of an entity’s information practices before any personal information is collected from them.”  With state data systems, notice is unlikely to exist.  Students won’t even know how the data will be used or who will be able to use the data.

(2) Choice/Consent

“At its simplest, choice means giving consumers options as to how any personal information collected from them may be used.”  Students likely won’t have any control over whether the information is disclosed, such as through opting-out or opting-in.  If students could opt-out, this would address some privacy concerns, but such a system is unlikely.

(3) Access/Participation

“It refers to an individual’s ability both to access data about him or herself — i.e., to view the data in an entity’s files — and to contest that data’s accuracy and completeness.”  Students are unlikely to be able to access their own records or challenge the accuracy of such data.  Imagine the government possessing a massive personal profile of you and the information being wrong.

(4) Integrity/Security

“The fourth widely accepted principle is that data be accurate and secure.”  The government hopefully would already take steps to secure data, but as will be discussed below, there still is significant risk of major security problems.

(5) Enforcement/Redress.

“It is generally agreed that the core principles of privacy protection can only be effective if there is a mechanism in place to enforce them.”  Will there be a private cause of action for students or some way for students to be able to seek redress?  It is unlikely with these state data systems.

Security Issues

Sometimes security issues are combined with the privacy issues.  However, privacy generally refers to the control of information by students or consumers, including when that information may be disclosed.  Security, on the other hand, deals with the protections in place to ensure that unauthorized parties do not gain access to student information.

The very idea of massive databases with sensitive personally identifiable information in one central location is chilling.  The issue is not if there will be a security breach but when there will be a security breach.

As diligent as governments may be to protect data, there always are lapses.  Once the information is stolen, it may be too late to put the genie back in the bottle.

A 2006 House Committee on Oversight and Government Reform report found that all the federal agencies it studied over a three year period had breaches.  “The report finds that every agency has experienced at least one such breach ["loss or compromise of personal information"] and that the agencies do not always know what information has been lost or how many individuals could be affected.”

Just a few weeks ago, the U.S. government suffered the largest release of personally identifiable information ever.  The breach was related to not properly erasing data on a hard drive that had sensitive health and discharge information on veterans.  The National Archives and Records Administration (NARA) is investigating the matter.

“This is the single largest release of personally identifiable information by the government ever,” Bellomy [NARA IT Manager] told Wired.com. “When the USDA did the same thing, they provided credit monitoring for all their employees. We leaked 70 million records, and no one has heard a word of it.”

These are just some examples of the many regular breaches of data that occur every year.  Now imagine breaches that include a compilation of personal data that would be unrivaled by any known government database.  The problems with identity theft could be astronomical in scope.

Conclusion

There’s a rush to move forward with a national data system without properly considering the privacy and security issues.  Before even considering these databases, those that seek to create these systems should bear the burden of showing why they are so necessary that the privacy of citizens is worth sacrificing.

_______

Daren Bakst, J.D., LL.M. is the President of the Council on Law in Higher Education

From NCES:

“Key findings include the following:

• About 36 percent of 1999-2000 bachelor’s degree recipients received at least one Pell Grant while in college.
• Higher percentages of Pell Grant recipients had at least one of several undergraduate risk characteristics (e.g., delaying postsecondary enrollment or failing to graduate from high school) than did nonrecipients.
• Parents’ education was the only factor consistently related to both time-to-degree and graduate school enrollment for Pell Grant recipients. Those whose parents did not attend college took longer to attain a bachelor’s degree and enrolled in graduate school at lower rates than recipients whose parents had a least a bachelor’s degree.
• Although Pell Grant recipients had a longer median time-to-degree than nonrecipients, when controlling simultaneously for parents’ education, undergraduate risk characteristics, and transfer history, recipients had a shorter time-to-degree than nonrecipients.”

The Department of Education released this press release on the study.