In this episode we look at FERPA in the context of other privacy frameworks and laws like FOIA, HIPAA, and HITECH. We compare FERPA to medical privacy records and look at how campuses need to move beyond FERPA to examine the real issues of learner privacy. Music: Peacefully by E'S Jammy Jams
Hello and welcome to episode two of the learnerprivacy.org podcast. I'm Charles Severance and I'm your host. Today's topic is FERPA. I call it the FERPA fig leaf. Most campuses have no privacy strategy beyond FERPA. FERPA is a grand privacy theater at most campuses. And we can hardly get through a faculty meeting without talking about FERPA. But before we talk about FERPA, I want to talk about an actual good standard. I want to talk about the standards for medical data privacy. Keeping the medical record private as a core value of the medical profession is just kind of how things have been done since the beginning of time. Now it was simple 50, a hundred years ago: you had one doctor and that doctor had your record, probably in their office on paper. And you saw one doctor your whole life. But at some point, as people started moving around in a society and getting different jobs and health insurance was involved, your medical record needed to follow you. And so there needed to be some rules about the exchange of that medical record. And HIPAA was introduced in 1996, and then another one called HITECH was the Health Information Technology for Economic and Clinical Health, that really built on it. So if you look, you see decades of effort building increasingly sophisticated and increasingly pointed standards and laws about medical privacy. The HITECH Act in 2008 encouraged healthcare providers to adopt electronic health records and improve privacy and security protections for healthcare data. It went right to it. This is about privacy and records, right? Now, if you were to go look at these documents, these laws, and if you were to build software, you would actually get practical guidance. They tell you things like: when should some kind of access be logged? How long should the log be kept? What precautions should you take so that people don't erase the log?
And that's just a tiny little fraction of the rules, meaning, I mean, it's certainly best practice, but it's also the law. Um, now there are criminal consequences, meaning that if somebody violates one of these medical privacy record acts, there can be a million or more dollar fine. People can go to jail and they have, right? Because again, the consequences of sort of misusing medical data, like looking something up on someone, you know, or an ex or something. Now here's another thing. It's not just laws. It's an entire industry. If you, for HIPAA conference, you'll find there are a number of HIPAA conferences. There are conferences run by the government. There are conferences that are run by private places. And if you look, there's many tracks and there's people speaking and they're always thinking, right? And so what happens is, this is an active industry that's interested in improving the efficiency of medical records, but at the same time, maintaining privacy. And so they think about it and then they change. They improve the laws, they improve them and make them better over time. So in a sense, if you look back for over 20 years, the legal structure for medical record privacy is a pretty impressive bit of legislation and its implementation is impressive. And then those that I know who work in the field understand it and think about it all the time and think about why this medical privacy is so important. So I'm impressed with medical record privacy. So with that, now let's talk about FERPA. So FERPA was passed in 1975. The latest revision is 2011. I would say, just go to the epic.org website about FERPA and just read through it and try in your mind to figure out where this series of revisions to legislation has anything to do with the handing of learner data to third party cloud servers, right? It's not about that. It's about releasing it.
FERPA prohibits educational institutions from disclosing personally identifiable information and education records without the written consent of the student or the student's parents. And the penalty is that schools that fail to comply with FERPA risk losing federal funding. There are no criminal penalties. There is no jail time associated with FERPA. If a school mistakenly releases information they weren't supposed to release, they risk losing federal funding. So that seems very, very different from the medical records. And you can get a better understanding of why it's so different if you figure out why it was created in the first place. So prior to FERPA, there was FOIA, the Freedom of Information Act. It went into effect July 4th, 1967. FOIA was really a trend in increasing government transparency. And you might expect that in the 1960s, there would be an interest in government transparency or increase in government transparency. If you go to most universities, especially state institutions, you'll probably go and find a salary book stuffed way back in the library. I've worked at a university my whole life. And yes, you go look at the salary book once and then you get all depressed about it, and then you never look at it again. But the reason the salary book is back in the library is because of the Freedom of Information Act. Now, of course, FOIA is fun for journalists, right? You can get a copy of a vendor contract and then write a really mean article about how bad that is, or you can, if you want, get the grades of a powerful person and then write a nasty article that has really nothing to do with what they're doing currently. It's just that 40 years ago, they got a C in their political science class. And so FOIA was sneaking into educational records. Now let's take a look at FERPA. So FERPA has some pretty shady beginnings. And here I'm quoting from the epic.org summary of FERPA.
FERPA was offered as an amendment to the Senate floor, to a bill extending the Elementary and Secondary Education Act of 1975. FERPA was not the subject of committee consideration. There were no public hearings and there was no testimony from institutions or individuals before FERPA was enacted. In a way, what this is, is sneaking a bit of legislation on the end of a very highly supported budget bill so that you can make a law and it sneaks into law without anybody noticing. In a later speech, Senator Buckley said that FERPA was adopted in response to the growing evidence of the abuse of student records across the nation. Now I'm going to guess that the abuse of student records across the nation was rich people who were getting tired of having their grades FOIA'd, right? So FERPA for all intents and purposes was a way to stop universities from giving up personal data for students. Now that doesn't mean it's a bad thing, right? I mean, it's just not a bad thing to protect student privacy, but the law had one purpose and one purpose only. And that is to keep grades from leaving universities. The only penalty: the school might lose federal funding. There's no criminal penalty. You could sue if somehow your data was revealed mistakenly, but you might only get pain and suffering. And that is a difficult lawsuit to win against a university. Again, I encourage you to look at the history of FERPA. They fine-tuned the notion about release of information. They didn't really fine-tune the transfer of information. Things like, you know, what if there was a disciplinary action or what if the police wanted the data, et cetera, et cetera, et cetera. So there was a whole bunch of things having to do with release because the first law was just, you can't release it. And then they sort of refined it to be more appropriate. There's nothing about cloud vendors. There's nothing about wholesale transfer of student learning activity data to a third party.
And compared to HIPAA, FERPA is a joke as a privacy standard. It's not a, it's a fine thing about dealing with the release of information, but there's nothing in it about handling, retention, consent, et cetera. So when a university counsel reads that law, they say, hmm, protect federal funding. That's important in a university. And so, pretty much when you're going to hand student data over to a third party, you don't think about the student's privacy. You just want to make sure that that third party is not going to get you in trouble with the federal government. And so you have a bunch of FERPA contracts. So you basically go up to them and you say, do you promise to follow FERPA? And the vendor goes, yes. And then that's that. And then, so the university is covered because if the third party does something wrong, they're like, no, they promised and we'll sue them or whatever. So, and for loss or whatever. And so a simple compliance strategy, which is what FERPA is, is not a privacy strategy. So what should we do? What should we do? We should get an inventory of all the places that we have our learners' data, of what data they have, how long we think they should keep the data. Let's come up with a common set of questions to ask our vendors about our learner data privacy. And let's get to the point where we've got a campus strategic plan that begins to think about addressing and improving learner privacy. Now IMS Global Learning Consortium has been working and will continue to work on this area. And honestly, I think we got to give this more attention. I said before that I'm coming late to this privacy party, but I think we all got to work pretty hard. And I think we all have got to teach those on our campus about this. So in summary, FERPA is not a law about privacy, and it's not a law about cloud ed tech services.
Let's look at the real risks of schools losing control of private student data and together let's move from checking the FERPA compliance box to actively protecting learner privacy. Cheers. See you on the net.
Thank you for listening to the learnerprivacy.org podcast. Our music is by E's Jammy Jams.