John Verdi, the Future of Privacy Forum’s Vice President of Policy, testified today before the Federal Commission on Student Safety meeting, “Curating a Healthier & Safer Approach: Issues of Mental Health and Counseling for Our Young.” He recommended that, rather than changing current federal student privacy law, the Commission should explore opportunities to educate school officials and other stakeholders regarding the existing legal authorities for sharing data to support school safety.
He provided three concrete recommendations that the Commission could follow to improve student safety and safeguard privacy:
- Be mindful of the full range of privacy risks and harms, as well as the importance of privacy safeguards, as it considers options to improve school safety;
- Support efforts to better educate and communicate with stakeholders regarding existing legal authorities that permit data sharing to promote health and safety within a framework that mitigates privacy risks to students; and
- Call for neutral, expert analysis of empirical data regarding the nature, extent, and leading causes of the key privacy risks and safety risks facing students and schools.
Mr. Verdi stated that the privacy risks pose particular challenges when they arise in the context of children’s or students’ personal information. Physical harm and loss of liberty are especially egregious when the victim is a child. Financial fraud and identity theft increasingly target young Americans, who are often unable to discover or combat the crimes until years later. Children are also susceptible to specialized schemes – including medical identity theft – that can create substantial health risks when multiples individuals’ medical records are merged as a result of the crime.
FERPA already contains a specific exception that permits information to be shared to protect the health and safety of students, whether the child in question is a threat to themselves, or to others. In 2008, the Department of Education amended FERPA regulations to remove the language requiring strict construction of this exception and permit disclosure when an articulable and significant safety threat exists. The Department assured school officials they would support the disclosure if there was a “rational basis for the school’s determination” at the time it was made.
The 2008 amendments adopted a “totality of the circumstances” test and the “rational basis” approach to Department review of school officials’ decisions. The “totality of the circumstances” test authorizes disclosure of protected student information when the totality of the circumstances suggest that disclosure would mitigate a health or safety threat; this test broadened schools’ authority, replacing the previous “strict construction” standard, which suggested that disclosure was only authorized when strictly necessary to preserve health and safety. The “rational basis” approach assures districts that the Department does not second-guess disclosure decisions from a perspective of perfect hindsight; instead, the Department will view assertion of the health and safety exception as appropriate if the district identifies an articulable threat that serves as the rational basis for the disclosure.
Mr. Verdi testified that untethering disclosure authority from the “totality of the circumstances” or “rational basis” tests would necessarily increase privacy risks to students. He also noted that a dramatic broadening of authority could increase sharing of student information in a way that overwhelms administrators with data, casts suspicion on students who show no signs of violent behavior, and fails to promptly identify individuals who pose genuine threats to school safety. In particular, he mentioned that mentally ill students can be disincentivized from seeking help if they fear that their privacy will not be protected.
Mr. Verdi advocated that the Commission instead focus on educating school officials and other stakeholders regarding the existing legal authorities for sharing data to support school safety. The Department of Education’s Privacy Technical Assistance Center (PTAC) has been vital for schools seeking practical guidance on FERPA. PTAC could publish guidance, hold training sessions, and provide additional technical assistance on this issue.
Finally, Mr. Verdi recommended the the Commission call for further research into the nature, extent, and leading causes of the key privacy risks and safety risks facing students and schools.
At a previous Federal Commission on School Safety listening session, FPF’s Amelia Vance, Director of the Education Privacy Project, spoke on the important balance between schools’ obligation to protect student privacy while providing a safe learning environment for students. She touched on the importance of schools being transparent about their interactions with law enforcement and that data sharing should only be engaged in when there is a serious threat of violence, not a minor infraction of a school code.
FPF is a non-profit organization focused on consumer privacy issues. FPF primarily equips and convenes key stakeholders to find actionable solutions to the privacy concerns raised by the speed of technological development. FPF’s Education Privacy Project works to ensure student privacy while supporting technology use and innovation in education that can help students succeed. Among other initiatives, FPF maintains the education privacy resource center website, FERPA|Sherpa, and co-founded the Student Privacy Pledge.
Read Mr. Verdi’s full testimony here.