Best Practices for the Release of Data Under FERPA During School Emergencies

• By Dian Schaffhauser
• 01/23/19

"A delicate balance exists between privacy and security in schools," a recent federal report on school safety noted. "On the one hand, there is the legal requirement to protect the privacy of student education records. On the other hand, it is critical to recognize that some education records may contain information that, if disclosed to appropriate officials, could help prevent students from harming themselves or others."

Finding the appropriate balance between disclosing information during a school emergency and adhering to the regulations of the Family Educational Rights and Privacy Act (FERPA) is the subject of a new two-page guide released by the Future of Privacy Forum (FPF). FPF is a nonprofit that advocates for privacy leadership and research in support of emerging technologies. According to the organization, the guidance is intended to help school personnel understand when and what to disclose. The goal is to be able to "distinguish between disclosures in response to specific, articulable threats and general school surveillance programs."

The guidance came out in response to the "Final Report of the Federal Commission on School Safety," which, FPF asserted, failed to address how to implement security measures while also including appropriate privacy protections. "For example," FPF noted, "the report recommends the use of 'appropriate systems to monitor social media and mechanisms for reporting cyberbullying incidents' but does not mention the privacy implications of such monitoring or appropriate privacy protections."

During the deliberative process, FPF testified about privacy issues and recommended better communication to stakeholders about current privacy laws [and] the importance of "creating 'privacy guardrails' in the context of school safety plans" and encouraged the Commission to develop specific guidance for schools on how to set up those guardrails.

"Unfortunately, the report offers little practical guidance to school officials on how to consider privacy safeguards as they implement programs to monitor threats, harden schools or train personnel," FPF said in a statement. "Privacy doesn't seem to have been a top concern for the Commission, even though its members heard testimony about ways to have both security and privacy."

As an example, FPF stated, the Commission's report advised the use of "appropriate systems to monitor social media and mechanisms for reporting cyberbullying incidents." It failed, however, to cover the privacy implications of those forms of monitoring or the appropriate privacy protections.

The FPF guidance offered four best practices for deciding whether to disclose student information and answered five "frequently asked questions" about FERPA requirements on sharing information during emergencies.

Among the best practices was this one: to "carefully consider potential unintended consequences, such as disproportionate effects on vulnerable populations, and balance those risks with the benefits of monitoring and disclosing student information." While complying with FERPA, the guidance pointed out, "schools must also avoid sharing information that could stigmatize students, make them feel that they can't share their feelings with school staff or incorrectly label them as a 'threat.'"

The federal report is openly available on the U.S. Department of Education's website.

The FPF guidance, "Disclosing Student Information During School Emergencies: A Primer for Schools," is available on its website.