A great deal of my professional life is spent trying to make a body of law from the analog age, the 1976 Copyright Act, fit into the digital world. It is a difficult task, but today I want to discuss a different body of law from the same era—the Family Educational Rights and Privacy Act of 1974 (FERPA), aka the Buckley amendment—and how it can fit with the new activities we are engaged in in the online age.
There is an extra layer of complexity when we talk about privacy today, since there is a lot of rhetoric out there about how online communication and social media have virtually eliminated privacy from our lexicon. The NSA has not helped with this perception, it must be said. In a recent article in Inside Higher Ed about a brief controversy at Iowa State University, a student who has been trying to establish a “Digital Freedom” group remarked that “[s]urveillance is becoming so commonplace and integrated into daily life that the mere suggestion of educating ordinary computer users about popular tools and techniques to protect privacy can be seen by some as potentially dangerous and disruptive.” Nevertheless, FERPA obligates educational institutions and their employees to respect the privacy of student educational records.
Our institutions want to take advantage of new technologies on our campuses, often for sound pedagogical reasons. And librarians are frequently asked to help faculty members develop new teaching methods that employ these tools—student works on YouTube or Pinterest, course blogs on WordPress, a Twitter feed about a class project. Now we even have “flipped” classrooms, where registered students may be required to enroll in a MOOC as part of their on-campus class experience, thus providing some potentially protected material to a third-party MOOC provider. How can we facilitate these activities and also remind our colleagues about responsibilities related to student privacy?
We should start with a few basic facts about FERPA (note that this column is intended as education but definitely not as legal advice). The law gives students some basic rights over their own “educational records,” including the right to consent to any disclosure of those records. Students who are eligible to exercise this right to consent (or not to consent) are those 18 years of age or older, or any student enrolled in a postsecondary educational institution. For a student under 18 and still in K–12, the right belongs to the parent(s). Educational records are defined as any personally identifiable information about a student that is “maintained” by the educational institution and/or its employees or agents. Finally, schools are allowed to designate “directory information” about students that can be revealed without consent; there is a list of kinds of permissible directory information, and students have the right to opt-out of disclosure of even this directory information by proactively informing the institution of that decision.
FERPA has come before the Supreme Court of the United States twice. In the first case, Owasso Independent School District v. Falvo from 2001, the court held that having students grade one another’s work did not violate the protections in FERPA because the grades were not “maintained” by the institution at that point. The case illustrates that FERPA is really not intended to interfere with legitimate pedagogical practice. Similar comfort can be drawn from a 2002 case, in which the Supreme Court held that FERPA did not give students a private right to sue an institution or its employees for failing to meet their obligations; the enforcement of FERPA is entirely in the hands—really the pocketbook—of the federal government, acting through the Department of Education.
From the Owasso case we can take one important point about the use of social media in classes. The postings to a blog or Facebook page may not qualify as protected records because they are never maintained by the institution. When students post material they have written or recorded in some way directly to a public Internet page, they have bypassed the traditional stage of “handing it in” and, perhaps, never created the kind of educational record with which FERPA is concerned.
Nevertheless, there may still be concerns about this sort of activity. Even if the works themselves do not qualify as protected educational records, it is likely that information beyond what an institution is allowed to disclose may be revealed during this kind of activity. The fact of a particular student’s enrollment in a specific class, for example, might become obvious from a class site or blog, and those facts are not part of the permissible directory information. Also, there may be some students who have opted to suppress even directory information—unfortunately our students occasionally have good reason to exercise this option—so even the name of the student would need to be protected.
All this provides some context for the “flipped” classroom situation. When our own students—students toward whom we clearly have all of the obligations imposed by FERPA—are required to register with a third party in order to take a MOOC that is being incorporated into regular instruction, there are two kinds of potential disclosure. First, both directory information and protected information, including actual graded materials completed by students, are potentially disclosed to the third-party provider. This is different than a course management system, after all, which is usually housed on our own servers and administered by our own personnel. Second, some identifiable information, possibly beyond mere directory data, could be disclosed to the other MOOC participants. Unlike in a face-to-face classroom (such as was at issue in Owasso), these other MOOC participants are not all also our students, so disclosure to them might be problematic.
It is possible, but debatable, that the MOOC provider itself may fall into an exception in FERPA that allows disclosure to school officials with a “legitimate educational interest” or to “specified officials” for the purpose of evaluation. The scope and applicability of these exceptions will probably depend on the exact terms of the relationship between the institution and the MOOC provider, so attention to what is said in any contracts between those parties and any other commitments undertaken by the provider may be important. And, in any case, there will still be cases in which even directory information may not be revealed, which would make that second type of potential disclosure, to other MOOC participants, a real problem for flipping the classroom.
I have been telling our instructors who discuss flipping their classes, as well as others who want to have students participate in academic work via social media platforms, to consider taking four relatively simple steps to avoid prohibited disclosures under FERPA:
- Give students advance notice of the range of activities that will be required, including the nature of platforms on which their work will be disseminated or displayed. Don’t surprise students by telling them about having to work in the public eye halfway through a semester.
- Allow students to use a pseudonym if they wish when participating in social media activities or otherwise putting their work in public. By simply keeping their names secret, and sharing the identity behind the pseudonym only with the instructor (or also with classmates, if appropriate), many potential problems can be solved. But pay attention to registration requirements and rules for various platforms; pseudonyms may not work for certain public activities, and a pseudonym will not help if the email address that must also be provided reveals the student’s name or is easily traceable through an online directory system.
- Take the opportunity to remind students not to post personal information on social media sites. This may seem like a lost cause, but pausing for a teaching moment, in which students see that the institution and their instructor(s) are taking their privacy seriously, might pay dividends and prompt them to protect themselves in other contexts as well.
- When necessary, allow for an alternative assignment to fulfill the class requirements. Most students today will not worry about working in an online forum, but occasionally a student really does need to protect his or her identity and whereabouts for reasons that usually do not reflect well on modern society. For such a student, who is taking a risk if his or her name or email is even associated with the institution in a public way (and who has exercised the option under FERPA to suppress such “directory information”), some alternative that keeps that information entirely private may be needed. At least, instructors planning this type of online project should be aware of and remain open to the possibility.