Privacy advocates are urging Congress to take steps to safeguard sensitive student information, warning that new rules by the Department of Education leave student data vulnerable.
In an October 9 letter to members of the House and Senate committees that oversee education, the Electronic Privacy Information Center said that the Department of Education in 2011 moved to modify the definition of key terms in the Family Educational Rights and Privacy Act. The result, according to EPIC, is that "data is now flowing to private companies that operate far outside the direct control of school systems."
The letter follows an unsuccessful lawsuit by the group to challenge the regulations. On September 26, U.S. District Judge Amy Berman Jackson of U.S. District Court for the District of Columbia dismissed the suit for lack of standing. “The individual plaintiffs have alleged nothing more than a hypothetical possibility of some vague harm, and that harm does not even flow from the challenged regulations,” she found.
EPIC said that the new rules for the first time defined “educational program” to include a wide range of activities unrelated to educational performance. The new rules also defined who was an “authorized representative” entitled to receive student records without prior consent in connection with audits or evaluations of educational programs.
According to EPIC, such a representative can be “any individual or entity that educational authorities select….The Education Department has allowed private student data to be made much more widely available than the Congress that enacted [the law] intended.”
The privacy group urged Congress to investigate who has access to student data, whether it’s being used for commercial purposes, what security standards are in place and whether the data could be used in the future for employment, credit or insurance determinations.