University students have less privacy for their campus health records than they would have if they sought care off campus. Schools say they are trying to seek the right balance between privacy and safety
When University of Oregon senior Laura Hanson was sexually assaulted by a fellow student a couple of days after New Year’s 2013, she said she felt violated and later shunned by her friends and sorority sisters.
The university’s drawn-out investigation of the incident—which substantiated her allegation—only added to her trauma.
Hanson’s ordeal wasn’t over. Last year, as she pressed forward with a claim against the university, Hanson learned that the school’s attorneys had obtained her confidential counseling records — her most intimate thoughts about what happened — without her permission.
Student Privacy Protection Act (H.R. 3157)
This bill would update and amend FERPA, and was introduced by Rep. Todd Rokita (R-IN) with important co-sponsorship from Reps. John Kline (R-MN) and Robert “Bobby” Scott (D-VA), the chairman and ranking minority member, respectively, of the House education committee. Rep. Marcia Fudge (D-OH) is also an original co-sponsor. Much of this bill mirrors current FERPA language, or is conceptually similar but updated to reflect current recordkeeping practices, but it also contains new requirements and restrictions in several key areas. Specifically, it imposes additional requirements for sharing student data with third party vendors performing school services and entities that perform college testing and financial aid analyses, including requiring education agencies/institutions to ensure such vendors have appropriate information security practices, requiring them to enter into written agreements with the vendors and mandating that such agreements are made available to parents. Additional key proposed changes from current law include: an express prohibition on the use of student information initially obtained to provide schools services for marketing or direct advertising to those students (with certain exceptions); a mandate to designate the school official responsible for education records security and establish a data breach notification policy; and a requirement that each State educational authority verify that institutions and local educational agencies under its jurisdiction have complied with the notice and procedural requirements of FERPA and certify to the U.S. Department of Education (the “Department”) that such institutions and agencies are in compliance.
About 50 students and alums took advantage of their rights under the Family Educational Rights and Privacy Act of 1974 by sending requests for personal records to the Office of Admission and the Office of the Registrar this academic year, said Dean of Admission Jim Miller ’73. In a typical year, only one or two students request to see their academic files, said Christopher Dennis, deputy dean of the College.
The dramatic uptick comes after Stanford University students created an anonymous newsletter called “The Fountain Hopper” designed to encourage other students to invoke FERPA to receive admission records. The newsletter sparked a wave of current and former students demanding to see their records at colleges and universities across the country.
From the abstract:
Two terms, student privacy and Massive Open Online Courses, have received a significant amount of attention recently. Both represent interesting sites of change in entrenched structures, one educational and one legal. MOOCs represent something college courses have never been able to provide: universal access. Universities not wanting to miss the MOOC wave have started to build MOOC courses and integrate them into the university system in various ways. However, the design and scale of university MOOCs create tension for privacy laws intended to regulate information practices exercised by educational institutions. Are MOOCs part of the educational institutions these laws and policies aim to regulate? Are MOOC users students whose data are protected by aforementioned laws and policies? Many university researchers and faculty members are asked to participate as designers and instructors in MOOCs but may not know how to approach the issues proposed. While recent scholarship has addressed the disruptive nature of MOOCs, student privacy generally, and data privacy in the K-12 system, we provide an in-depth description and analysis of the MOOC phenomenon and the privacy laws and policies that guide and regulate educational institutions today. We offer privacy case studies of three major MOOC providers active in the market today to reveal inconsistencies among MOOC platform and the level and type of legal uncertainty surrounding them. Finally, we provide a list of organizational questions to pose internally to navigate the uncertainty presented to university MOOC teams.
The U.S. Education Department wants to encourage colleges and the tech companies they work with to protect student data from misuse. But the agency’s power to protect the privacy of people taking free, online courses is essentially nonexistent.
“Data in the higher-education context for MOOCs is seldom Ferpa-protected,” Kathleen Styles, the Education Department’s chief privacy officer, said on Tuesday at a symposium on student privacy. In other words, people who take free online courses known as MOOCs, or massive open online courses, are not covered under the Family Educational Rights and Privacy Act, known as Ferpa, which stipulates how colleges must protect the “education records” of their students.
That puts those taking MOOCs in a kind of limbo. They are not technically students, even though the courses are offered by colleges, some of which receive a portion of revenue from fees for certificates of completion.
At a Dec. 2 symposium on student privacy, The Chronicle of Higher Education reports Styles said, “Data in the higher-education context for MOOCs is seldom FERPA-protected.” A U.S. Department of Education website says FERPA applies to “all schools that receive funds under an applicable program of the U.S. Department of Education.” MOOCs are rarely funded with Title IV, government-funded dollars, Styles said.
However, two of the largest MOOC providers disagree on whether federal law applies to their student data.
The standard agreement used by edX, a MOOC platform founded by Harvard University and the Massachusetts Institute of Technology, says that it is subject to and complies with FERPA requirements, according to The Chronicle.
Coursera, a MOOC platform founded by Standard University professors, follows the “principles” of FERPA but doesn’t think it applies to MOOCs, its chief academic strategist Vivek Goel told The Chronicle.
An online resource to help individuals understand the 1974 Family Educational Rights and Privacy Act.
It’s interesting to note their prominent description of FERPA compliance:
Clever is always completely FERPA compliant under the Education Services Exemption. We partner with leading school district security teams and experts to provide outstanding data stewardship, and vendors who work with Clever have agreed to use student data in total compliance with FERPA.
It reads like a TRUSTe certification.