Aurora Institute

House of Representatives Introduces Privacy Law Update

Education Domain Blog

Author(s): Maria Worthen, Susan Gentz

Issue(s): Federal Policy, Increase Access to Broadband


By Maria Worthen and Susan Gentz

On Wednesday, July 22, the US House of Representatives introduced legislation to update the Federal student privacy law. Congress passed the Family Educational Rights and Privacy Act (FERPA) in 1974 and has not updated it since. Many education advocates agree that FERPA needs a rewrite for the digital age.

About FERPA

FERPA governs the privacy of students’ educational records and personally identifiable information. It gives parents (or students over the age of 18) the right to inspect, review, and correct inaccuracies in their children’s education records. Generally, schools must have parents’ written permission in order to release any information from a student’s education record; however, there are exceptions. Such exceptions may include disclosure to school officials with a legitimate educational need, to another school to which a student is transferring, and for certain administrative, research, audit, and legal purposes.

FERPA also allows “directory information” such as a student’s name, address, telephone number and date and place of birth to be disclosed (for example, in a student telephone directory), but schools must tell parents about the directory information and allow parents a reasonable amount of time to request that the school not disclose this information.

The current FERPA law was written before schools used digital tools to store and use student information. It does not account for an education system in which students access courses online from a different location, or in which educational records are stored online. The law needs updating in order to allow schools to seamlessly share information to support teaching and learning in personalized learning environments.

About the Student Privacy Protection Act

H.R. 3157 updates FERPA to account for digital age learning models, such as students taking online courses from external providers, and online storage of student educational records. For example, the bill permits schools to disclose student information without parental consent to a third party provider to which the school has outsourced institutional services or functions.

It maintains FERPA’s current provisions regarding parental inspection, review, and correction of student records, and keeps the allowable disclosure of student “directory information” in place. It requires educational institutions to have data security protections in place, including a response plan in the event of a data breach.

This measure does not allow providers to advertise or market a product or service but does allow providers to use personally identifiable information to develop, diagnose, or deliver services to improve a student’s academic outcomes. For example, the provider could use personal information to inform students about courses that would meet their academic needs, or be able to use feedback from the student to improve services.

One concern that education advocates have expressed about H.R. 3157 is that it does not provide clear disclosure exceptions for community-based service providers with a legitimate need to view student educational records (e.g., foster care case managers). Another concern is the “studies exception”. This provision states that organizations conducting a study for an educational agency or institution may only have access to data without parental consent if the study is to improve the academic outcomes of students attending that educational agency or institution. It could have unintended consequences for studies that contribute to the field’s knowledge base on research and best practices to improve teaching and learning. Clarifying these issues in the bill would help to fully enable personalized learning, while avoiding unnecessary prohibitions.

Within the proper safeguards, data collection is key to personalized learning. It is critical to enact balanced policies that provide good governance practices to ensure proper protection and use of personal and personally identifiable student data, while at the same time enabling new learning models and modalities to personalize learning and close achievement gaps.