Drexel Law Review, August 2016
The literature on student privacy often focuses on specific provisions and definitions. This paper offers a broader perspective on how the regulatory mechanisms of FERPA and new reforms work within today’s technological, institutional, and economic systems. It makes several contributions, including (1) an analysis of the assumptions that underlie FERPA’s FIPPs-based approach to privacy; (2) finding such protections insufficient in light of the technological and information infrastructure created by networked systems, cloud computing, and big data analytics that are often provided by private entities; and (3) enumerating practical, political, and pedagogical, and philosophical characteristics of America’s education system that limit the efficacy of privacy protection through personal or institutional self-management.
FERPA nominally operates on the notion of notice and consent but in practice delegates the bulk of data-related decision-making to educators through the school official exception. The statute defers to educators’ unspecified and undocumented criteria for disclosure. It imposes no direct accountability for violations given the “nuclear” nature of enforcement through withdrawal of federal funding.
FERPA’s reliance on institutional approval and access and amendment rights offered stakeholders sufficient reassurance given the limitations of physical records that were not readily accessible, portable, or incorporated into daily institutional practice. Today, educators cannot cope with the burden of tracking and policing recipients’ information practices given the proliferation and complexities of today’s data-driven infrastructures. The resulting system places untenable burdens on students, parents, and educators that often fails to provide either actual oversight over disclosed information or meaningful transparency, accountability, and scrutiny over schools’ information practices.
Context-specific characteristics also make reliance on FIPPs-based privacy protection practically problematic and theoretically unsound. Opting out by withholding consent is rarely a realistic option given the compulsory nature of primary and secondary education and the competitive pressure on students to obtain credentials from higher education institutions to ensure future opportunities. On a practical level, considering individual privacy preferences would overwhelm educators and administrators. Politically, FERPA’s delegation model accommodates the decentralized political authority and extreme heterogeneity of America’s locally-governed education system. Pedagogically, privacy self-management may have problematic effects as changing information practices changes the content, methodology, and measurement of instruction. Philosophically, shifts in data flow change the content, goals, and values of education itself in fundamental ways. These realities must inform future policymaking rather than reliance on a regulatory model poorly designed for today’s educational ecosystem.
Read entire publication here.