What Is an Education Record? That is the Question that the Department of Education Should Answer

As technology’s role in education has grown rapidly, confusion has also grown over how the Family Educational Rights and Privacy Act (FERPA) protects modern digital records like email, video surveillance, and datasets used to power algorithmic systems. FERPA protects student privacy at the federal level for “personally identifiable information from [students’] education records.” Although the U.S. Department of Education (ED) has historically interpreted “education records” broadly, the evolution of education technology and outdated language from a twenty-year old Supreme Court case have caused some officials to interpret the term too narrowly, excluding modern digital records from FERPA’s protections. ED should address the confusion and clarify FERPA’s language to ensure that all student data is protected and accessible to those who have the most at stake: parents and students. 

The confusion regarding the applicability of “education records” under FERPA to modern digital records stems from the Supreme Court’s language in a 2002 case, Owasso Independent School District v. Falvo. In that case, the Court described education records as centralized records held by an educational institution. It stated that “education records” would primarily be “institutional records kept by a single central custodian, such as a registrar” in a “filing cabinet in a records room at the school or on a permanent secure database.” 

ED, however, has interpreted “education records” more broadly. FERPA and its regulations define “education records” as “records, files, documents, and other materials which (i) contain information directly related to a student; and (ii) are maintained by an educational agency or institution or by a person acting for such agency or institution.” ED recognized in 2008 — six years after Owasso — that that definition is “broad” and readily applies to student data held by third parties acting on behalf of an institution, including data held by education technology vendors. This broad definition not only protects “education records” from disclosure, but also grants parents and students access to their own records. 

Although the Court’s Owasso decision was expressly limited to the issue before it — whether peer grading was prohibited by FERPA — and is nearly twenty years old, some courts and commentators (here, here, and here!) have apparently overlooked ED’s 2008 description of “education records” as “broad.” They have instead concluded that the Court’s conception of “education records” does not include modern digital records, especially when those digital records are not centralized. That interpretation excludes digital records like email, video surveillance, and — critically — the vast datasets on students used to power algorithmic systems and artificial intelligence (AI) from FERPA’s protections. That narrow interpretation also limits parents’ and students’ access to their education records. 

The result has been confusion for schools and parents, public officials, and courts, often resulting in significant harms to students’ privacy and civil rights:

• Schools and parents: One company not only uses student data to score students’ likelihood of academic success as early as first grade, but also utilizes that data en masse to train its algorithmic products. Its algorithmic scoring uses nearly 7,000 data elements, including sensitive data such as gender, race, and enrollment in the free and reduced-price lunch program. Parents have sought access to their students’ data used in these algorithmic products; however, confusion over the scope of “education records” has caused parents to receive conflicting instructions from schools and the company, as each directed parents to submit their requests to the other. Consequently, parents’ requests often languished for months. 
• Public officials: In a 2018 memo, the Colorado Attorney General concluded that, because Owasso referred to education records kept “in a records room at the school or on a permanent secure database,” there is a “significant amount of information relevant to school safety [that] is outside the scope of FERPA and may be freely shared among educators and outside agencies, including law enforcement.”
• Courts: Similarly, in Central Dauphin School District v. Hawkins, the Commonwealth Court of Pennsylvania determined in a unanimous decision that surveillance video of an altercation between a parent and a teacher on a school bus was not an education record subject to FERPA, and ordered the video released under the state public records law. Relying on Owasso, the Hawkins court concluded that student data qualifies as an “education record” only if it is subject to a school district “protocol” for its maintenance, is maintained “permanently,” and is “capable of correction” — requirements that are not in FERPA or its regulations. Although the Pennsylvania Supreme Court vacated the Hawkins decision, it did so without addressing the Hawkins court’s reliance on Owasso, and the reversal of the lower court underscores the confusion caused by the narrow, outdated conception of “education records” in Owasso.

These examples underscore the need for ED to clarify the application of the term “education records” to modern educational data, especially as used by algorithmic systems and artificial intelligence (AI). Algorithms and AI play an increasingly important role in education and rely on student information that is held in vast datasets, commingled with other students’ personal information, and sometimes dispersed across databases. Parents and students deserve to have access to their personal data behind those systems. ED should both:

• reiterate that its 2008 description of education records as “broad” applies to modern digital records such as email and video surveillance, even when it is held by third-party education technology vendors, and 
• clarify how the term “education records” applies to vast datasets utilized for algorithmic systems and artificial intelligence. 

Since the Supreme Court’s decision in Owasso, the role of education technology has expanded dramatically, and the global pandemic accelerated that trend. Now, edtech may monitor every moment of students’ online activity, score their likelihood of academic success, and surveil school buildings for disruptions or even students with a fever. Because executive agencies have the authority to clarify ambiguous terms in the statutes they administer, including after courts have interpreted those ambiguities, ED has the authority— and responsibility — to clarify the term “education record” and explain how FERPA applies to the rapid changes in education data and student privacy that have occurred since Owasso.

It is vitally important that ED act to clarify the term “education records” under FERPA. Those records may include not only a student’s coursework for online learning, but also video from remote proctoring, messages and documents stored in the cloud, the student’s disability status or gender identity, and information about online counseling sessions. All of that data may power algorithms and artificial intelligence used by schools to provide services or make critical decisions, and parents and students deserve access to their own data. ED should ensure that FERPA is understood to give families that access.