Commentary Addressing Risks and Opportunities Through the Lifecycle of Data, Technology, Advertising and Innovation

Data Counsel

Home | Data Counsel

<img class="alignright wp-image-6002" src="https://dataprivacymonitor.bakerhostetlerblogs.com/wp-content/uploads/sites/5/2020/01/digital-world-GettyImages-1060422070_1200x630_72dpi.jpg" alt="" width="438" height="230" />The United States Department of Education (ED) Student Privacy Policy Office (SPPO), on March 13, 2020, issued <a href="https://studentprivacy.ed.gov/sites/default/files/resource_document/file/FERPA%20and%20Coronavirus%20Frequently%20Asked%20Questions.pdf">Frequently Asked Questions</a> related to the serious novel coronavirus disease (COVID-19) that the world is now grappling with. This FAQ document mirrors in large part the same line of advice found in ED’s prior Joint Guidance with Health and Human Services related to student health and permitted disclosure (see our prior blog post on that guidance <a href="https://www.dataprivacymonitor.com/hipaahitech/departments-of-education-and-hhs-release-joint-guidance-on-the-relationship-between-ferpa-and-hipaa/">here</a>), but the FAQ is targeted with specific questions that educational institutions and entities are facing in addressing and supporting their students and communities in light of the pandemic.

With K-12 schools and institutions of higher education at the forefront of community response to the pandemic, and playing a pivotal role not only in education but also in feeding students, providing facilities for the community, and other important facets of community life, schools, districts and institutions need to be able to respond to the pandemic while also ensuring that the provisions of the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. Section 1232g; 34 C.F.R. Part 99, relating to unauthorized disclosure of an education record are not implicated. Specifically, FERPA prohibits an educational agency or institution from disclosing personally identifiable information (PII) from a student’s education record without the prior written consent of a parent or non-minor student unless an exception applies. One exception is the “health or safety emergency,” which allows disclosure in an emergency to public health agencies, medical personnel, law enforcement officials or even parents if such disclosure is necessary to protect the health and safety of other students or individuals. There must be an actual emergency, not a future or unknown one. In areas where COVID-19 has been declared a public health emergency this requirement would arguably be met. However, ED notes that public health departments typically can have education records disclosed under this exception even in the absence of a formally declared health emergency.

ED’s COVID-19 FAQs provide several scenarios applying the health or safety emergency exception and other disclosure issues that may arise with COVID-19. As with most FERPA analysis, consent by a parent or eligible student is typically enough for authorized disclosure. However, if non-consensual disclosure is undertaken in response to COVID-19 under the health or safety emergency exception, there must be an articulable and significant threat which must be analyzed on a case-by-case basis. Once the emergency passes, that disclosure must be notated in the student’s education record like any authorized or unauthorized disclosure.

This presents interesting considerations for educational entities that may need to share educational records and/or student PII in response to COVID-19. If electronic FERPA systems are used, the entity will need to make sure that the above analysis can adequately be conducted on a case-by-case basis so as not to implicate a potential unauthorized disclosure. Moreover, the systems and processes will need to track and notate disclosures once the emergency has passed. While not covered in ED’s FAQ, this also serves as an important reminder for educational entities to check their agreements to validate what control over FERPA information the entity has over its cloud vendors or other third-party service providers. Given the need to determine, on a case-by-case basis, whether FERPA information can be disclosed in response to COVID-19, a proper understanding of the entity’s agreements will assist it to in verifying that the entity controls the information and is the sole decision maker in determining whether and when student PII can be disclosed in response to this pandemic. Districts, schools and higher education entities would be advised to seek legal counsel regarding any authorized or unauthorized FERPA disclosure in the COVID-19 context, given the analysis is fact-specific and required on a case-by-case basis by FERPA so as to prevent an unauthorized disclosure.

FERPA Disclosures in Response to COVID-19