Privacy in education
Privacy in education refers to the broad area of ideologies, practices, and legislation that involve the privacy rights of individuals in the education system. Concepts that are commonly associated with privacy in education include the expectation of privacy, the Family Educational Rights and Privacy Act, the Fourth Amendment, and the Health Insurance Portability and Accountability Act of 1996. The majority of privacy in education concerns are prevalent to the protection of student data, such as educational records and other personal information, both inside and outside the traditional classroom setting as well as the privacy and confidentiality of medical records. Many scholars are engaging in an academic discussion that covers the scope of students’ privacy rights, from student in K-12 and even higher education, and the management of student data in an age of rapid access and dissemination of information.
Expectation of Privacy
"Expectation of privacy," similar to the "right to privacy," is a phrase that describes the natural desire of humans to maintain their sense of privacy. There is currently no legal definition in the American law that explicitly grants humans the right to privacy. Oftentimes, the Fourth Amendment is utilized by people in court cases to defend themselves from actions that involve certain infringements upon their privacy, such as searches that require warrants. However, over the years, the U.S. Supreme Court has found it difficult to determine an impartial non-biased meaning for "expectation of privacy" because there are too many subjective variables to consider.Student Expectation of Privacy
In line with the general meaning of "expectation of privacy," student expectation of privacy refers to a student's inherent right to privacy in the school system. Examples of student expectation of privacy, especially in the pre-collegiate levels, include the protection of a student's academic record from being viewed by anyone other than the academic instructor, the student's parents or guardians, and the students themselves. There have been many legal cases regarding the privacy concerns of pupils' academic records, for example the Owasso Independent School District v. Falvo that was handled by the U.S. Supreme Court in 2002. This particular case began in October 1998 when Kristja J. Falvo filed a lawsuit against the Owasso Independent School District on the premise that the grading practice employed in her children's classroom, peer grading, was a violation of the Fourteenth Amendment and of FERPA. Additionally, peer grading embarrassed her children in front of their peers, which could be interpreted as a violation of a student's expectation of privacy in the classroom. When the case reached the Tenth Circuit Court of Appeals, it was ruled in October 2000 that peer grading was not a violation of the constitutional Fourteenth Amendment but was, in fact, a violation of FERPA. The Tenth Circuit judges reasoned so by closely interpreting the statue in FERPA about privacy protection of "educational records." Since it was agreed upon that teacher grade books were considered "educational records," the Tenth Circuit decided that anything that went into these grade books, including student grades written on student work, were also considered "educational records" and thus subject to FERPA's privacy protection policies. After the court decision was released, peer grading practices were banned in school districts within the Tenth Circuit regional borders.Many citizens and scholars were opposed to the Tenth Circuit's decision, and the case ultimately reached the U.S. Supreme Court in 2001. In 2002, the Supreme Court Justices officially ruled that peer grading was not a violation of FERPA. They reasoned that student grades on student work were not considered "educational records" until the teacher had physically recorded the grades into a grade book. Thus, peer grading returned as a common grading practice in classrooms across the United States.
Other examples of student expectation of privacy include the right of children to withhold personal information from teachers within in a traditional classroom setting. Such topic remains as a contentious educational privacy concern in the classroom. Some argue that teachers should know more information about students in order to help support them in their academic endeavors. Others argue that teachers should refrain from prying into the personal lives of children because, like adults, children should have the right to privacy and determine the amount of information that they reveal to teachers. Still others make the claim that children are too young to make this decision for themselves and should consult their parents prior to revealing anything personal to their teachers.
Student Educational Records
Student educational records, according to the FERPA statue, is defined as "those records, files, documents, and other materials which-- contain information directly related to a student; and are maintained by an educational agency or institution or by a person acting for such agency or institution."Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act of 1974 was propelled by New York Senator James Buckley who promoted the importance of protection and privacy of educational records of students who attended primary and secondary schooling. As a federal legislation, FERPA grants students under the age of 18 and their parents the right to manage their educational records, which may include data about their academic performance, medical information, behavioral analysis, and more. Thus, when parents or guardians feel that their children's educational records have been exposed to the public in some way, they are able to file claims against the school district as a violation of FERPA.For students over the age of 18, particularly those enrolled in postsecondary education institutions, FERPA can be vague and unclear about the disclosure of educational records to parents. Since individuals aged 18 and over are recognized as adults by the law, FERPA separates students in postsecondary education and their parents in terms of access to educational records such as health and drug records. According to Baker, many controversial issues may arise. For example, Baker writes that "FERPA regulation 99.31 allows disclosure to parents without the student's prior written authorization if the student is 'dependent' on the parents as defined by the Internal Revenue Code." However, there may be circumstances under which financially dependent students would not want their private records accessed by their parents. Additionally, FERPA authorizes the release to parents or guardians of information about recorded drug or alcohol use by students under the age of 21. If the underage and illegal drug or alcohol use resulted in legitimate concerns and disciplinary action, school administrators can notify and disclose details to parents without the students' permission.
Common Core
As the Common Core State Standards are being developed and implemented in schools across the United States, some academics are bringing awareness to the potential privacy concerns of student data and educational records. According to Stacie Hunt, the Common Core system creates a large student database that keeps track of student performance and information from pre-K to college and even beyond. Federal government and other agencies are able to gain access to this database, analyze student data records, and sell pertinent information to the schools and districts overall. This creates a privacy concern about student data being spread and utilized by third-parties without the students', or their parents', explicit permission.Educational Technology ("Edtech")
is an emerging field in the area of education. According to Dylan Peterson, "edtech represents a broad category of educational products and services used in schools and by private individuals." Privacy concerns surround the fact that large amounts of data of each student using edtech are collected and stored in a wide database that can be accessed by schools. This data may be personal to the students and they may not wish for others to view it. However, edtech companies claim that without storing as much student data as possible, it would be more difficult to create programs that effectively address the students' educational needs.Students with Disabilities
To help improve programs that benefit the educational experience of students with disabilities, some scholars propose a digitalized database of student records that are updated in real time. This is so that educators can keep track of important information about students with various disabilities and monitor their academic performances for educational purposes. While these scholars support the idea of disclosure of data of students with disabilities, they make it very clear that strong legislation and policies must be enforced to protect the privacy of such data. It is currently a debate whether or not digitalized student data that can be accessed by many parties is really beneficial to support individuals with disabilities in school. Some are not comfortable with the idea that the data is updated frequently and disseminated widely, while others believe that the acquisition of such data is necessary to improve programs and enrich educational experiences.Privacy in Higher Education
Historical Perspective
Since the 1970's, the commonly held perspective was that the right to privacy was an evaluation of individual worth. Further, technology, even before the World Wide Web, was perceived as having potentially negative effects such as allowing information to be breached. Yet, there were not many violations warranted that would urge legislation to act and shift their attention to protecting privacy in education or primarily individual privacy in general. Technology was also viewed as a source to uncover values, behaviors, motives and thoughts but at the same time, many thought that only qualified professionals had access to personal data. However, specifically in higher education, there was a perspective that individuals were susceptible to having their information breached. Thus, the role of education in the 1970's was viewed as one that safeguarded its students and staff to ensure privacy and prevent data from being breached given the technology that existed.College Dormitory Searches
In many public and private colleges and universities across the United States, enrolled students typically live on campus in college-operated dormitories. Since students live in these dormitories for the duration of about one year, many personalize and consider their dormitory rooms as their personal and personalized living space. However, these dormitories are property owned by colleges and often students must waive their right to privacy for college representatives to conduct searches for safety purposes. While some believe that dormitory searches are effective for maintaining a safe community on campus, others believe that these searches are a violation of student privacy. Many cases have been filed by students in which they were caught with illegal substances in their dormitories during searches that these students felt were an invasion of their private living spaces. Additionally, only public or government-related searches with warrants are protected under the Fourth Amendment. Oftentimes college dormitory searches would be regarded as private searches and thus undergo lawsuits that claim a violation of the Fourth Amendment. For example, in the case Morale v. Grigel, a Resident Assistant at the New Hampshire Technical Institute searched a student's room on multiple occasions even though the student was not present in the room at all times. Once the Resident Assistant found marijuana in the room, the student was arrested for possessing illegal substances on college campus property. The student then filed a lawsuit against the Resident Assistant on the grounds that the searches were private and thus violated his Fourth Amendment right to protection from private searches. However, the court concluded that the Resident Assistant's employment status rendered him as a government agent and thus his searches were conducted on behalf of the college, a government-related institution.Social Networks
Within social networks, or particular websites that enable the sharing of information as well as communication among individuals, there exists a level of privacy that students prefer to keep their personal information or social life private from school personnel or faculty in order to avoid context collapse.Learning Analytics
With the improvement of technology, more data has become available within higher education. Administrators are then able to learn more about students in order to implement forms of improving student's success. Through learning analytics, which is defined as the focus on "students and their learning behaviors, gathering data from course management and student information systems in order to improve student success," administrators are able to obtain real-time empirical data such as insights and responses of student's learning processes.Yet the privacy issues arise in how student data is collected, stored, analyzed and presented to stakeholders. There arises ethical issues of "location and interpretation of data; informed consent, privacy, and de-identification of data; and classification and management of data."
Students believe that data about them is elaborate and personalized and at the same time hold a conservative view about learning analytics. Learning analytics helps obtain real time data for higher education learning processes but, at the same time may hinder the development of students such as critical thinking and autonomous learning. It is not as simple as saying that learning analytics will benefit students and thus increase their success and retention rates. This is such because procedures to regulate access are put in place while at the same time bias and lack of validity and comprehension affect the ability to obtain data that will then be used for the benefit of students.
Data Breaches
As of 2017, there has been over 30 data breaches since 2005. The susceptibility to breaches creates threats to institutional research professionals who store and manage student data within the regulatory structure that controls data management. Further than this, student information is then brought to light which can threaten them as well. As vast amounts of data continues to be actively collected, potential breaching through hacking, physical theft, and by vendors becomes more probable.Preventative Measures
Those who study the implications of data breaches emphasize that data should be kept to a minimum and that steps should be taken in order to see who can be trusted to regulate this information in order to keep data private and not accessible to all employees. They also talk about investing in educating employees about what can and cannot be done with data. Further, they state that institutions should use the resources available at their own college/university in order to most effectively implement policies and procedures to keep data private. Exercising caution against third-party vendors that help with data is advised and further that there should be a contract established that 1) defines who exactly who will be working with data, 2) makes clear that data is sensitive and thus should be handled with care, 3) and includes security procedures that describe the exact responsibility of the vendor just in case data is breached.
Writers who investigate data breaches in higher education advise that research professionals should understand that data breaches are bound to happen and that it is better to implement policies and take preventative measures in the first place to ensure the security of data.
Educational Records in Higher Education
Family Educational Rights and Privacy Act of 1974The Family Education Rights and Privacy Act of 1974 limits the “disclosure of certain information contained in a student’s education record to third parties”, which includes parents if the student has not given consent. Third parties can be parents, family, another institution, or pursuants of a subpoena or court order consent is given by the student, 2) if the information falls within the definition of "directory information" if the information is of "legitimate educational interest" the student is tax dependent, 5) if it regards drugs or alcohol violations, 6) if it involves serious conduct violations, and 7) when it involves health or safety emergencies
Examples of health or safety emergencies are if a student in a residence hall is diagnosed with a contagious disease, has a serious eating disorder, has suicidal ideation, binge drinks heavily, or has erratic and angry behaviors. Furthermore, information can be released if it entails disciplinary information such as a student who is an “alleged perpetrator of a crime of violence or a non-forcible sex offense." However, there have been cases where troubled students remain in college, without the college or university advising parents about their "strange" behavior, which resulted in students to take their own lives. The cases of Jain v. Iowa, Shin v. Massachusetts Institute of Technology and Mahoney v. Allegheny College exemplify this issue. Nonetheless, according to FERPA, disclosures are considered to be made in “good faith based upon the available facts.”
Educational records are covered by FERPA. They are not just academic records, class schedules or transcripts but also financial records, disciplinary records, "disability accommodation records, photographs, e-mails, and electronic database records." Official documentation is needed to fall under FERPA even if this entails a personal experience or observation.
What is not covered under FERPA are: law enforcement records, treatment records, and sole possession records and instead fall under other laws or considerations.
In Loco Parentis
Due to the influence of FERPA, there has been a shift from in loco parentis, to in sin parentibus, and back to in loco parentis. In sine parentibus means "without parents" meanwhile in loco parentis means "in place of the parent." Thus, as represented by FERPA, the shift to in loco parentis within higher education is the act of the school taking over the legal responsibility of parents. This means that college authorities stand in place of parents.
The role of FERPA is to enhance student achievement through greater parent involvement as well as protecting the private interests of students. Yet, the shift toward in loco parentis also comes with concerns related to educational records. More specifically, there is a concern about the extent to which large and powerful institutions obtain information to their advantage such as data that is gathered by researchers and policymakers. On the other hand there are concerns that relate to the university itself disclosing information. For example, under FERPA, the school can disclose information about students to parents if it includes alcohol and drug related incidents any time if they are under 21. Because of reasons like these, there is a concern that there may be "systematic disclosure policies" that become out of control and thus harm student rights and privacy.
Privacy vs. Confidentiality
Within student records there is a difference between what is privacy and what is confidentiality. Privacy is more of a legal concept and is defined as the "right of a person to withhold himself and his property from public scrutiny if he so chooses." Thus privacy gives the individual the right to be let alone which means that the university itself does not have the right to pry into student's personal affairs or reveal student information unless there are explicit and valid reasons in doing so or permission has been granted by the student. Yet even giving permission does not mean that the student has given permission to have all of their information revealed from then on but rather than permission is granted within the particular circumstance.
On the other hand, confidentiality means that files and records of students are not authorized to be disclosed to third parties such as not disclosing information that is received in confidence from a patient and physician. Given this, authors who focus on confidentiality ask questions such as:
- Does the communication originate in confidence?
- Is the element of confidentiality essential to the full and satisfactory maintenance of the relationship between the parties?
- Is the relationship one that must be fostered??
- Will there result an injury that is greater than any benefits which may be gained from that disclosure?
Medical Records
The terms privacy and confidentiality arise when it comes to medical records.Health Insurance Portability and Accountability Act of 1996
The Health Insurance Portability and Accountability Act of 1996 provides privacy to data that is related to medical or mental health records that are legally more restrictive than FERPA in regards to confidentiality. HIPAA includes provisions that “intend to facilitate the creation of a national system for the electronic transmission and exchange of medical record information” such as access to information that is individually identifiable like health plans and health care. The act “defined protected health information so as to exclude individually identifiable health information that is included in education records covered by FERPA and that is in treatment records that are exempted from FERPA.” The difference between educational records and treatment records is that treatment records fall under federal and state law while educational records fall under FERPA. Nevertheless, the documentation of patient and caregiver is confidential meaning that medical records will not be disclosed unless consent is given or there is a belief that disclosing records is crucial. Furthermore, generally, health care providers do not disclose information unless they meet a standard that falls above the required FERPA health or safety exception, or consent is given, and thus is limited in providing information within the constraints of the confidentiality among patient and provider.
Integration of Mental and Physical Records
In some instances, college campuses have begun to integrate physical and mental health needs of patients. This means that medical records are becoming more shared among physicians as well as counselors or psychologists that work with students. Yet, medical providers, separately, have the obligation to withhold confidential information as an ethical duty and state privacy regulations. For example, health providers such as counselors, also have the obligation to be confidential and not disclose private information. However, as medical providers move towards integrated care, such that mental and physical records are shared amongst themselves, there arises a confidentiality challenge that may lead to college students to fall behind in school. Since confidentiality is compromised as information is disclosed among providers that use this method of continuity care, less students utilize therapy because they refuse to disclose private information that can then be shared with others. This simultaneously fuels the stigma towards college counseling. Thus, as more information becomes disclosed, less college students seek counseling due to lack of confidentiality as medical records of patients are disclosed between medical providers, when legally the obligation of these medical providers is to abide and guarantee privacy and confidentiality by withholding patient's information unless under specific circumstances.
Further, outside of sharing information among medical providers, there is also the issue of sharing information with researchers. They claim that medical records are difficult to access but when they are, it opens up the door for research. Yet, at the same time it opens the door to privacy and confidentiality risks.
Electronic Health Records
Since technology continues to revolutionize, medical records have become accessible as electronic health records. This allows information to be shared more easily but appears to create a challenge for stigma management and disclosing information during medical appointments.
An in-depth interview study called "Negotiating stigma in health care: disclosure and the role of electronic health records" was made that took into account sexual minority men in the U.S. to seek how they viewed electronic health records. What the study found is that there were concerns of privacy in terms of how the electronic aspect creates a barrier to be open and talk about seemingly confidential information as well as how it may challenge the right to confidentiality and privacy. On the other hand, the study also found that electronic health records may benefit by improving communication among providers when sharing information and further, to provide better care especially after the Health Information Technology for Economic and Clinical and Health Act invested billions in the adoption of electronic health records to improve the quality of care. The study concludes that technology may enhance medical care yet at the same time fuel the stigma that seeking medical help is bad and thus would hinder patients to make appointments, to attend counseling with certain providers, or disclose personal information such as sexual identity and HIV status that they believe will be shared to others without their consent.
State Laws
Federal regulations allow states to place their own regulations, to either increase or decrease the requirements for disclosure, but states who do are few.
- Minnesota State Law
As of 2006, under Minnesota's state rights, individuals have the right to: see and get a copy of their medical records, have information added to their medical records in order to make them accurate, file a complaint, and importantly, sue in state court for violations of their rights under state law.
- Massachusetts State Law
If an individual believes that their right to privacy they have the right to file a complaint with the Officer for Civil Rights, U.S. Department of Health and Human services against health care providers, with the Massachusetts Board of Registration in Medicine against doctors and with the Department of Public Health against hospitals.
The Confidentiality of Medical Information Act is a California state law that includes more information than HIPAA in regards to medical records. The main function is to protect confidentiality of identifiable medical information obtained by an individual's health care provider. It applies to licenses providers such as physicians and nurses. It prohibit medical providers to disclose medical information without obtaining authorization first and that any medical information about an individual is preserved in confidentiality by anyone who comes in contact with it. An individual whose confidentiality is not respected may obtain $1,000 and the amount of actual damages and for the person or entity that discloses confidential information is liable for an administrative fine.
Student and Professional Archetypes
Students With DisabilitiesTension on campus arises because as of the event of 9/11 some people on campus are fearful or overreact in demanding to know which students have conduct records or a disability accommodation. There is a tension of whether the information will be used to discriminate or treat students unfairly. Nevertheless, the distribution of this information is not limited by FERPA among school officials as long as the disclosure is done due to "legitimate educational interests."
Foreign Students
The event of 9/11 impacted the release of information of students with visas and leads to the questioning of the responsibility and obligation of universities to report foreign student's information. Foreign individuals granted the opportunity to study in the U.S. for a period of time are given one of three visas: F-1 for academic studying, J-1 for exchange visitors, and M-1 for vocational training.
However, the government claims that there are no accurate records of the 547,000 individuals holding student status. Meanwhile, universities are supposed to report information the information of F-1 and M-1 students to the Immigration and Naturalization Service such as their name, date and place of birth, current address, student status, degree program, field of study, etc. For those with J-1 visas, the sponsoring organization is to report information such as the individuals activities and compliance. Yet, if they do not necessarily report the information they are at least required to keep track of their foreign student's information.
Importantly, regulations are not addressed in regards to how FERPA applies. The school may release information if the student is no longer enrolled if it needs to comply with judicial order, if it lawfully issues a subpoena, or if there are "specific and articulable facts” that show that a student’s education record may contain information relevant to investigation or prosecution. Information can also be disclosed if it includes the protection of health or safety of students, especially if it is to “protect the health and safety of Americans.” Further, students who were issued I-20A or I-20M forms or DS-2019 forms automatically grant consent to any information needed to determine immigrant’s status or release information that's related to the individual’s compliance with the Exchange Visitor Program. Yet, this information is stated to be only given to certain organizations such as the INS or the Department of State.
Librarians
- Privacy Assessment
Other non-governmental acts that protect the right to privacy and thus limit the information that can be collected are:
Gramm-Leach-Bliley Act
Health Insurance Portability and Accountability Act of 1996
Credit Reporting Act
Further, the Library 2.0 tools and services enhance what the user can do but at the same time track, collect and retain data that then may affect individuals especially since the recent dominance of social media. Yet, because of librarian's belief of protecting the rights of users, they take their own initiative in protecting user's information by destroying access logs daily, posting warning signs, and teaching users about privacy issues. This is especially done in order for information to not be obtained outside of legal restrictions.
Specifically, the Livingston Lord Library of Minnesota State University's mission is to support both cultural and academic experiences and to encourage lifelong learning. Thus, their particular library provides resources that allows individuals to enhance their knowledge and skills. At the same time, they work to maintain their image of believing in confidentiality such that people can exercise their First Amendment right. Yet, there is not specific documentation as of 2007 that displays what privacy is to them. Nevertheless, there are examples of librarians exerting effort to ensure confidentiality and privacy by protecting their user's information.
Role of Campus Privacy Officers
are individuals within the institution who have the institutional responsibility for anything that regards privacy, they make sure that privacy is upheld within higher education. Yet they are relatively new in the United States but nevertheless have been growing since 2002. Their role or function in higher education is:“sustaining an environment where faculty and student are free to inquire, experiment, discover, speak, and participate in discourse is without intimidation, protecting against and responding to modern-day cybersecurity threats, protecting the interests of individuals and assuring they have appropriate influence over data about themselves, pursuing opportunities for use of data in medical treatment, research, and student success, and enabling shared governance”
Their activities include maintaining: data privacy policies, notices, personal data inventory, governance structure and to respond to both complaints and requests from individuals, among other tasks.
A few of the major issues that CPO's focus on are :
- Education records and FERPA
- HIPAA
- "Big data, algorithms, analytics, and usage"
- "Contractual agreements"
- "Information security monitoring and the privacy impact of surveillance"
Controversies
In 1964 students at UC Berkeley protested against the ban that prevented them from engaging in political activity on campus. FBI Director J.Edgar Hoover got involved because he thought that the Free Speech Movement had to do with Communism that aimed to disrupt Capitalism and thus U.S. government. Particularly, Seth Rosenfield's book "Subersives: The FBI's War on Student Radicals, and Reagan's Rise to Power" demonstrates how Hoover investigated the movement and specifically student activists such as Mario Savio through "'intense surveillance and harassment.'" Further, when Clark Kerr, former president of Berkeley and then vice chancellor of the University of California system, lifted the ban on political engagement and further against "Communist speakers" the FBI targeted him and tried to get him fired. Hoover had ordered agents to find information about Kerr and leak it to the Board of Regents in order to show that Kerr was not fulfilling his role as president and thus had to be fired. Essentially, what it points to is that in the 1960's the FBI took on the role of trying to eliminate Communism within the UC Berkeley campus by investigating particular individuals in order to see if they were really Communist or in the case of Kerr to fire them for lifting the ban on political engagement. Some say that this is a breach in privacy because the FBI surveilled and investigated individuals without their consent. Others say that it was needed in order to make sure that no Communist activity was taking place particularly on the Berkeley campus due to the Free Speech Movement.
Princeton University
In 2002 Princeton University’s admission staff accessed a Yale University website used to inform applicants that they have been admitted. The act of Yale University accessing private information was brought to light. As a result, Yale University responded that it would improve their website with additional security to prevent another breach. Meanwhile, Princeton University responded by announcing the resignation of the top Princeton admissions official. Some say that acts like these raise the issues of student record privacy in the digital world.
University of Oregon
In 2015 a woman who said she was raped by three basketball players sued the University of Oregon for disclosing her mental health records to an attorney. This case gave rise to employees from the counseling center to write an open letter to the university community as a form to show that they were disturbed by the university's actions. Yet, officials argue that because the women claimed to have emotional distress then the university had the right to her medical records under FERPA. An attorney named Steve McDonald argued that HIPAA did not apply in this case. Meanwhile, Lynn Daggett, a FERPA specialist, stated that the university has the right to get access to student medical records, especially if entails the need for legal defense. This led to Denise Horn, a U.S. Department of Education representative of the time, to write a statement addressing that higher education institutions should comply with FERPA but also respect the expectation of confidentiality between patient and counselor/therapist.